AT 08: AUDITING IN AN IT ENVIRONMENT
Auditing In an Information Technology Environment
An IT environment exists when a computer of any type or size is involved in the processing by an
entity of financial information of significance to the audit, whether the computer is operated by
the entity or by a third party.
The IT environment consists of the IT applications and supporting IT infrastructure, as well as the
IT processes and personnel involved in those processes, that an entity uses to support business
operations and achieve business strategies. With this, the IT environment includes:
i. An IT application is a program or set of programs that is used in the initiation, processing,
recording and reporting of transactions or information. IT applications include data
warehouses and report writers.
ii. The IT infrastructure comprises the network, operating systems, and databases and their
related hardware and software.
iii. The IT processes are the entity’s processes to manage the IT environment, manage
program changes or changes to the IT environment, and manage IT operations.
Terms Used in IT Environment
Type of Computer Systems
1. Management Reporting System – designed to help with the decision-making process by
providing access to computer data.
a) Decision support system – computer-based information systems that combine models
and data to resolve non-structured problems with extensive user involvement.
b) Executive information system – computerized systems that are specifically designed
to support executive work.
c) Expert system – computer systems that apply reasoning methods to data in a specific
relatively structured area to render advice or recommendations.
d) Management Information System – systems designed to provide past, present and
future information for planning, organizing and controlling the operations of the
organization.
2. Transaction Processing System – involves the daily processing of transactions.
Types of Computers
1. Supercomputers – extremely powerful, high-speed computers for extremely high volume
and/or complex processing needs.
2. Mainframe computers – large, powerful, high-speed computers.
3. Minicomputers – while large and powerful, they are not as large or powerful as mainframe
computers.
4. Microcomputers – small computers, such as personal computers and laptops.
5. Personal digital assistants – mobile, handheld computers.
Basic Components
Hardware
Hardware is the physical devices or equipment used to accomplish data processing functions.
Hardware includes:
Input – the purpose of these devices is to convert information into a machine-readable form.
Examples of input devices:
a) Keying data
Key-to-tape and key-to-disk, in which data are entered directly onto tapes and disks
respectively through a CRT and then read into the computer.
b) Online Entry
1. Visual display terminal (uses a keyboard to directly enter data into the computer)
▪ Input interface – a program that controls the display for the user (usually on a
computer monitor) and that allows the user to interact with the system.
▪ Graphical user interface – uses icons, pictures, and menus instead of text inputs
(e.g. Windows)
▪ Command line interface – uses text-type commands
2. Mouse, joystick, light pens
3. Touch-sensitive screens – allow users to enter data from a menu of items by touching
the surface of the monitor.
c) Turnaround documents – documents that are sent to customers and returned as inputs
(e.g. Utility Bills).
d) Automated source data input devices.
1. Magnetic Tape Reader – a device capable of sensing information recorded as magnetic
spots on magnetic tape. This device can also be used as an output device and storage
medium.
2. Magnetic ink character reader (MICR) – a device that reads characters by scanning
temporarily magnetized characters printed in magnetic ink (e.g. bank check readers).
3. Optical character recognition (scanner) – a device that reads characters directly from
documents based on their shapes and positions on the source document.
4. Cathode Ray Tube (CRT) – typewriter-like device that decodes keystrokes into electric
impulses.
5. Automated Teller Machines (ATM) – a machine used to execute and record
transactions with financial institutions.
6. Point-of-Sale (POS) recorders – a terminal connected to a computer. It takes
the place of a cash register or similar device, allows instant recording of
transactions and is capable of keeping perpetual inventory.
7. Voice recognition – a system that understands spoken words and transmits them to
a computer.
e) Electronic commerce and electronic data interchange – involves one company’s computer
communicating with another’s computer.
Central Processing Unit (CPU) is the principal hardware component and processes program
instructions for manipulating data. It contains the:
a) Control unit – interpreter of program codes that will manipulate the data.
b) Storage unit – data retention.
c) Arithmetic and Logic Unit (ALU) – performs arithmetic and logic functions.
Secondary storage device – serves as storage support for the CPU.
a) Method of access
1. Random – data can be easily accessed directly regardless of how it is physically stored
(e.g. magnetic disk).
2. Sequential – data must be processed in the order in which it is physically stored (e.g.
magnetic tape, cartridges)
b) Storage devices
1. Magnetic tape – primary medium for backing up random-access disk files and
considered to be the cheapest type of storage available.
2. Magnetic disks – include CDs (mainframe) and hard disks or drives (microcomputers).
3. Redundant array of independent disks (RAID) – a way of storing the same data
redundantly on multiple magnetic disks to minimize the likelihood of data loss.
4. Compact disks, floppy disks and zip disks.
5. Optical disks – use laser technology to store and read data.
Output – these devices translate processed data into forms understandable by users.
Examples include:
a) items in letter c and d of input devices.
b) Monitor
c) printers
d) plotters
e) computer output to microfilm or microfiche (COM)
Software
This consists of sets of instructions (programs) that direct, control and coordinate the operation
of the hardware components.
1. Systems software
a) Operating system – is a group of computer programs that monitor and control all the
input, output, processing and storage devices and operations of a computer (e.g. DOS,
Windows, Linux, Mac, etc.). It controls the functioning of the CPU and other
peripheral equipment.
b) Utility (user) programs – handle common file, data manipulation and “housekeeping”
tasks. They perform commonly required processes such as sorting and merging.
c) Communication software – controls and supports transmission between computers,
computer and monitors, and accesses various databases.
2. Application software (also known as ‘apps’) – programs written in programming languages such
as Turbo C, Assembly, Java, Visual Basic and COBOL. These are programs designed for
specific users or desired processing tasks such as payroll preparation, word processing,
graphics, database systems and accounting software.
3. Database management system (DBMS) – a software package for the purpose of creating,
accessing, and maintaining a database.
4. Source program – a program written in a language from which statements are translated
into machine language.
5. Object program – converted source program that was changed using a compiler to create
a set of machine-readable instructions.
6. Compiler – produces a machine language object program from a source program
language.
7. Interpreter – converts each source code instruction to object code each time it is executed.
8. Virtual memory (storage) – online secondary memory that is used as an extension of
primary memory, thus giving the appearance of larger, virtually unlimited internal
memory.
Different Types of Electronic Data Processing Systems
1. Batch Processing – data are accumulated and processed in groups.
2. Online or Real Time (OLRT) processing – processing takes place at the same time as the
data are entered into the computer (the peripherals are in direct contact with the CPU).
3. Database Systems – enable data sharing by maintaining a single copy of important
records in an organized file system (database) which is shared by various users,
without the necessity of each user maintaining a copy of the file. This eliminates data
redundancy. Current systems entrust responsibility for database maintenance and control
to a database administrator.
4. Computer Networks
Network Environment
A network is a group of interconnected computers and terminals. A network environment is a
communication system that enables users to share computer equipment, applications, software,
data, and voice and video transmissions.
Types classified by geographical scope:
1. Local Area Network (LAN) – communication networks that allow resources, data and
program sharing within a limited geographical area.
2. Wide Area Network (WAN) – computer networks that span a large geographical area.
3. National Area Network (NAN) – covering an entire country.
4. Internet – covering the globe.
Network-related technologies:
1. Distributed Data Processing – sharing of information and programs by large numbers of
users. This set-up calls for computer security because of a wider risk exposure to unwanted
access.
2. Electronic Data Interchange – the use of telecommunication links (cable wire, radio, fiber
optics, microwave, laser and other electromagnetic transmissions) to exchange business
data. This significantly reduces the audit trail.
3. End User Computing – the user departments develop and execute certain computer
applications (generate and use its own information).
Internal Controls in an IT Environment
General Controls
Control policies and procedures that relate to the overall computer information system.
General IT controls cover controls over the entity’s IT processes that support the continued
proper operation of the IT environment, including the continued effective functioning of
information processing controls and the integrity of information (i.e. the completeness, accuracy
and validity of information) in the entity’s information system.
Organizational Controls
Organizational controls are designed to define the strategic direction and establish an
organization framework over IT activities including:
● Strategic information and technology plan.
● Policies and procedures.
● Segregation of incompatible functions.
◦ Between the IT department and the user departments.
◦ Segregation of duties within the IT departments.
● Monitoring of IT activities performed by third party consultants.
Responsibility within an Information System Department
1. Information system management – handled by a Chief Information Officer, who supervises
the operation of the department.
2. Systems analysis – responsible for designing information systems. Focus on setting the
goals of the information system and means of achieving them after considering the goals
of the organization and the computer processing needs of the entity.
3. Application programming – codes the system specifications determined by system
analysts using programming languages (Pascal, C, FoxPro, etc.).
4. Database Administration – focus on planning and administering the database by
designing it and controlling its use.
5. Data Entry – prepare and verify input data for processing.
6. Computer Operation – runs and monitors the central computer in accordance with standard
instructions. Sometimes operators may need to access the computer console to correct
errors indicated in processing; this is a risk exposure, so the operating system should be
designed to maintain a log of computer operator interventions. Also, computer operation
should be separated from application programming to mitigate the possibility of unauthorized
changes to computer programs.
7. Program and File Library – protects computer programs, master files, transaction tapes
and other records from loss, damage, unauthorized use or alteration.
8. Data Control – reviews and tests all input procedures, monitors computer processing, reviews
exception reports, handles reprocessing of exceptions detected by the computer and
distributes all computer output; also reviews the computer log of operator interventions and
the library log of program usage.
9. Telecommunications – responsible for maintaining and enhancing computer networks
and network connections.
10. Systems Programming – responsible for troubleshooting the operating system or systems
in use, upgrading it and working with application system programs in case of
incompatibility with the operating systems.
11. Quality Assurance – ensures that new systems being developed and old ones being replaced are
controlled, and ensures that the new system meets user specifications and documentation
standards.
Systems Development, Maintenance, and Documentation Controls
1. User department must participate in system design.
2. Written system specification must be required and approved by management and user
department.
3. Both user and IT personnel must test new systems.
4. Management, user and IT personnel must approve new system before implementation.
5. Control of all master and transaction files to avoid unauthorized changes.
6. All program changes should be approved.
7. Adequate documentation should be made to facilitate the use of programs.
Access Controls
Access controls provide reasonable assurance that access to equipment, files and programs is
limited only to authorized personnel.
1. Physical access control
a) Limited physical access – guard, automated key cards and manual key locks.
b) Visitors entry log
2. Electronic access control
a) Requiring user identification (specifically on online systems) and regular changes of
passwords.
b) Defining user data access privilege.
c) Call back – users dial in for access to the IT system; the system logs them out and then
re-establishes the communication link once their identification is verified.
3. Hardware controls
a) Diagnostic routines – hardware or software supplied by manufacturers to check the
internal operations and devices within the computer system.
b) Boundary protection – to ensure integrity of the allocated memory for a job currently
under a simultaneous processing in a multi-programming environment.
4. Data transmission controls – procedures established to prevent unauthorized access or
changes to information being transmitted via telecommunication facilities:
a) Parity check – data are processed and transmitted by computers in arrays of bits.
Redundant bit may be added to verify the integrity of the information that is processed
or transmitted.
b) Data encryption – data are coded into secret characters to avoid unauthorized
individuals from reading the information.
c) Message acknowledgment technique (ex. Echo check) – receiving device sends a
message that verifies a transmission back to the sending device.
d) Private lines – using phone lines owned or leased by the organization, thereby more
secure.
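Added illustration, not from the original notes, of the parity check in item (a) above: one redundant bit per byte lets the receiver detect a single flipped bit, while two flipped bits in the same byte pass unnoticed, which is why parity alone is a weak integrity control. The message and the bit flips are constructed for the example.

```python
from __future__ import annotations

# Even parity: the redundant bit makes the number of 1 bits in each 9-bit unit even.

def parity_bit(byte: int) -> int:
    """Return the even-parity bit for an 8-bit value (1 when the count of 1 bits is odd)."""
    return bin(byte & 0xFF).count("1") % 2

def encode_with_parity(data: bytes) -> list[int]:
    """Append an even-parity bit (least significant bit) to each byte, giving 9-bit units."""
    return [(b << 1) | parity_bit(b) for b in data]

def verify_parity(units: list[int]) -> tuple[bytes, list[int]]:
    """Strip the parity bit from each unit; return the payload and the indices of
    units whose parity no longer matches their data bits."""
    payload = bytearray()
    bad = []
    for i, u in enumerate(units):
        byte, p = u >> 1, u & 1
        if parity_bit(byte) != p:
            bad.append(i)
        payload.append(byte)
    return bytes(payload), bad

def flip_bits(unit: int, *positions: int) -> int:
    """Simulate line noise by flipping the given bit positions of one unit (0 = parity bit)."""
    for pos in positions:
        unit ^= 1 << pos
    return unit

def demo() -> dict[str, bool]:
    # Constructed sample message; nothing here comes from a real transmission.
    original = b"PAY 1500.00 ACCT 4471"
    units = encode_with_parity(original)

    # Clean transmission: the payload round-trips with no parity failures.
    clean, bad_clean = verify_parity(units)

    # One data bit flipped in the third unit: the parity check catches it.
    noisy1 = list(units)
    noisy1[2] = flip_bits(noisy1[2], 4)
    _, bad_single = verify_parity(noisy1)

    # Two data bits flipped in the same unit: parity still matches, corruption is missed.
    noisy2 = list(units)
    noisy2[2] = flip_bits(noisy2[2], 4, 6)
    corrupted, bad_double = verify_parity(noisy2)

    return {
        "clean_ok": clean == original and bad_clean == [],
        "single_detected": bad_single == [2],
        "double_missed": bad_double == [] and corrupted != original,
    }
```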
Other Access Control Activities:
a) Programming the operating system to generate a computer log of failed access attempts
and to generate warnings for repeated access failures.
b) Programmers should not have access to input data or application programs that are
currently in use.
c) Computer operators should be restricted only to the application programs currently being
used.
d) Computer operators should have access only to the operations manual (instructions for
processing programs) and not to detailed program documentation.
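Added example, not from the original notes, of the monitoring described in item (a): a small reviewer that reads an access log, warns when a user accumulates repeated failures within a short window, and also flags a success that follows recent failures. The log lines and their format are constructed for the example; real systems use their own formats.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not taken from any real system). Assumed line
# format: "<ISO timestamp> <OK|FAIL> user=<id> src=<terminal or remote id>".
SAMPLE_LOG = """\
2024-03-04T08:00:01 FAIL user=jdoe src=TERM-12
2024-03-04T08:00:07 FAIL user=jdoe src=TERM-12
2024-03-04T08:00:15 FAIL user=jdoe src=TERM-12
2024-03-04T08:00:20 OK user=asmith src=TERM-03
2024-03-04T08:00:31 FAIL user=jdoe src=TERM-12
2024-03-04T08:01:02 FAIL user=root src=REMOTE-9
2024-03-04T08:05:00 FAIL user=mlee src=TERM-07
2024-03-04T08:05:10 FAIL user=mlee src=TERM-07
2024-03-04T08:05:30 OK user=mlee src=TERM-07
2024-03-04T08:30:45 FAIL user=root src=REMOTE-9
this line is garbage and must not break the parser
2024-03-04T09:10:00 FAIL user=asmith src=TERM-03
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse log lines into (timestamp, result, user, source); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip rather than abort: one bad line must not hide the rest
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def access_warnings(events, threshold: int = 3,
                    window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Warn when a user reaches `threshold` failures inside a sliding `window`, and
    when a success follows recent failures (a guess that may have succeeded)."""
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    warnings = []
    for ts, result, user, src in sorted(events):
        recent = [t for t in recent_failures[user] if ts - t <= window]
        if result == "OK":
            if recent:
                warnings.append({"user": user, "at": ts.isoformat(), "src": src,
                                 "reason": f"success after {len(recent)} recent failures"})
            recent_failures[user] = []          # a success closes the failure run
            continue
        recent.append(ts)
        recent_failures[user] = recent
        if len(recent) == threshold:            # warn once when the threshold is reached
            warnings.append({"user": user, "at": ts.isoformat(), "src": src,
                             "reason": f"{threshold} failed attempts within {window}"})
    return warnings
```

The root entries are two failures half an hour apart and stay below the threshold, which shows why the window size has to be chosen with the expected pace of legitimate mistakes in mind.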
Data and Procedural Controls
● Data control group – receives all data for processing, ensures complete recording,
follows up errors, determines that data are corrected and resubmitted by user departments
and verifies output distribution.
● Processing controls:
1. Written manual of systems and procedures for all computer operations.
2. Back-up and recovery:
a) Grandfather-father-son principle on file retention – a back-up system employed in
batch processing that enables reproduction of destroyed or lost master files from
multiple (3) generations of master files.
b) Snapshots – daily picture (copy) of the data files taken and retained until the weekly
file is prepared, which are retained until the monthly file is prepared, which are
also retained until the annual file is created.
3. Contingency processing – detailed processing plans to be tapped in case of disasters
and may include a:
a) Reciprocal agreement/Mutual aid pact.
b) Internal site
c) Hot site – back-up centers that are already installed with equipment.
d) Cold site – back-up centers that are ready for equipment to be brought in.
4. File Protection Rings – enable writing to a magnetic tape only when the ring is on
the tape reel. This controls the operator error of writing data over tapes containing
critical information.
5. Internal and External Labels – provide identification of files to avoid destruction.
Monitoring Controls
Monitoring controls are designed to ensure that IT controls are working effectively. These may include:
● Monitoring of key IT performance indicators
● Internal/External IT audits.
IT Application Controls
Control policies and procedures that relate to specific use of a system in order to provide
reasonable assurance that all transactions are authorized, recorded, and are processed completely,
accurately and on a timely basis.
In an IT environment, application controls are controls relating to the processing of information
in IT applications that directly address risks to the integrity of information (i.e., the completeness,
accuracy and validity of transactions and other information).
This may include:
Controls Over Input
Controls over input are designed to provide reasonable assurance that:
● Transactions are properly authorized before being processed by the computer.
● Transactions are accurately converted into machine-readable form and recorded in the
computer data files.
● Transactions are not lost, added, duplicated, or improperly changed.
● Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely
basis.
Common examples of controls over input are key verification, field check, validity check,
self-checking digit, limit check, control totals (financial, hash and record count).
a) Limit test – test of reasonableness of a field of data using predetermined upper and
lower limits.
b) Validity test – a comparison of data against a master file or table for accuracy.
c) Self-checking digit – contains redundant information permitting an accuracy check.
d) Completeness check – processing will not continue unless all data required are
supplied (also called a missing data check).
e) Control total – the total of one field of information for all items in a batch.
▪ Item (Record) count – a count of the number of items or transactions being input
in a given batch.
▪ Financial total – the total of the amounts for all items in a batch.
▪ Hash total – a total of one field of information for all items in a batch that has no
intrinsic meaning.
f) Menu-driven input – consists of a set of menus or questions and answers that guides the user
through completion of all the required data.
g) Field check – ensures that the proper type of character is supplied in a given field (i.e.
character only, numeric only or alphanumeric only).
h) Field size check – ensures that the data supplied is within the number of digits or string
of characters required for the field.
i) Logic tests – reject data encoded which are illogical or inconsistent.
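Added worked example, not from the original notes, that applies the input controls listed above to one constructed batch of keyed journal lines: completeness, field and field size checks, a self-checking digit, a validity test against a master file, a limit test, a logic test, and the three control totals recomputed and compared with the totals the user department submitted with the batch. The master file, the limits, the batch and the mod-10 (Luhn) check-digit scheme are all assumptions made for the example.

```python
from __future__ import annotations
from decimal import Decimal, InvalidOperation
from datetime import date

# Constructed master file of 4-digit account codes; batch records carry a 5th,
# self-checking digit computed with mod-10 (assumed scheme, not named in the notes).
MASTER_ACCOUNTS = {"1001", "1002", "2001", "4471"}
REQUIRED_FIELDS = ("acct", "type", "amount", "date")
LOWER_LIMIT, UPPER_LIMIT = Decimal("0.01"), Decimal("10000.00")  # assumed policy limits
BATCH_DATE = date(2024, 3, 31)

def mod10_check_digit(digits: str) -> str:
    """Luhn-style check digit over a string of digits (rightmost payload digit doubled)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def validate_record(rec: dict) -> list[str]:
    """Run the per-record input controls; return the list of failures (empty = accepted)."""
    errors = []
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:                                         # completeness check
        return [f"{f}: missing" for f in missing]       # cannot test an incomplete record
    acct = rec["acct"]
    if not acct.isdigit():                              # field check: numeric only
        errors.append("acct: numeric only")
    elif len(acct) != 5:                                # field size check
        errors.append("acct: must be 5 digits")
    elif mod10_check_digit(acct[:-1]) != acct[-1]:      # self-checking digit
        errors.append("acct: check digit mismatch")
    elif acct[:-1] not in MASTER_ACCOUNTS:              # validity test against master file
        errors.append("acct: not in master file")
    if rec["type"] not in ("DR", "CR"):                 # field check on a coded field
        errors.append("type: must be DR or CR")
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        errors.append("amount: not numeric")
    else:
        if not LOWER_LIMIT <= amount <= UPPER_LIMIT:    # limit test
            errors.append("amount: outside limits")
    try:
        if date.fromisoformat(rec["date"]) > BATCH_DATE:   # logic test
            errors.append("date: after batch date")
    except ValueError:
        errors.append("date: invalid")
    return errors

def control_totals(records: list[dict]) -> dict:
    """Record count, financial total and hash total recomputed from the keyed batch."""
    fin = Decimal("0")
    for r in records:
        try:
            fin += Decimal(r["amount"])
        except InvalidOperation:
            pass                                        # unparsable amounts add nothing
    return {"record_count": len(records),
            "financial_total": fin,
            "hash_total": sum(int(r["acct"]) for r in records if r["acct"].isdigit())}

def check_batch(header: dict, records: list[dict]) -> dict:
    """Compare submitted control totals with recomputed ones and validate every record."""
    actual = control_totals(records)
    mismatches = {k: (header[k], actual[k]) for k in header if header[k] != actual[k]}
    return {"control_total_mismatches": mismatches,
            "record_errors": {i: validate_record(r) for i, r in enumerate(records, 1)}}

# Constructed batch: each record after the first carries one or two deliberate defects.
SAMPLE_BATCH = [
    {"acct": "10017", "type": "DR", "amount": "250.00",   "date": "2024-03-01"},
    {"acct": "44719", "type": "CR", "amount": "15000.00", "date": "2024-04-15"},
    {"acct": "10018", "type": "DR", "amount": "75.50",    "date": "2024-03-12"},
    {"acct": "20016", "type": "CR", "amount": "",         "date": "2024-03-20"},
    {"acct": "99994", "type": "DR", "amount": "20.00",    "date": "2024-03-25"},
    {"acct": "10025", "type": "XX", "amount": "abc",      "date": "2024-03-30"},
]
# Totals the user department computed from the source documents before keying.
# Record 3 was keyed as 10018 instead of 10017; only the hash total reveals that.
SAMPLE_HEADER = {"record_count": 6,
                 "financial_total": Decimal("15345.50"),
                 "hash_total": 194788}
```

Note that the keying error in record 3 is caught twice, by the check digit on the record and by the hash total on the batch; an error in a field with no check digit would be caught only by the hash total.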
Controls Over Processing
Controls over processing are designed to provide reasonable assurance that:
● Transactions are processed accurately.
● Transactions are not lost, added, excluded, duplicated or improperly changed.
● Processing errors are identified and corrected on a timely basis.
Auditing in an IT Environment
The overall objective and scope of an audit, including auditor’s responsibilities, does not change
in an IT environment.
The overall objective and scope of an audit does not differ whether the entity operates in a mainly
manual environment, a completely automated environment, or an environment involving some
combination of manual and automated elements (i.e. manual and automated controls and other
resources used in the entity’s system of internal control).
An IT environment may affect:
1. Auditor’s consideration of internal control which will include an assessment of
computerized as well as manual controls.
2. Auditor’s assessment of control risk.
3. Procedures to be performed in considering internal control and performing substantive
tests.
Risk Assessment Procedures
1. The auditor should obtain an understanding of the significance and complexity of the IT
environment to be able to design further audit procedures. Furthermore, the following
explain why the auditor should understand the IT environment relevant to the information
system:
◦ The auditor’s understanding of the information system includes the IT environment
relevant to the flows of transactions and processing of information in the entity’s
information system, because the entity’s use of IT applications or other aspects of the
IT environment may give rise to risks arising from the use of IT.
◦ The understanding of the entity’s business model and how it integrates the use of IT
may also provide useful context for the nature and extent of IT expected in the
information system.
◦ The auditor’s understanding of the IT environment may focus on identifying, and
understanding the nature and number of, the specific IT applications and other
aspects of the IT environment that are relevant to the flows of transactions and
processing of information in the information system. Changes in the flow of
transactions, or of information within the information system, may result from program
changes to IT applications, or direct changes to data in databases involved in
processing or storing those transactions or information.
◦ The auditor may identify the IT applications and supporting IT infrastructure
concurrently with the auditor’s understanding of how information relating to
significant classes of transactions, account balances and disclosures flows into, through
and out of the entity’s information system.
2. When obtaining an understanding of the significance and complexity of the IT
environment, the auditor may use automated tools and techniques. Examples of
procedures that may be performed include:
◦ Perform risk assessment procedures on large volumes of data (from the general ledger,
sub-ledgers or other operational data), including for analysis, recalculations,
reperformance or reconciliations.
◦ Perform analytical procedures (commonly called data analytics).
◦ Observe or inspect, in particular assets, for example through the use of remote
observation tools (e.g. a drone).
◦ Understand flows of transactions and processing as part of the auditor’s procedures
to understand the information system. An outcome of these procedures may be that
the auditor obtains information about the entity’s organizational structure or those
with whom the entity conducts business (e.g. vendors, customers, related parties).
◦ Obtain direct access to, or a digital download from, the databases in the entity’s
information system that store accounting records of transactions. With this, the
auditor may confirm the understanding obtained about how the transactions flow
through the information system by tracing journal entries, or other digital records
related to a particular transaction, or an entire population of transactions, from
initiation in the accounting records through to recording in the general ledger.
◦ When automated procedures are used to maintain the general ledger and prepare
financial statements, such entries may exist only in electronic form and may therefore
be more easily identified through the use of automated techniques.
3. Understanding the risks arising from the use of IT and the general IT controls
implemented by the entity to address those risks may affect:
◦ The auditor’s decision about whether to test the operating effectiveness of controls to
address risks of material misstatement at the assertion level.
◦ The auditor’s assessment of control risk at the assertion level.
◦ The auditor’s strategy for testing information produced by the entity that is produced
by or involves information from the entity’s IT applications.
◦ The auditor’s assessment of inherent risk at the assertion level.
◦ The design of further audit procedures.
For the IT applications relevant to the information system, understanding the nature and
complexity of the specific IT process and general IT controls that the entity has in place
may assist the auditor in determining which IT applications the entity is relying upon to
accurately process and maintain the integrity of information in the entity’s information
system. Such IT applications may be subject to risks arising from the use of IT.
4. The auditor shall also consider risks arising from the use of IT. Such risks may arise from:
◦ Susceptibility of information processing controls to ineffective design or operation, or
risks to the integrity of information (i.e. the completeness, accuracy and validity of
transactions and other information) in the entity’s information system, due to
ineffective design or operation of controls in the entity’s IT processes.
◦ Risks to the integrity of information arising from susceptibility to ineffective
implementation of the entity’s information policies, which are policies that define the
information flows, records and reporting processes in the entity’s information system.
Information processing controls may be automated (i.e. embedded in IT applications)
or manual (e.g. input or output controls) and may rely on other controls, including other
information processing controls or general IT controls.
Identifying risks arising from the use of IT and general IT control
In identifying the risks arising from the use of IT, the auditor may consider the nature of
the identified IT application or other aspect of the IT environment and the reasons for it
being subjected to risks arising from the use of IT. Major considerations include:
◦ The auditor may identify applicable risks arising from the use of IT that relate primarily
to unauthorized access or unauthorized program changes, as well as those that address risks
related to inappropriate data changes (e.g. the risk of inappropriate changes to the data
through direct database access or the ability to directly manipulate information).
◦ Extent and nature of the applicable risks arising from the use of IT. The extent and
nature of the applicable risks arising from the use of IT vary depending on the nature
and characteristics of the identified IT applications and other aspects of the IT
environment. Applicable IT risks may also result when the entity uses external or internal
service providers for identified aspects of the IT environment (e.g. outsourcing the hosting
of its IT environment to a third party or using a shared service center for central
management of IT processes in a group).
Applicable risks arising from the use of IT may also be identified related to cyber security.
Also, it is more likely that there will be more risks arising from the use of IT when the
volume or complexity of automated application controls is higher and management is
placing greater reliance on those controls for effective processing of transactions or the
effective maintenance of the integrity of underlying information.
Specific examples of risks arising from the use of IT
Examples of risks arising from the use of IT include risks related to inappropriate reliance
on IT applications that are inaccurately processing data, processing inaccurate data, or
both, such as:
◦ Unauthorized access to data that may result in destruction of data or improper
changes to data, including the recording of unauthorized or non-existent transactions,
or inaccurate recording of transactions. Particular risks may arise where multiple
users access a common database.
◦ The possibility of IT personnel gaining access privileges beyond those necessary to
perform their assigned duties, thereby breaking down segregation of duties.
◦ Unauthorized changes to data in master files.
◦ Unauthorized changes to IT applications or other aspects of the IT environment.
◦ Failure to make necessary changes to IT applications or other aspects of the IT
environment.
◦ Inappropriate manual intervention.
◦ Potential loss of data or inability to access data as required.
5. The auditor should have sufficient knowledge of IT to plan, direct, supervise and
review the work performed. Also, the auditor should determine if assistance from an
expert is needed.
When an entity has greater complexity in its IT environment, identifying the IT
applications and other aspects of the IT environment, determining the related risks
arising from the use of IT, and identifying general IT controls is likely to require the
involvement of team members with specialized skills in IT. Such involvement is likely to
be essential, and may need to be extensive, for complex IT environments.
IT Characteristics and Considerations
Organizational Structure
1. Concentration of functions and knowledge.
Because of the ability of the computer to process data, several functions are combined and
the number of persons involved in the processing of financial information is significantly
reduced.
2. Concentration of programs and data.
Transaction and master file data are often concentrated, usually in machine-readable
form, making it more vulnerable to unauthorized alteration.
Nature of Processing
1. Lack of visible transaction trails (input, output and audit trail).
In an IT environment, data may be entered directly into the computer system without
supporting documents. Also, records and files may not be printed and cannot be read
without using the computer.
2. Ease of access to data and computer programs.
Data and computer programs may be accessed by unauthorized persons, either at the
computer or through the use of computer equipment at remote locations, leaving no
visible evidence.
Design and Procedural Aspects
1. Consistency of performance.
IT performs functions exactly as programmed. An incorrect program may result in
consistently erroneous processing that could have an adverse effect on the entity.
2. System generated transaction.
Some transactions may be initiated by the IT system itself without the need for an input document.
3. Programmed control procedures.
The nature of computer processing allows the design of internal control procedures in
computer programs.
4. Single transaction update of multiple or database computer files.
Test of Controls
The effectiveness of application controls is greatly affected by the effectiveness of general
controls. Accordingly, it may be more efficient to review the design of the general controls before
reviewing the application controls.
Application controls which the auditor may wish to test include manual controls exercised by
the user, controls over system output, and programmed control procedure.
Audit Approaches – Test of Controls
The auditor’s tests of controls vary depending on whether the audit evidence generated by the
computer is:
1. External to the computer, and therefore directly observable.
◦ Procedures involved are usually inquiries, observation and inspection of documents.
◦ The auditing around the computer technique is applied.
2. Internal to the computer, and therefore not directly observable.
◦ Requires the auditor to use the computer to obtain a reasonable degree of assurance that
controls are operating as planned.
To test these controls, the auditor may do the following:
1. Black box approach (Auditing around the computer).
◦ It involves procedures generally performed in testing a manual control structure.
◦ Focuses solely on the input documents and the IT output.
◦ The auditor ignores the client’s data processing procedures.
2. White box approach
a) Auditing with the computer.
▪ The auditor uses the computer as an audit tool.
b) Auditing through the computer.
▪ The auditor enters the client’s system and examines directly the computer and its
system and application software using CAATs.
Computer-Assisted Auditing Techniques (CAATs) for Tests of Controls
1. The following are the factors to consider in using CAATs:
a) Degree of technical competence in IT.
b) Availability of CAATs and appropriate computer facilities.
c) Impracticability of manual tests.
d) Effectiveness and efficiency.
e) Timing of tests.
2. Test of controls using CAATs may be divided into the following categories of techniques:
a) Program analysis
b) Program testing
c) Continuous testing
d) Review of operating systems
Program Analysis
These techniques allow the auditor to gain an understanding of the client’s program.
a) Code review – this technique involves actual analysis of the logic of the program’s
processing routines.
b) Comparison programs – these programs allow the auditor to compare computerized files
(for example, the production copy of a program against an authorized copy).
c) Flowcharting software – this is used to produce a flowchart of a program’s logic and may
be used in both mainframe and microcomputer environments.
d) Program tracing and mapping – program tracing is a technique in which each instruction
executed is listed along with control information affecting that instruction. Program
mapping, on the other hand, identifies sections of code that can be “entered” and thus are
executable.
These techniques allow the auditor to recognize logic sequences or dormant sections of code
that may be a potential source of abuse.
e) Snapshot – this technique in essence “takes a picture” of the status of program execution,
intermediate results, or transaction data at specified processing points in the program.
This technique helps the auditor to analyze the processing logic of specific programs.
Program Testing
Program testing involves the use of auditor-controlled actual or simulated data. The approach
provides direct evidence about the operation of programs and programmed controls.
Test Data
● A set of dummy transactions is developed by the auditor and processed by the client’s
computer programs to determine whether the controls which the auditor intends to test
are operating effectively.
● Test data shifts control over the processing to the auditor by utilizing the client’s software
to process both valid and invalid transactions.
● If embedded controls are functioning effectively, the client’s software should detect all the
exceptions planted in the auditor’s test data.
Integrated Test Facility (ITF) or Integrated Test Data or Mini Company Approach
● This method introduces dummy transactions into a system in the midst of live
transactions and is usually built into the system during the original design.
● Integrates fictitious and actual data without management’s knowledge, allowing the
auditor to compare the client’s output with the results expected by the auditor.
● One way to accomplish this is to incorporate a simulated (dummy) division or subsidiary into
the accounting system with the sole purpose of running test data through it.
Base Case System Evaluation (BCSE)
● A special type of test data.
● Can provide an auditor with more assurance than test data alone.
● Develops test data that purports to test every possible condition that an auditor expects a
client’s software will confront.
● Time-consuming and expensive to develop and therefore cost-effective only in large
computer systems for which the auditor can rely on internal auditors to develop the base
case.
NOTE: When using these techniques, each control generally need only be tested once, because
the computer processes every transaction the same way. Several problems may nevertheless be
encountered during testing. These problems include, but are not limited to, the following:
1. Making certain the test data is not included in the client’s accounting records.
2. Determining that the program tested is actually the one the client uses to process data.
3. Adequately developing test data for every possible control.
4. Developing adequate data to test key controls may be extremely time-consuming.
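Worked example of the test data approach (added for this page; it is not part of the original notes and not any client's system): a hypothetical sales order edit routine stands in for the client's program, the auditor's test deck carries planted exceptions, and a small harness checks that every planted exception is detected and that no valid record is rejected. The customer master, credit limits and exception codes are assumed.

```python
"""Test data approach: an auditor's deck of dummy transactions run through the
client's programmed controls. The 'client program' below is a hypothetical
stand-in constructed for this example, not real client code."""

# Hypothetical client master data (constructed; not real customer records).
VALID_CUSTOMERS = {"C100", "C200", "C300"}
CREDIT_LIMIT = {"C100": 5000, "C200": 2000, "C300": 10000}


def client_edit_checks(txn):
    """Programmed controls as a client's sales-order program might implement
    them. Returns the exception codes raised for one transaction."""
    exceptions = []
    if txn.get("customer") not in VALID_CUSTOMERS:
        exceptions.append("INVALID_CUSTOMER")        # validity check
    if not isinstance(txn.get("amount"), (int, float)):
        exceptions.append("NON_NUMERIC_AMOUNT")      # field check
    else:
        if txn["amount"] <= 0:
            exceptions.append("NON_POSITIVE_AMOUNT") # sign check
        limit = CREDIT_LIMIT.get(txn.get("customer"))
        if limit is not None and txn["amount"] > limit:
            exceptions.append("OVER_CREDIT_LIMIT")   # limit check
    if not str(txn.get("order_no", "")).isdigit():
        exceptions.append("BAD_ORDER_NUMBER")        # format check
    return exceptions


def weak_edit_checks(txn):
    """The same program with the credit-limit check missing, to show what the
    harness reports when a control the auditor relies on is absent."""
    return [e for e in client_edit_checks(txn) if e != "OVER_CREDIT_LIMIT"]


# Auditor's test deck (constructed). 'expect' lists the exceptions the auditor
# planted; an empty list marks a valid transaction that must be accepted.
TEST_DECK = [
    {"order_no": "1001", "customer": "C100", "amount": 1500, "expect": []},
    {"order_no": "1002", "customer": "C999", "amount": 100,
     "expect": ["INVALID_CUSTOMER"]},
    {"order_no": "1003", "customer": "C200", "amount": 2500,
     "expect": ["OVER_CREDIT_LIMIT"]},
    {"order_no": "1004", "customer": "C300", "amount": -50,
     "expect": ["NON_POSITIVE_AMOUNT"]},
    {"order_no": "ABCD", "customer": "C100", "amount": "ten",
     "expect": ["NON_NUMERIC_AMOUNT", "BAD_ORDER_NUMBER"]},
]


def run_test_deck(deck, program=client_edit_checks):
    """Process the deck through the program and report:
    - undetected: planted exceptions the program failed to raise
    - unexpected: exceptions raised on data the auditor considers valid
    The deck only reaches the edit routine and is never posted, which is how
    this example keeps test data out of the client's accounting records."""
    undetected, unexpected = [], []
    for rec in deck:
        txn = {k: v for k, v in rec.items() if k != "expect"}
        raised, planted = set(program(txn)), set(rec["expect"])
        undetected += [(rec["order_no"], c) for c in sorted(planted - raised)]
        unexpected += [(rec["order_no"], c) for c in sorted(raised - planted)]
    return {"undetected": undetected, "unexpected": unexpected,
            "controls_effective": not undetected and not unexpected}


if __name__ == "__main__":
    print(run_test_deck(TEST_DECK))
    print(run_test_deck(TEST_DECK, program=weak_edit_checks))
```

Running the deck through `weak_edit_checks` shows what the harness reports when the control the auditor relies on (the credit limit check) is absent: order 1003 comes back as an undetected exception. Against a real system the auditor still has to reverse or segregate the test entries, since a live program would post the valid records in the deck.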
Parallel Simulation
● Shifts control over the computer software to the auditor.
● This technique processes actual client data through an auditor’s generalized audit
software program and frequently, although not necessarily, on the auditor’s computer.
● After processing the data, the auditor compares the output obtained with the output
obtained from the client.
● If the client’s software is operating effectively, the auditor’s software should generate the
same exceptions as the client’s software.
The limitations of this method are:
1. The time it takes to build an exact duplicate of the client’s system.
2. Incompatibility between the auditor’s and the client’s software.
3. Tracing differences between two sets of outputs to differences in the programs may
be difficult.
4. The time involved in processing large quantities of data.
Controlled Reprocessing
● This is only a variation of parallel simulation. Instead of using a generalized audit software
program to process actual client data, the auditor uses a copy of the client’s application
program.
The limitations of this method are:
1. Determining that the copy of the program is identical to the program currently being used by
the client.
2. Keeping current with changes in the program.
3. The time involved in reprocessing large quantities of data.
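Worked example of parallel simulation and controlled reprocessing (added here; the invoice file, the client output, the billing rule and the sample program text are all constructed for this page and are not the original notes' material). The auditor's own implementation of the documented billing rule is run over the client's invoice file and compared with the client's output; separately, a copy of the client's program is checked against the production version by hash and by a comparison-program style diff before being reprocessed over the same data.

```python
"""Parallel simulation and controlled reprocessing. All data and the sample
'client program' are constructed for this illustration."""
import difflib
import hashlib

# Constructed client invoice file (the actual client data being reprocessed).
CLIENT_INVOICES = [
    {"inv": "A1", "qty": 10,  "price": 20.00, "disc": "NONE"},
    {"inv": "A2", "qty": 100, "price": 5.00,  "disc": "VOL"},
    {"inv": "A3", "qty": 3,   "price": 99.99, "disc": "VOL"},
    {"inv": "A4", "qty": 40,  "price": 12.50, "disc": "NONE"},
]
# Constructed output of the client's billing program for the same file.
# A3 is wrong on purpose: the client program grants the volume discount to an
# order that does not qualify, which the simulation should surface.
CLIENT_OUTPUT = {"A1": 200.00, "A2": 450.00, "A3": 269.97, "A4": 500.00}


def auditor_extend(inv):
    """Auditor's independent implementation of the documented billing rule
    (assumed here: 10% volume discount only when quantity is at least 50)."""
    gross = round(inv["qty"] * inv["price"], 2)
    if inv["disc"] == "VOL" and inv["qty"] >= 50:
        return round(gross * 0.90, 2)
    return gross


def parallel_simulation(invoices, client_output):
    """Reprocess the client's data with the auditor's program and return the
    invoices where the two outputs disagree (tolerance of half a cent)."""
    differences = []
    for inv in invoices:
        expected = auditor_extend(inv)
        actual = client_output.get(inv["inv"])
        if actual is None or abs(actual - expected) > 0.005:
            differences.append({"inv": inv["inv"], "client": actual,
                                "auditor": expected})
    return differences


# Controlled reprocessing uses a copy of the client's own program, so the
# first question is whether the copy really is the production version.
# Sample program text, constructed; it has the defect that produced A3.
PRODUCTION_PROGRAM = """\
def extend(qty, price, disc):
    gross = qty * price
    if disc == 'VOL':
        gross *= 0.90
    return round(gross, 2)
"""
AUDITOR_COPY = PRODUCTION_PROGRAM
# A copy that no longer matches production (e.g. taken after a later change).
CHANGED_COPY = PRODUCTION_PROGRAM.replace("if disc == 'VOL':",
                                          "if disc == 'VOL' and qty >= 50:")


def source_hash(text):
    return hashlib.sha256(text.encode()).hexdigest()


def verify_program_copy(production, copy):
    """Return (identical, differing_lines). A hash match proves identity; on a
    mismatch a comparison-program style diff shows where the copy departs."""
    if source_hash(production) == source_hash(copy):
        return True, []
    diff = [l for l in difflib.unified_diff(production.splitlines(),
                                            copy.splitlines(),
                                            n=0, lineterm="")
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    return False, diff


def controlled_reprocessing(program_source, invoices, client_output):
    """Run the copy of the client's program over the same data and list the
    invoices whose result differs from the client's output. Agreement shows
    the output came from this program; it does not show the program is right."""
    ns = {}
    exec(program_source, ns)  # executes the constructed sample program text
    return [inv["inv"] for inv in invoices
            if abs(ns["extend"](inv["qty"], inv["price"], inv["disc"])
                   - client_output[inv["inv"]]) > 0.005]
```

The two techniques answer different questions. Controlled reprocessing with the client's own program reproduces the client's figures exactly, which shows that the output came from that program. The parallel simulation with the independently written rule is what surfaces invoice A3, where the client program applied a discount the documented policy does not allow; tracing that difference back to the `if disc == 'VOL':` line is the work described under limitation 3 of parallel simulation.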
Continuous/Concurrent Testing
Advanced computer systems, particularly those utilizing EDI (electronic data interchange), sometimes
do not retain permanent audit trails, thus requiring capture of audit data as transactions are
processed. Such systems may require audit procedures that are able to identify and capture data
as transactions occur.
Embedded Audit Modules
● Embedded audit modules are programmed routines incorporated into an application
program that are designed to perform an audit function such as a calculation or logging
activity.
● They are used to select client data for subsequent testing and analysis.
System Control Audit Review Files (SCARF)
● A log, usually created by an embedded audit module, used to collect information for
subsequent review and analysis.
● The auditor determines the appropriate criteria and the SCARF selects the transactions
that meet them.
Audit Hooks
● An audit hook is an exit point in an application program that allows an auditor to
subsequently add an audit module (or particular instructions) by activating the hook to
transfer control to an audit module.
● Auditors sometimes use audit hooks to accomplish transaction tagging.
Transaction Tagging
● Tagging is a technique in which an identifier providing a transaction with a special
designation is added to the transaction record.
● A transaction is “tagged” and then traced through critical control points in the
information system.
● The tag is often used to allow logging of transactions or snapshots of activities.
Extended Records
● This technique attaches additional data that would not otherwise be saved to regular
historic records and thereby helps to provide a more complete audit trail.
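Worked example covering the embedded audit module, SCARF, audit hook and transaction tagging techniques above (added for this page; not from the original notes): a hypothetical posting program calls an embedded audit module at three control points, the module writes transactions meeting auditor-specified criteria to a SCARF log, and a tagged transaction has a snapshot of the ledger recorded at each point. The thresholds, privileged user list, business hours and the batch are assumed.

```python
"""Embedded audit module with a SCARF log and transaction tagging. The
application, the batch and the selection criteria are constructed."""

# Auditor-specified selection criteria (assumed for the example).
LARGE_AMOUNT = 10_000
PRIVILEGED_USERS = {"sysadmin"}
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59


def auditor_criteria(txn):
    """Return the reasons a transaction should be written to the SCARF."""
    reasons = []
    if txn["amount"] >= LARGE_AMOUNT:
        reasons.append("LARGE_AMOUNT")
    if txn["user"] in PRIVILEGED_USERS:
        reasons.append("PRIVILEGED_USER")
    if int(txn["time"].split(":")[0]) not in BUSINESS_HOURS:
        reasons.append("OFF_HOURS")
    return reasons


def embedded_audit_module(txn, stage, balances, scarf, trace):
    """Called by the application at each control point (the audit hook).
    Tagged transactions get a snapshot of the ledger at every point; SCARF
    selection is applied once, after the transaction has passed validation."""
    if txn.get("tag"):
        trace.append({"id": txn["id"], "stage": stage,
                      "snapshot": dict(balances)})
    if stage == "VALIDATED":
        reasons = auditor_criteria(txn)
        if reasons:
            scarf.append({"id": txn["id"], "user": txn["user"],
                          "amount": txn["amount"], "reasons": reasons})


def process_batch(txns):
    """Hypothetical posting application with hooks at three control points.
    Returns (balances, scarf, trace)."""
    balances, scarf, trace = {}, [], []
    for txn in txns:
        embedded_audit_module(txn, "INPUT", balances, scarf, trace)
        if txn["amount"] <= 0:           # programmed control: reject
            embedded_audit_module(txn, "REJECTED", balances, scarf, trace)
            continue
        embedded_audit_module(txn, "VALIDATED", balances, scarf, trace)
        balances[txn["acct"]] = balances.get(txn["acct"], 0) + txn["amount"]
        embedded_audit_module(txn, "POSTED", balances, scarf, trace)
    return balances, scarf, trace


# Constructed batch; T2 carries the auditor's tag so it is traced end to end.
BATCH = [
    {"id": "T1", "acct": "A", "amount": 500,   "user": "clerk1",   "time": "10:00"},
    {"id": "T2", "acct": "B", "amount": 25000, "user": "clerk2",   "time": "11:30",
     "tag": True},
    {"id": "T3", "acct": "A", "amount": 300,   "user": "clerk1",   "time": "22:15"},
    {"id": "T4", "acct": "C", "amount": -10,   "user": "clerk3",   "time": "09:00"},
    {"id": "T5", "acct": "A", "amount": 700,   "user": "sysadmin", "time": "14:00"},
]

if __name__ == "__main__":
    balances, scarf, trace = process_batch(BATCH)
    print("balances:", balances)
    for entry in scarf:
        print("SCARF:", entry)
    for entry in trace:
        print("TRACE:", entry)
```

The SCARF ends up holding T2 (large amount), T3 (posted outside business hours) and T5 (posted by a privileged user); the rejected T4 never reaches the selection point. The trace for the tagged T2 shows the ledger before and after posting, which is the snapshot technique applied through a hook rather than as a separate run.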
Review of Operating Systems and Other System Software
System software may perform controls for computer systems. Related audit techniques range from
user-written programs to the use of purchased operating system monitoring software.
Job Accounting Data/Operating System Logs
● These logs, created either by the operating system itself or by additional software packages
that track particular functions, include reports of the resources used by the computer
system.
● The auditor may be able to use them to review the work processed, to determine whether
unauthorized applications were processed, and to determine that authorized applications
were processed properly.
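Worked example of the log review described above (added for this page; the record format, the log lines and the authorized job list are invented and do not come from any real operating system or client): each job accounting record is parsed and checked against the list of authorized production programs, their permitted users and their batch window, and authorized programs missing from the day's log are reported as well.

```python
"""Review of job accounting / operating system logs. The line format is a
constructed one for this example, not that of any real operating system."""
import re
from datetime import datetime

# Authorized production programs: who may run them and the batch window
# (hour of day, inclusive start, exclusive end). Assumed for the example.
AUTHORIZED = {
    "PAYCALC": {"users": {"BATCH"}, "window": (1, 5)},
    "GLPOST":  {"users": {"BATCH"}, "window": (1, 5)},
    "ARPOST":  {"users": {"BATCH"}, "window": (1, 5)},
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) JOB=(?P<job>\S+) "
    r"PGM=(?P<pgm>\S+) USER=(?P<user>\S+) RC=(?P<rc>\d+) CPU=(?P<cpu>[\d.]+)$")

# Constructed log extract for one processing day.
LOG_LINES = """\
2024-03-01 02:05:13 JOB=PAYRUN01 PGM=PAYCALC USER=BATCH RC=0 CPU=12.4
2024-03-01 02:31:40 JOB=GLPOST01 PGM=GLPOST USER=BATCH RC=8 CPU=3.1
2024-03-01 13:12:05 JOB=ADHOC7 PGM=PAYCALC USER=JDOE RC=0 CPU=9.8
2024-03-01 23:58:01 JOB=XFER PGM=FTPCOPY USER=JDOE RC=0 CPU=0.2
2024-03-01 23:59:?? JOB=??? corrupted record
""".splitlines()


def parse_line(line):
    """Parse one record; return None when the record does not match the
    expected layout, so the reviewer sees it instead of silently skipping."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["rc"] = int(rec["rc"])
    rec["cpu"] = float(rec["cpu"])
    return rec


def review_job_log(lines, authorized=AUTHORIZED):
    """Return (job, finding) pairs an auditor would follow up: unparseable
    records, programs not on the authorized list, runs by an unauthorized
    user or outside the batch window, abnormal completion codes, and
    authorized programs that did not run at all."""
    findings, seen = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("?", "UNPARSEABLE: " + line.strip()))
            continue
        rule = authorized.get(rec["pgm"])
        if rule is None:
            findings.append((rec["job"], f"UNAUTHORIZED_PROGRAM {rec['pgm']}"))
            continue
        seen.add(rec["pgm"])
        if rec["user"] not in rule["users"]:
            findings.append((rec["job"], f"UNAUTHORIZED_USER {rec['user']}"))
        start, end = rule["window"]
        if not start <= rec["ts"].hour < end:
            findings.append((rec["job"], "OUTSIDE_BATCH_WINDOW"))
        if rec["rc"] != 0:
            findings.append((rec["job"], f"ABNORMAL_END RC={rec['rc']}"))
    for pgm in sorted(set(authorized) - seen):
        findings.append(("-", f"NOT_RUN {pgm}"))
    return findings


if __name__ == "__main__":
    for job, finding in review_job_log(LOG_LINES):
        print(f"{job:<10} {finding}")
```

On the constructed extract this reports the abnormal end of the general ledger posting, a payroll calculation run by an individual user in the afternoon, an unlisted file transfer program, a corrupted record, and the receivables posting that never ran; each is a question for the client rather than a conclusion, but the log is what makes the question visible.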
Library Management Software
● This software logs changes in programs, program modules, job control language, and
other processing activities.
Access Control and Security Software
● This software supplements the physical and other control measures relating to the computer
and is particularly helpful in online environments or in systems with data communications
because of the difficulty of physically securing such computers.
Computerized Audit Tools
The following computer-assisted audit techniques are available for administering, planning,
performing, and reporting on an audit:
Generalized Audit Software (GAS)/Package Programs
The auditor may use various types of software on PCs, including customized programs,
utility software, and generalized audit software, for performing tests of controls and substantive
tests.
They can be designed to perform audit tasks such as:
1. Reading computer files.
2. Selecting samples.
3. Performing calculations.
4. Creating data files.
5. Printing reports in an auditor-specified format.
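Worked example of the five GAS tasks in miniature (added for this page; not from the original notes or any audit software product): reading a constructed receivables file, footing it, selecting a reproducible systematic sample, extracting large items into a separate data file, and printing an auditor-formatted report. The file contents, the sample size and the seed are assumed.

```python
"""Generalized audit software tasks in miniature. The receivables file is
constructed for this example."""
import csv
import io
import random
from decimal import Decimal

# Constructed client file in the form GAS would read it.
RECEIVABLES_CSV = """\
cust,balance
C001,1250.00
C002,80.50
C003,4300.00
C004,15.25
C005,990.00
C006,2200.75
C007,60.00
C008,7800.00
"""


def read_file(text):
    """Task 1: read the computer file into typed records. Decimal is used so
    the footing is exact, as it must be in the working papers."""
    return [{"cust": r["cust"], "balance": Decimal(r["balance"])}
            for r in csv.DictReader(io.StringIO(text))]


def foot(records):
    """Task 3: perform calculations (here, foot the balance column)."""
    return sum((r["balance"] for r in records), Decimal("0"))


def select_sample(records, n, seed):
    """Task 2: systematic selection with a seeded random start, so the same
    sample can be regenerated and documented."""
    interval = len(records) // n
    start = random.Random(seed).randrange(interval)
    return [records[i] for i in range(start, len(records), interval)][:n]


def select_large_items(records, threshold):
    """Task 4: create a separate data file of items at or above a monetary
    threshold, for 100% testing rather than sampling."""
    threshold = Decimal(str(threshold))
    return [r for r in records if r["balance"] >= threshold]


def report(records, sample):
    """Task 5: print in an auditor-specified format, marking sampled items."""
    chosen = {r["cust"] for r in sample}
    lines = [f"{'CUST':<6}{'BALANCE':>12}  SAMPLED"]
    for r in records:
        mark = "*" if r["cust"] in chosen else ""
        lines.append(f"{r['cust']:<6}{r['balance']:>12.2f}  {mark}")
    lines.append(f"{'TOTAL':<6}{foot(records):>12.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = read_file(RECEIVABLES_CSV)
    print(report(recs, select_sample(recs, 4, seed=7)))
    print("large items:", [r["cust"] for r in select_large_items(recs, "4000")])
```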
Electronic Spreadsheet
● Often included in GAS; may be used for applications such as analytical procedures and
performing mathematical procedures.
● Contains a variety of predefined mathematical operations and functions that can be applied
to data entered into the cells of a spreadsheet.
Automated Workpaper Software
● Microcomputer based and used to generate trial balances, lead schedules and other
workpapers useful for the audit.
● The schedules and reports can be created once the auditor has manually entered or
electronically imported the client’s account balance information into the system.
Database Management System
● May be used to perform analytical procedures, mathematical calculations, generation of
confirmation requests, and to prepare customized automated work papers.
● Manages the creation, maintenance, and processing of information.
● The data are organized in the form of predefined records, and the database software is
used to select, update, sort, display, or print the records.
Text Retrieval Software/Text Database Software
● Enables access to various databases, including databases of standard-setting bodies.
● The software program allows the user to browse through text files much as a user would
browse through books.
Public Databases
● May be used to obtain accounting information related to particular companies and
industries as well as other publicly available information.
Word Processing Software
● Used in a variety of communication-related tasks, including documenting the consideration
of internal control, developing audit programs, and reporting.