AT 08: AUDITING IN AN IT ENVIRONMENT

Auditing in an Information Technology Environment

An IT environment exists when a computer of any type or size is involved in the processing by an entity of financial information of significance to the audit, whether the computer is operated by the entity or by a third party.

The IT environment consists of the IT applications and supporting IT infrastructure, as well as the IT processes and personnel involved in those processes, that an entity uses to support business operations and achieve business strategies. The IT environment therefore includes:
i. IT applications – an IT application is a program or set of programs used in the initiation, processing, recording and reporting of transactions or information. IT applications include data warehouses and report writers.
ii. IT infrastructure – the network, operating systems and databases, and their related hardware and software.
iii. IT processes – the entity's processes to manage access to the IT environment, manage program changes or other changes to the IT environment, and manage IT operations.

Terms Used in an IT Environment

Types of Computer Systems
1. Management Reporting System – designed to support decision making by providing access to computer data.
a) Decision support system – computer-based information systems that combine models and data to resolve non-structured problems, with extensive user involvement.
b) Executive information system – computerized systems specifically designed to support executive work.
c) Expert system – computer systems that apply reasoning methods to data in a specific, relatively structured area to render advice or recommendations.
d) Management information system – systems designed to provide past, present and future information for planning, organizing and controlling the operations of the organization.
2. Transaction Processing System – handles the daily processing of transactions.

Types of Computers
1. Supercomputers – extremely powerful, high-speed computers for extremely high-volume and/or complex processing needs.
2. Mainframe computers – large, powerful, high-speed computers.
3. Minicomputers – large and powerful, but not as large or powerful as mainframes.
4. Microcomputers – small computers, such as personal computers and laptops.
5. Personal digital assistants – mobile, handheld computers.

Basic Components

Hardware
Hardware is the physical devices or equipment used to accomplish the data processing function. Hardware includes:

Input devices – convert information into machine-readable form. Examples:
a) Keying data – key-to-tape and key-to-disk, in which data are entered directly onto tape or disk through a terminal and then read into the computer.
b) Online entry
1. Visual display terminal – uses a keyboard to enter data directly into the computer.
▪ Input interface – a program that controls the display for the user (usually on a computer monitor) and allows the user to interact with the system.
▪ Graphical user interface – uses icons, pictures and menus instead of typed text (e.g. Windows).
▪ Command line interface – uses typed text commands.
2. Mouse, joystick, light pens.
3. Touch-sensitive screens – allow users to select from a menu of items by touching the surface of the monitor.
c) Turnaround documents – documents that are sent to customers and returned as inputs (e.g. utility bills).
d) Automated source data input devices
1. Magnetic tape reader – a device that senses information recorded as magnetic spots on magnetic tape. Tape can also serve as an output device and storage medium.
2. Magnetic ink character reader (MICR) – a device that reads characters printed in magnetic ink by temporarily magnetizing and scanning them (e.g. bank check readers).
3. Optical character recognition (scanner) – a device that reads characters directly from documents based on their shapes and positions on the source document.
4. Cathode ray tube (CRT) terminal – a typewriter-like keyboard device that encodes keystrokes into electrical impulses.
5. Automated teller machines (ATM) – machines used to execute and record transactions with financial institutions.
6. Point-of-sale (POS) recorders – terminals connected to a computer that take the place of a cash register, allow instant recording of transactions and can maintain a perpetual inventory.
7. Voice recognition – a system that recognizes spoken words and converts them into computer input.
e) Electronic commerce and electronic data interchange – one company's computer communicating directly with another company's computer.

Central Processing Unit (CPU) – the principal hardware component; it executes the program instructions that manipulate data. It contains:
a) Control unit – interprets the program instructions that manipulate the data.
b) Storage unit (primary memory) – retains data and instructions during processing.
c) Arithmetic and logic unit (ALU) – performs arithmetic and logical operations.

Secondary storage devices – serve as storage support for the CPU.
a) Method of access
1. Random (direct) – data can be accessed directly regardless of where they are physically stored (e.g. magnetic disk).
2. Sequential – data must be processed in the order in which they are physically stored (e.g. magnetic tape, cartridges).
b) Storage devices
1. Magnetic tape – the primary medium for backing up random-access disk files and considered the cheapest type of storage available.
2. Magnetic disks – the disk units of mainframes and the hard disks or drives of microcomputers.
3. Redundant array of independent disks (RAID) – stores the same data redundantly on multiple magnetic disks to minimize the likelihood of data loss.
4. Compact disks, floppy disks and zip disks.
5. Optical disks – use laser technology to store and read data.
Output devices – translate processed data into forms understandable by users. Examples include:
a) The devices in items c) and d) of the input devices above (which also produce output).
b) Monitors
c) Printers
d) Plotters
e) Computer output to microfilm or microfiche (COM)

Software
Software consists of sets of instructions (programs) that direct, control and coordinate the operation of the hardware components.
1. Systems software
a) Operating system – a group of programs that monitors and controls all the input, output, processing and storage devices and operations of a computer (e.g. DOS, Windows, Linux, Mac OS). It controls the functioning of the CPU and other peripheral equipment.
b) Utility programs – handle common file, data manipulation and "housekeeping" tasks, performing commonly required processes such as sorting and merging.
c) Communication software – controls and supports transmission between computers and between computers and terminals, and provides access to databases.
2. Application software (also known as "apps") – programs written in programming languages such as Turbo C, assembly, Java, Visual Basic and COBOL and designed for specific users or processing tasks, such as payroll preparation, word processing, graphics, database systems and accounting software.
3. Database management system (DBMS) – a software package for creating, accessing and maintaining a database.
4. Source program – a program written in a programming language whose statements must be translated into machine language.
5. Object program – the source program after conversion by a compiler into machine-readable instructions.
6. Compiler – produces a machine-language object program from a source program.
7. Interpreter – translates and executes each source code instruction every time it is run, rather than producing an object program.
8. Virtual memory (storage) – online secondary storage used as an extension of primary memory, giving the appearance of larger, virtually unlimited internal memory.

Different Types of Electronic Data Processing Systems
1. Batch processing – data are accumulated and processed in groups.
2. Online or real-time (OLRT) processing – processing takes place as the data are entered into the computer (the peripherals are in direct contact with the CPU).
3. Database systems – maintain one copy of important records in an organized file system (the database) that is shared by various users, so that no user needs to maintain a private copy of the file. This eliminates data redundancy. Responsibility for database maintenance and control is entrusted to a database administrator.
4. Computer networks

Network Environment
A network is a group of interconnected computers and terminals. A network environment is a communication system that enables users to share computer equipment, applications, software, data, and voice and video transmissions.

Types classified by geographical scope:
1. Local area network (LAN) – allows sharing of resources, data and programs within a limited geographical area.
2. Wide area network (WAN) – a computer network that spans a large geographical area.
3. National area network (NAN) – covers an entire country.
4. Internet – covers the globe.

Network-related technologies:
1. Distributed data processing – sharing of information and programs by large numbers of users. This set-up calls for computer security because of the wider exposure to unwanted access.
2. Electronic data interchange – the use of telecommunication links (cable, radio, fiber optics, microwave, laser and other electromagnetic transmissions) to exchange business data. This significantly reduces the audit trail.
3. End user computing – user departments develop and execute their own computer applications (generating and using their own information).

Internal Controls in an IT Environment

General Controls
Control policies and procedures that relate to the overall computer information system. General IT controls cover controls over the entity's IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (i.e. the completeness, accuracy and validity of information) in the entity's information system.

Organizational Controls
Organizational controls are designed to define the strategic direction of, and establish an organizational framework over, IT activities, including:
● Strategic information and technology plan.
● Policies and procedures.
● Segregation of incompatible functions:
◦ Between the IT department and the user departments.
◦ Within the IT department.
● Monitoring of IT activities performed by third-party consultants.

Responsibility within an Information Systems Department
1. Information systems management – headed by a Chief Information Officer, who supervises the operation of the department.
2. Systems analysis – responsible for designing information systems; sets the goals of the information system and the means of achieving them after considering the goals of the organization and the computer processing needs of the entity.
3. Application programming – codes the system specifications determined by the systems analysts, using programming languages (Pascal, C, FoxPro, etc.).
4. Database administration – plans and administers the database by designing it and controlling its use.
5. Data entry – prepares and verifies input data for processing.
6. Computer operation – runs and monitors the central computer in accordance with standard instructions.
Sometimes operators need to use the computer console to correct errors indicated during processing; because this is a risk exposure, the operating system should be designed to maintain a log of computer operator intervention. Computer operation should also be separated from application programming to mitigate the possibility of unauthorized changes to computer programs.
7. Program and file library – protects computer programs, master files, transaction tapes and other records from loss, damage, unauthorized use or alteration.
8. Data control – reviews and tests all input procedures, monitors computer processing, reviews exception reports, handles reprocessing of exceptions detected by the computer and distributes all computer output; also reviews the computer log of operator intervention and the library log of program usage.
9. Telecommunications – responsible for maintaining and enhancing computer networks and network connections.
10. Systems programming – responsible for troubleshooting the operating system(s) in use, upgrading them, and working with application programs that are incompatible with the operating system.
11. Quality assurance – ensures that new systems being developed and old ones being replaced are controlled, and that the new system meets user specifications and documentation standards.

Systems Development, Maintenance and Documentation Controls
1. User departments must participate in system design.
2. Written system specifications must be required and approved by management and the user department.
3. Both user and IT personnel must test new systems.
4. Management, user and IT personnel must approve a new system before implementation.
5. All master and transaction files must be controlled to avoid unauthorized changes.
6. All program changes should be approved.
7. Adequate documentation should be maintained to facilitate the use of programs.
Access Controls
Access controls provide reasonable assurance that access to equipment, files and programs is limited to authorized personnel.
1. Physical access controls
a) Limited physical access – guards, automated key cards and manual key locks.
b) Visitor entry log.
2. Electronic access controls
a) Requiring user identification (especially on online systems) and regular changes of passwords.
b) Defining each user's data access privileges.
c) Call-back – the user dials in to the IT system, the system disconnects the call, and once the user's identification has been verified it re-establishes the communication link by calling the user back at a pre-authorized number.
3. Hardware controls
a) Diagnostic routines – hardware or software supplied by manufacturers to check the internal operations and devices within the computer system.
b) Boundary protection – ensures the integrity of the memory allocated to a job that is running concurrently with other jobs in a multiprogramming environment.
4. Data transmission controls – procedures established to prevent unauthorized access to, or changes in, information being transmitted via telecommunication facilities:
a) Parity check – computers process and transmit data as arrays of bits; a redundant (parity) bit may be added to each character so that the integrity of the information processed or transmitted can be verified. A parity bit detects any single-bit error in a character but not an even number of bit errors.
b) Data encryption – data are coded into secret characters so that unauthorized individuals cannot read the information.
c) Message acknowledgment technique (e.g. echo check) – the receiving device sends the message it received back to the sending device, which verifies that the transmission was correct.
d) Private lines – using phone lines owned or leased by the organization, which are more secure than public lines.

Other access control activities:
a) Programming the operating system to generate a computer log of failed access attempts and to generate warnings for repeated access failures.
b) Programmers should not have access to input data or to application programs that are currently in use.
c) Computer operators should be restricted to the application programs currently being used.
d) Computer operators should have access only to the operations manual (instructions for processing programs) and not to detailed program documentation.

Data and Procedural Controls
● Data control group – receives all data for processing, ensures complete recording, follows up errors, determines that data are corrected and resubmitted by the user departments, and verifies output distribution.
● Processing controls:
1. A written manual of systems and procedures for all computer operations.
2. Back-up and recovery:
a) Grandfather-father-son principle of file retention – a back-up scheme used in batch processing that enables a destroyed or lost master file to be reproduced from the retained generations (typically three) of master files and the transaction files that produced them.
b) Snapshots – a daily copy of the data files is taken and retained until the weekly file is prepared; weekly files are retained until the monthly file is prepared, and monthly files until the annual file is created.
3. Contingency processing – detailed processing plans to be invoked in case of disaster, which may include:
a) Reciprocal agreement / mutual aid pact.
b) Internal site.
c) Hot site – a back-up center already installed with equipment.
d) Cold site – a back-up center ready for equipment to be brought in.
4. File protection rings – writing to a magnetic tape is possible only when the ring is fitted to the reel. This prevents the operator error of overwriting tapes containing critical information.
5. Internal and external labels – identify files so that the wrong file is not processed or destroyed.

Monitoring Controls
Monitoring controls are designed to ensure that IT controls are working effectively. These may include:
● Monitoring of key IT performance indicators.
● Internal/external IT audits.
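The parity check and echo check listed under data transmission controls above, as an added example that is not part of the original notes. The 7-bit ASCII frame, the even-parity convention and the simulated line noise are constructed here for illustration; no real protocol is modelled.

```python
"""Parity check and echo check over a constructed data transmission.

Added example, not part of the original notes. The 7-bit ASCII frame, the
even-parity convention and the "line noise" that flips bits are assumptions
made here for illustration.
"""
from __future__ import annotations


def parity_bit(char7: int) -> int:
    """Even parity: the redundant bit is chosen so the 8-bit word has an even number of 1 bits."""
    return bin(char7 & 0x7F).count("1") % 2


def encode_frame(data: bytes) -> list[int]:
    """Sender side: append a parity bit to every 7-bit character before transmission."""
    return [((c & 0x7F) << 1) | parity_bit(c) for c in data]


def parity_errors(words: list[int]) -> list[int]:
    """Receiver side: positions of words whose 1-bit count is odd (a detected transmission error)."""
    return [i for i, w in enumerate(words) if bin(w).count("1") % 2 != 0]


def decode_frame(words: list[int]) -> bytes:
    """Strip the parity bits to recover the characters (after the parity check passed)."""
    return bytes(w >> 1 for w in words)


def echo_check(sent: list[int], echoed: list[int]) -> bool:
    """Message acknowledgement: the receiver echoes the words it got and the sender
    compares them with what it sent. This catches errors that parity cannot."""
    return sent == echoed


def line_noise(words: list[int], pos: int, bits: list[int]) -> list[int]:
    """Constructed fault: flip the given bit numbers (0 = parity bit) of one word in transit."""
    out = list(words)
    for b in bits:
        out[pos] ^= 1 << b
    return out


if __name__ == "__main__":
    frame = encode_frame(b"PAY 100")
    one_bit = line_noise(frame, 2, [3])       # one flipped bit in the 'Y'
    two_bits = line_noise(frame, 2, [3, 5])   # two flipped bits in the same character
    print("clean     :", parity_errors(frame))          # []
    print("one flip  :", parity_errors(one_bit))        # [2]   caught by parity
    print("two flips :", parity_errors(two_bits))       # []    parity is fooled ...
    print("echo check:", echo_check(frame, two_bits))   # False ... but the echo check is not
```

The two-flip case is the caveat a practitioner should remember: a single parity bit only detects an odd number of bit errors per character, which is why it is paired with an acknowledgement technique such as the echo check (or, in modern links, a CRC).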
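The grandfather-father-son retention described under back-up and recovery above, as an added example rather than code from the original notes. The master file (account number to balance), the transaction batches and the "destroyed son" scenario are constructed; the point shown is that a lost generation is rebuilt by re-running the retained transaction file against the previous generation.

```python
"""Grandfather-father-son (GFS) master-file retention for batch processing.

Added example, not part of the original notes. The master file, the
transaction batches and the lost-generation scenario are constructed here;
the rotation and recovery logic is the general principle.
"""
from __future__ import annotations

from collections import deque
from copy import deepcopy


def batch_update(master: dict, transactions: list[tuple[str, int]]) -> dict:
    """One batch run: old master + transaction file -> new master generation."""
    new_master = deepcopy(master)
    for account, amount in transactions:
        new_master[account] = new_master.get(account, 0) + amount
    return new_master


class GfsLibrary:
    """Retains the three most recent master generations (son, father, grandfather)
    together with the transaction file that produced each of them."""

    def __init__(self, initial_master: dict, generations: int = 3):
        self.masters = deque([deepcopy(initial_master)], maxlen=generations)
        self.transaction_files = deque([[]], maxlen=generations)

    def run_batch(self, transactions: list[tuple[str, int]]) -> dict:
        """Produce a new son; the oldest generation beyond the limit is released for reuse."""
        self.masters.append(batch_update(self.masters[-1], transactions))
        self.transaction_files.append(list(transactions))
        return self.masters[-1]

    @property
    def son(self) -> dict:
        return self.masters[-1]

    @property
    def father(self) -> dict:
        return self.masters[-2]

    @property
    def grandfather(self) -> dict:
        return self.masters[-3]

    def regenerate_son(self) -> dict:
        """Recovery: if the current master (son) is destroyed, re-run the last
        transaction file against the father to reproduce it."""
        return batch_update(self.father, self.transaction_files[-1])

    def regenerate_father(self) -> dict:
        """If the father is lost as well, rebuild it from the grandfather."""
        return batch_update(self.grandfather, self.transaction_files[-2])


if __name__ == "__main__":
    lib = GfsLibrary({"A-100": 1000, "B-200": 500})
    lib.run_batch([("A-100", 250), ("C-300", 75)])
    lib.run_batch([("B-200", -120)])
    lib.run_batch([("A-100", -50), ("C-300", 25)])
    print("son         :", lib.son)
    print("regenerated :", lib.regenerate_son())
    print("match       :", lib.regenerate_son() == lib.son)
```

Recovery depends on the transaction files being retained alongside the master generations; a library that keeps three masters but recycles the transaction tapes cannot reproduce anything.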
IT Application Controls
Control policies and procedures that relate to a specific use of a system, in order to provide reasonable assurance that all transactions are authorized, recorded, and processed completely, accurately and on a timely basis. In an IT environment, application controls are controls relating to the processing of information in IT applications that directly address risks to the integrity of information (i.e. the completeness, accuracy and validity of transactions and other information). They include:

Controls Over Input
Controls over input are designed to provide reasonable assurance that:
● Transactions are properly authorized before being processed by the computer.
● Transactions are accurately converted into machine-readable form and recorded in the computer data files.
● Transactions are not lost, added, duplicated or improperly changed.
● Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
Common examples of controls over input are key verification, field checks, validity checks, self-checking digits, limit checks and control totals (financial, hash and record count).
a) Limit test – a test of the reasonableness of a field of data against a predetermined upper and lower limit.
b) Validity test – a comparison of data against a master file or table to confirm that the value exists.
c) Self-checking digit – a redundant digit appended to an identification number (e.g. an account number) that allows the number to be checked for keying errors.
d) Completeness check – processing will not continue unless all required data are supplied (also called a missing-data check).
e) Control total – the total of one field of information for all items in a batch, compared before and after processing.
▪ Item (record) count – a count of the number of items or transactions input in a given batch.
▪ Financial total – the total of the amounts for all items in a batch.
▪ Hash total – the total of one field for all items in a batch where the sum has no intrinsic meaning (e.g. the sum of employee numbers), used only to detect lost, added or altered records.
f) Menu-driven input – a set of menus or questions that guides the user to complete all the required data.
g) Field check – ensures that the proper type of character is supplied in a given field (i.e. alphabetic only, numeric only or alphanumeric).
h) Field size check – ensures that the data supplied have the number of digits or characters required for the field.
i) Logic tests – reject encoded data that are illogical or inconsistent.

Controls Over Processing
Controls over processing are designed to provide reasonable assurance that:
● Transactions are processed accurately.
● Transactions are not lost, added, excluded, duplicated or improperly changed.
● Processing errors are identified and corrected on a timely basis.

Auditing in an IT Environment
The overall objective and scope of an audit, including the auditor's responsibilities, do not change in an IT environment. They do not differ whether the entity operates in a mainly manual environment, a completely automated environment, or an environment involving some combination of manual and automated elements (i.e. manual and automated controls and other resources used in the entity's system of internal control). An IT environment may, however, affect:
1. The auditor's consideration of internal control, which will include an assessment of computerized as well as manual controls.
2. The auditor's assessment of control risk.
3. The procedures to be performed in considering internal control and in performing substantive tests.

Risk Assessment Procedures
1. The auditor should obtain an understanding of the significance and complexity of the IT environment in order to design further audit procedures.
The auditor needs to understand the IT environment relevant to the information system for the following reasons:
◦ The auditor's understanding of the information system includes the IT environment relevant to the flows of transactions and processing of information, because the entity's use of IT applications or other aspects of the IT environment may give rise to risks arising from the use of IT.
◦ Understanding the entity's business model and how it integrates the use of IT also provides useful context about the nature and extent of IT expected in the information system.
◦ The auditor's understanding of the IT environment may focus on identifying, and understanding the nature and number of, the specific IT applications and other aspects of the IT environment that are relevant to the flows of transactions and processing of information in the information system. Changes in the flow of transactions or information within the information system may result from program changes to IT applications, or from direct changes to data in the databases involved in processing or storing those transactions or information.
◦ The auditor may identify the IT applications and supporting IT infrastructure concurrently with obtaining an understanding of how information relating to significant classes of transactions, account balances and disclosures flows into, through and out of the entity's information system.
2. When obtaining an understanding of the significance and complexity of the IT environment, the auditor may use automated tools and techniques. Examples of procedures that may be performed include:
◦ Performing risk assessment procedures on large volumes of data (from the general ledger, sub-ledgers or other operational data), including for analysis, recalculation, reperformance or reconciliation.
◦ Performing analytical procedures (commonly called data analytics).
◦ Observing or inspecting, in particular, assets, for example through the use of remote observation tools (e.g. a drone).
◦ Understanding flows of transactions and processing as part of the auditor's procedures to understand the information system. An outcome of these procedures may be that the auditor obtains information about the entity's organizational structure or those with whom the entity conducts business (e.g. vendors, customers, related parties).
◦ Obtaining direct access to, or a digital download from, the databases in the entity's information system that store the accounting records of transactions. The auditor may then confirm the understanding obtained about how transactions flow through the information system by tracing journal entries, or other digital records related to a particular transaction or to an entire population of transactions, from initiation in the accounting records through to recording in the general ledger.
◦ When automated procedures are used to maintain the general ledger and prepare the financial statements, such entries may exist only in electronic form and may therefore be more easily identified through the use of automated techniques.
3. Understanding the risks arising from the use of IT and the general IT controls implemented by the entity to address those risks may affect:
◦ The auditor's decision about whether to test the operating effectiveness of controls to address risks of material misstatement at the assertion level.
◦ The auditor's assessment of control risk at the assertion level.
◦ The auditor's strategy for testing information produced by the entity that is produced by, or involves information from, the entity's IT applications.
◦ The auditor's assessment of inherent risk at the assertion level.
◦ The design of further audit procedures.
For the IT applications relevant to the information system, understanding the nature and complexity of the specific IT processes and general IT controls that the entity has in place may assist the auditor in determining which IT applications the entity relies upon to accurately process and maintain the integrity of information in its information system. Such IT applications may be subject to risks arising from the use of IT.
4. The auditor shall also consider risks arising from the use of IT. Such risks may arise from:
◦ The susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information (i.e. the completeness, accuracy and validity of transactions and other information) in the entity's information system, due to ineffective design or operation of controls in the entity's IT processes.
◦ The susceptibility of the entity's information policies to ineffective implementation. Information policies are the policies that define the information flows, records and reporting processes in the entity's information system.
Information processing controls may be automated (i.e. embedded in IT applications) or manual (e.g. input or output controls) and may rely on other controls, including other information processing controls or general IT controls.

Identifying risks arising from the use of IT and general IT controls
In identifying the risks arising from the use of IT, the auditor may consider the nature of the identified IT application or other aspect of the IT environment and the reasons for its being subject to risks arising from the use of IT. Major considerations include:
◦ The applicable risks arising from the use of IT relate primarily to unauthorized access and unauthorized program changes, and also to inappropriate data changes (e.g. the risk of inappropriate changes to data through direct database access or the ability to directly manipulate information).
◦ The extent and nature of the applicable risks arising from the use of IT. These vary depending on the nature and characteristics of the identified IT applications and other aspects of the IT environment. Applicable IT risks may also result when the entity uses external or internal service providers for identified aspects of the IT environment (e.g. outsourcing the hosting of its IT environment to a third party, or using a shared service center for central management of IT processes in a group). Applicable risks arising from the use of IT may also be identified in relation to cyber security. Also, more risks arising from the use of IT are likely when the volume or complexity of automated application controls is higher and management places greater reliance on those controls for effective processing of transactions or effective maintenance of the integrity of underlying information.

Specific examples of risks arising from the use of IT
Examples of risks arising from the use of IT include risks related to inappropriate reliance on IT applications that are inaccurately processing data, processing inaccurate data, or both, such as:
◦ Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
◦ The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
◦ Unauthorized changes to data in master files.
◦ Unauthorized changes to IT applications or other aspects of the IT environment.
◦ Failure to make necessary changes to IT applications or other aspects of the IT environment.
◦ Inappropriate manual intervention.
◦ Potential loss of data or inability to access data as required.
5. The auditor should have sufficient knowledge of IT to plan, direct, supervise and review the work performed, and should determine whether assistance from an expert is needed. When an entity's IT environment is more complex, identifying the IT applications and other aspects of the IT environment, determining the related risks arising from the use of IT, and identifying general IT controls is likely to require the involvement of team members with specialized IT skills. Such involvement is likely to be essential, and may need to be extensive, for complex IT environments.

IT Characteristics and Considerations

Organizational Structure
1. Concentration of functions and knowledge. Because of the computer's ability to process data, several functions are combined and the number of persons involved in the processing of financial information is significantly reduced.
2. Concentration of programs and data. Transaction and master file data are often concentrated, usually in machine-readable form, making them more vulnerable to unauthorized alteration.

Nature of Processing
1. Lack of visible transaction trails (input, output and audit trail). In an IT environment, data may be entered directly into the computer system without supporting documents. Records and files may not be printed and cannot be read without using the computer.
2. Ease of access to data and computer programs. Data and computer programs may be accessed by unauthorized persons, either at the computer or through the use of computer equipment at remote locations, leaving no visible evidence.

Design and Procedural Aspects
1. Consistency of performance. IT performs functions exactly as programmed.
An incorrect program may therefore result in consistently erroneous processing that could have an adverse effect on the entity.
2. System-generated transactions. Some transactions may be initiated by the IT system itself without the need for an input document.
3. Programmed control procedures. The nature of computer processing allows internal control procedures to be designed into computer programs.
4. Single-transaction update of multiple files or database files.

Tests of Controls
The effectiveness of application controls is greatly affected by the effectiveness of general controls. Accordingly, it may be more efficient to review the design of the general controls before reviewing the application controls. Application controls the auditor may wish to test include manual controls exercised by the user, controls over system output, and programmed control procedures.

Audit Approaches – Tests of Controls
The auditor's tests of controls vary depending on whether the audit evidence generated by the computer is:
1. External to the computer, and therefore directly observable.
◦ The procedures involved are usually inquiry, observation and inspection of documents.
◦ The auditing around the computer technique is applied.
2. Internal to the computer, and therefore not directly observable.
◦ Requires the auditor to use the computer to obtain a reasonable degree of assurance that controls are operating as planned.
To test these controls, the auditor may take one of the following approaches:
1. Black box approach (auditing around the computer)
◦ Involves the procedures generally performed in testing a manual control structure.
◦ Focuses solely on the input documents and the IT output.
◦ The auditor ignores the client's data processing procedures.
2. White box approach
a) Auditing with the computer
▪ The auditor uses the computer as an audit tool.
b) Auditing through the computer
▪ The auditor enters the client's system and examines directly the computer and its system and application software, using CAATs.
Computer-Assisted Auditing Techniques (CAATs) for Test of Controls
1. The following are the factors to consider in using CAATs:
   a) Degree of technical competence in IT.
   b) Availability of CAATs and appropriate computer facilities.
   c) Impracticability of manual tests.
   d) Effectiveness and efficiency.
   e) Timing of tests.
2. Tests of controls using CAATs may be divided into the following categories of techniques:
   a) Program analysis
   b) Program testing
   c) Continuous testing
   d) Review of operating systems

Program Analysis
These techniques allow the auditor to gain an understanding of the client’s program.
a) Code review – this technique involves actual analysis of the logic of the program’s processing routines.
b) Comparison programs – these programs allow the auditor to compare computerized files.
c) Flowcharting software – this is used to produce a flowchart of a program’s logic and may be used in both mainframe and microcomputer environments.
d) Program tracing and mapping – program tracing is a technique in which each instruction executed is listed along with control information affecting that instruction. Program mapping, on the other hand, identifies sections of code that can be “entered” and thus are executable. These techniques allow the auditor to recognize logic sequences or dormant sections of code that may be a potential source of abuse.
e) Snapshot – this technique in essence “takes a picture” of the status of program execution, intermediate results, or transaction data at specified processing points in the program. This technique helps the auditor to analyze the processing logic of specific programs.

Program Testing
Program testing involves the use of auditor-controlled actual or simulated data. The approach provides direct evidence about the operation of programs and programmed controls.
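The following is an added worked example of program testing with auditor-controlled simulated data (the test data technique); it is not part of the original notes. The client program is a constructed stand-in with three programmed input controls (a check digit on the employee number, a validity check on the department code and a limit check on hours); its field names, limits and the sample records are assumptions.

```python
# Added illustration of the test data technique (constructed stand-in, not a real client program).
VALID_DEPTS = {"10", "20", "30"}   # validity check: departments the client recognises
MAX_HOURS = 60                     # limit check: weekly hours above this are rejected

def mod10_check_digit_ok(emp_id: str) -> bool:
    """Mod-10 (Luhn) self-checking employee number: the last digit is a check digit."""
    if not emp_id.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(emp_id)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def client_edit_checks(txn: dict) -> list:
    """Stand-in for the client's programmed input controls: returns the exceptions raised."""
    exceptions = []
    if not mod10_check_digit_ok(txn["emp_id"]):
        exceptions.append("CHECK_DIGIT")
    if txn["dept"] not in VALID_DEPTS:
        exceptions.append("INVALID_DEPT")
    if txn["hours"] > MAX_HOURS:
        exceptions.append("LIMIT_HOURS")
    return exceptions

# Auditor-controlled test data: each record is paired with the exceptions the auditor planted
# in it (an empty set marks a valid record that the program must accept).
AUDITOR_TEST_DATA = [
    ({"emp_id": "79927398713", "dept": "10", "hours": 40}, set()),
    ({"emp_id": "79927398714", "dept": "10", "hours": 40}, {"CHECK_DIGIT"}),
    ({"emp_id": "79927398713", "dept": "99", "hours": 40}, {"INVALID_DEPT"}),
    ({"emp_id": "79927398713", "dept": "20", "hours": 80}, {"LIMIT_HOURS"}),
    ({"emp_id": "79927398714", "dept": "99", "hours": 80},
     {"CHECK_DIGIT", "INVALID_DEPT", "LIMIT_HOURS"}),
]

def run_test_data(program, test_data) -> dict:
    """Process the auditor's batch through the program under test and report planted
    exceptions the controls failed to raise, plus valid records wrongly rejected."""
    missed, false_rejects = [], []
    for i, (txn, planted) in enumerate(test_data):
        raised = set(program(txn))
        if planted - raised:
            missed.append((i, sorted(planted - raised)))
        if not planted and raised:
            false_rejects.append((i, sorted(raised)))
    return {"missed": missed, "false_rejects": false_rejects, "controls_effective": not missed and not false_rejects}
```

A control that has been removed or bypassed shows up as a planted exception in the "missed" list, which is the evidence the auditor is after.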
Test Data
● A set of dummy transactions is developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test are operating effectively.
● Test data shifts control over the processing to the auditor by utilizing the client’s software to process both valid and invalid transactions.
● If embedded controls are functioning effectively, the client’s software should detect all the exceptions planted in the auditor’s test data.

Integrated Test Facility (ITF) or Integrated Test Data or Mini Company Approach
● This method introduces dummy transactions into a system in the midst of live transactions and is usually built into the system during the original design.
● Integrates fictitious and actual data without management’s knowledge, allowing the auditor to compare the client’s output with the results expected by the auditor.
● One way to accomplish this is to incorporate a simulated division or subsidiary into the accounting system with the sole purpose of running test data through it.

Base Case System Evaluation (BCSE)
● A special type of test data.
● Can provide an auditor with more assurance than test data alone.
● Develops test data that purports to test every possible condition that an auditor expects a client’s software will confront.
● Time-consuming and expensive to develop and therefore cost-effective only in large computer systems for which the auditor can rely on internal auditors to develop the base case.

NOTE: When using these techniques, each control need only be tested once. However, several problems may be encountered during testing, including, but not limited to, the following:
1. Making certain the test data is not included in the client’s accounting records.
2. Determining that the program tested is actually the one used by the client to process data.
3. Adequately developing test data for every possible control.
4. Developing adequate data to test key controls may be extremely time-consuming.

Parallel Simulation
● Shifts control over the computer software.
● This technique processes actual client data through an auditor’s generalized audit software program and frequently, although not necessarily, on the auditor’s computer.
● After processing the data, the auditor compares the output obtained with the output obtained from the client.
● If the client’s software is operating effectively, it should generate the same exceptions as the auditor’s software.

The limitations of this method are:
1. The time it takes to build an exact duplicate of the client’s system.
2. Incompatibility between the auditor’s and the client’s software.
3. Tracing differences between two sets of outputs to differences in the programs may be difficult.
4. The time involved in processing large quantities of data.

Controlled Reprocessing
● This is only a variation of parallel simulation. Instead of using a generalized audit software program to process actual client data, the auditor uses a copy of the client’s application program.

The limitations of this method are:
1. Determining that the copy of the program is identical to the one currently being used by the client.
2. Keeping current with changes in the program.
3. The time involved in reprocessing large quantities of data.

Continuous/Concurrent Testing
Advanced computer systems, particularly those utilizing EDI (electronic data interchange), sometimes do not retain permanent audit trails, thus requiring capture of audit data as transactions are processed. Such systems may require audit procedures that are able to identify and capture data as a transaction occurs.

Embedded Audit Modules
● Embedded audit modules are programmed routines incorporated into an application program that are designed to perform an audit function such as calculations or logging activity.
● They are used to select client data for subsequent testing and analysis.
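The following is an added worked example of parallel simulation, not part of the original notes: the auditor’s own version of a client invoice routine is run over the client’s input file and its results compared, record by record, with the output the client produced. The discount table, credit limit, invoice figures and the deliberately mismatched record are all constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Added illustration of parallel simulation (constructed data; the discount table, credit
# limit and invoice figures are assumptions, not any real client's).
DISCOUNT = {"A": Decimal("0.10"), "B": Decimal("0.05"), "N": Decimal("0")}
CREDIT_LIMIT = Decimal("5000.00")

# The client's input file, as the auditor would obtain it from the client.
CLIENT_INPUT = [
    {"inv": "1001", "qty": 10, "price": Decimal("99.99"), "disc": "A", "balance": Decimal("3000.00")},
    {"inv": "1002", "qty": 3, "price": Decimal("1500.00"), "disc": "N", "balance": Decimal("1000.00")},
    {"inv": "1003", "qty": 7, "price": Decimal("12.35"), "disc": "B", "balance": Decimal("4900.00")},
]
# The client's own output for those records. Invoice 1003 is constructed so that the
# client's total does not reflect its discount code, which the simulation should surface.
CLIENT_OUTPUT = {
    "1001": {"total": Decimal("899.91"), "exception": ""},
    "1002": {"total": Decimal("4500.00"), "exception": "CREDIT_LIMIT"},
    "1003": {"total": Decimal("86.45"), "exception": ""},
}

def auditor_simulate(rec: dict) -> dict:
    """Auditor's independently written version of the client's invoice routine."""
    gross = rec["price"] * rec["qty"]
    total = (gross * (1 - DISCOUNT[rec["disc"]])).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    exception = "CREDIT_LIMIT" if rec["balance"] + total > CREDIT_LIMIT else ""
    return {"total": total, "exception": exception}

def parallel_simulation(client_input: list, client_output: dict) -> list:
    """Run the auditor's routine over the client's data and compare with the client's
    output record by record. Each difference is (invoice, field, client value, auditor value),
    which the auditor then traces to a difference in program logic."""
    differences = []
    for rec in client_input:
        mine = auditor_simulate(rec)
        theirs = client_output.get(rec["inv"])
        if theirs is None:
            differences.append((rec["inv"], "record", None, mine))
            continue
        for field in ("total", "exception"):
            if mine[field] != theirs[field]:
                differences.append((rec["inv"], field, theirs[field], mine[field]))
    return differences
```

Matching totals and matching exception flags on every record are the result the auditor expects from effective client software; each difference is a lead to follow up, not yet a finding.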
System Control Audit Review Files (SCARF)
● A log, usually created by an embedded audit module, used to collect information for subsequent review and analysis.
● The auditor determines the appropriate criteria and the SCARF selects the type of transactions.

Audit Hooks
● An audit hook is an exit point in an application program that allows an auditor to subsequently add an audit module (or particular instructions) by activating the hook to transfer control to an audit module.
● Auditors sometimes use audit hooks to accomplish transaction tagging.

Transaction Tagging
● Tagging is a technique in which an identifier providing a transaction with a special designation is added to the transaction record.
● A transaction is “tagged” and then traced through critical control points in the information system.
● The tag is often used to allow logging of transactions or snapshots of activities.

Extended Records
● This technique attaches additional data that would not otherwise be saved to regular historic records and thereby helps to provide a more complete audit trail.

Review of Operating Systems and Other System Software
System software may perform controls for computer systems. Related audit techniques range from user-written programs to the use of purchased operating system monitoring software.

Job Accounting Data/Operating System Logs
● These logs, created by either the operating system itself or additional software packages that track particular functions, include reports of the resources used by the computer system.
● The auditor may be able to use them to review the work processed, to determine whether unauthorized applications were processed and to determine that authorized applications were processed properly.

Library Management Software
● This software logs changes in programs, program modules, job control language, and other processing activities.
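The following is an added worked example, not part of the original notes, of the continuous testing techniques above working together: a constructed stand-in for a client posting program exposes an audit hook at each of two control points, an embedded audit module behind the hooks writes transactions meeting auditor-set criteria to a SCARF, and tagged transactions are traced with a snapshot of program state at every control point they pass. The posting routine, the selection criteria and the sample batch are assumptions.

```python
from datetime import datetime
# Added illustration (constructed stand-in, assumptions throughout): embedded audit module, audit hooks, SCARF, tagging.
SCARF_AMOUNT, BUSINESS_HOURS = 10000.00, range(8, 18)   # auditor criteria: large or off-hours postings

def scarf_reason(txn: dict) -> str:
    """Auditor-set SCARF selection criteria; an empty string means not selected."""
    reasons = []
    if txn["amount"] >= SCARF_AMOUNT:
        reasons.append("LARGE")
    if txn["time"].hour not in BUSINESS_HOURS:
        reasons.append("OFF_HOURS")
    return "+".join(reasons)

class EmbeddedAuditModule:
    def __init__(self):
        self.scarf = []    # System Control Audit Review File: transactions meeting the criteria
        self.trace = []    # snapshots of tagged transactions at each control point

    def hook(self, control_point: str, txn: dict, state: dict) -> None:
        """Called by the application at each audit hook; records, never alters, the transaction."""
        if txn.get("tag"):
            self.trace.append((txn["id"], control_point, dict(state)))
        reason = scarf_reason(txn)
        if control_point == "posted" and reason:
            self.scarf.append({"id": txn["id"], "amount": txn["amount"], "reason": reason})

def post_batch(txns: list, audit: EmbeddedAuditModule, opening_balance: float) -> float:
    """Client-style posting routine with two control points, each exposing an audit hook."""
    balance = opening_balance
    for txn in txns:
        state = {"balance": balance, "valid": txn["amount"] > 0}
        audit.hook("validated", txn, state)
        if not state["valid"]:
            continue                     # rejected records never reach the posting point
        balance += txn["amount"]
        state["balance"] = balance
        audit.hook("posted", txn, state)
    return balance

def demo():
    # Constructed batch: T1 tagged, T2 large, T3 off-hours, T4 tagged but invalid
    batch = [
        {"id": "T1", "amount": 250.00, "time": datetime(2024, 3, 4, 9, 15), "tag": True},
        {"id": "T2", "amount": 12500.00, "time": datetime(2024, 3, 4, 10, 0)},
        {"id": "T3", "amount": 400.00, "time": datetime(2024, 3, 4, 23, 30)},
        {"id": "T4", "amount": -50.00, "time": datetime(2024, 3, 4, 11, 0), "tag": True},
    ]
    audit = EmbeddedAuditModule()
    return post_batch(batch, audit, 1000.00), audit
```

The trace shows where a tagged record stopped (T4 never reaches the posting point), and the SCARF holds only what the auditor’s criteria selected, ready for subsequent review.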
Access Control and Security Software
● This software supplements the physical and control measures relating to the computer and is particularly helpful in online environments or in systems with data communications because of the difficulties of physically securing computers.

Computerized Audit Tools
The following computer-assisted audit tools are available for administering, planning, performing, and reporting on an audit:

Generalized Audit Software (GAS)/Package Programs
The auditor may use various types of software on PCs, which may include customized programs, utility software, and generalized audit software for performing tests of controls and substantive tests. They can be designed to perform audit tasks such as:
1. Reading computer files.
2. Selecting samples.
3. Performing calculations.
4. Creating data files.
5. Printing reports in an auditor-specified format.

Electronic Spreadsheet
● Often included in GAS; may be used for applications such as analytical procedures and performing mathematical procedures.
● Contains a variety of predefined mathematical operations and functions that can be applied to data entered into the cells of a spreadsheet.

Automated Workpaper Software
● Microcomputer-based and used to generate trial balances, lead schedules and other workpapers useful for the audit.
● The schedules and reports can be created once the auditor has manually entered or electronically imported the client’s account balance information into the system.

Database Management System
● May be used to perform analytical procedures, mathematical calculations, generation of confirmation requests, and to prepare customized automated workpapers.
● Manages the creation, maintenance, and processing of information.
● The data are organized in the form of predefined records, and the database software is used to select, update, sort, display, or print the records.

Text Retrieval Software/Text Database Software
● Enables access to various databases, including databases of standard-setting bodies.
● The software allows the user to browse through text files much as a user would browse through books.

Public Databases
● May be used to obtain accounting information related to particular companies and industries as well as other publicly available information.

Word Processing Software
● Used in a variety of communications-related matters, including the consideration of internal control, developing audit programs, and reporting.