McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

Auditing in a Computerized
Environment
"To err is human, but to really foul things up you need a computer.“
Paul Ehrlich, Technology commentator
Mod H-2

• Issues introduced in a computerized environment
1. Input errors
2. Systematic vs. random processing errors
3. Lack of an audit trail
4. Inappropriate access to computer files and programs
5. Reduced human involvement in processing transactions
• Consider controls over computerized processing in understanding, assessment, and testing phases of evaluation of internal control
Mod H-3

General Controls
– Relate to all applications of a computerized processing system ( pervasive )
– Deficiencies will affect processing of various types of transactions
Automated Application Controls
– Relate to specific business activities
– Directly address management assertions
Mod H-4

1. Hardware controls
– Data not altered or modified as transmitted through system
2. Program development controls
– Program acquisition and development properly authorized
– Programs tested and validated before being placed in use
Mod H-5

3. Program change controls
– Program changes are properly authorized and conducted consistent with entity policies
– Programs have appropriate documentation
4. Computer operations controls
– Relate to processing of transactions and backup and recovery of data
– Includes separation of duties of analysts, programmers, and operators
Mod H-6

5. Access to programs and data controls
– Relate to restricting use of programs and data to authorized users
– Examples include passwords, automatic terminal logoff, and reviewing access rights and comparing to usage
Mod H-7

1. Input controls
2. Processing controls
3. Output controls
Mod H-8

– All transactions input
– Transactions input once and only once
– Transactions input accurately
– Data entry and formatting
– Check digits
– Record counts
– Batch totals
– Hash totals
Mod H-9

• Provide reasonable assurance that
– Transactions are processed accurately
– All transactions are processed
– Transactions are processed once and only once
• Examples
– Test processing accuracy of programs
– File and operator controls
– Run-to-run totals
– Control total reports
– Limit and reasonableness tests
– Error correction and resubmission
Mod H-10

• Provide reasonable assurance that
– Output reflects accurate processing
– Only authorized persons receive output or have access to files generated from processing
• Examples
– Review of output for reasonableness
– Control total reports
– Master file changes
– Output distribution limited to appropriate person(s)
Mod H-11

• Auditing “around” the computer
– Reconcile input with output produced by computer processing
– Do not evaluate directly evaluate operating effectiveness of computer controls
– Appropriate when computer is not used extensively and computer controls are limited
• Auditing “through” the computer
– Evaluate operating effectiveness of computer controls and logic of computer processing
– Appropriate when computer is used extensively and client has implemented significant computer controls
Mod H-12

• Testing controls
– Inquiry
– Observation
– Inspect documentary evidence
– Reperformance
• Evaluating computer processing and programs
– Test processing of actual transactions
– Test processing of simulated transactions
Mod H-13

• Audit teams evaluate controls by “observing” processing of actual transactions through computerized system in a typical processing run
• Program-embedded techniques
– Special modules coded into computer programs
– Examples include tagging, embedded audit modules, snapshot, monitoring systems activity, extended records, and program analysis techniques
• Parallel simulation
Mod H-14

Auditors’
Manual
Processing
Compare
Client
System
Processing
• Test data : Tested in a separate processing run by client
• Integrated test facility : Simulated data processed along with actual data
Mod H-15

• Audit team tests operating effectiveness of automated application controls to establish baseline
• Can continue to rely on automated application controls if:
– Test general controls related to program changes, access to programs and data, and computer operations
– General controls continue to operate effectively
– Automated application controls have not changed since the baseline
Mod H-16