Planning & Controlling the Data Processing Function (continued)

Rittenberg/Schwieger/Johnstone
Auditing: A Business Risk Approach
Sixth Edition
Chapter 8
Computerized Systems: Risks, Controls, and Opportunities
Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.
Overview of Computerized Accounting Systems
Most computer systems are highly integrated and networked
The computing environment includes hardware, software, telecommunications, data, and people
The auditor needs to understand this environment, including the risks involved (see chart on next slide)
Overview of Computerized Accounting Systems
Computer Processing Area / Risks
Computer Operations: Sabotage, natural disaster, viruses, anything that impairs operations
Computer Programs: Fraudulent programming, incorrect data processing, processing fraudulent data
Data Files: Unauthorized access, manipulation of data, addition of unauthorized data
Data Communications: Data is intercepted, modified, deleted or replaced with fraudulent data; data ports provide access to hackers, denial of service attacks or unauthorized access
Key Computer Software
- Operating systems
- Communications
- Application programs
- Access control
Interconnected Systems: Virtual Private Networks (VPNs)
Embraces all communications:
- Fiber-optic to wireless
- e-business (business to business)
- E-Commerce (business to consumer)
- Auctions (consumer to consumer)
- Intranets (within business)
- Personal digital assistant
- Application and database processing
This type of computerized environment is evolving as the "new economy" demands anytime, anywhere service
Risks with VPNs
The open nature of a VPN creates risks that both internal and external auditors need to assess:
- Unauthorized penetration into the organization's system
- Loss of messages in transmission
- Interception and either destruction, modification, or copying of information transmitted over the network
- Denial of service attacks designed to overload and shut the company's system down
- Loss of processing
General & Application Controls
On larger, more complex audits, the client's computing systems may present major business risks that need to be evaluated
Dividing controls as either general or application controls helps the auditor organize his/her evaluation of the client's computing systems
General Controls - pervasive data processing control procedures that affect all computerized applications
- Planning and controlling data processing
- Controlling applications development
- Controlling access
- Maintaining hardware
- Controlling electronic communications
Application Controls - controls related to a particular program
Risk Analysis at the General Control Level
The auditor usually starts with general controls in evaluating control weaknesses
- Good controls built into a particular application are unlikely to offset weaknesses that affect all aspects of processing
- Risks at the general level include:
  - Unauthorized use of applications or access of data
  - Company may develop the wrong programs, negatively impacting operations
  - Telecommunications systems may not safeguard the system from intruders
  - The wrong data may be processed or wrong files updated
  - Unauthorized personnel may steal or modify company programs or data
  - Hardware may not be secured against attacks or natural disaster
  - Users may inadvertently cause errors in programs or data
Planning & Controlling the Data Processing Function
Fundamental concepts an auditor should consider when evaluating the organization and control of the data processing:
- Authorization for all transactions should originate outside the data processing department
- Users are responsible for authorization, review, and testing of all application developments and changes in computer programs
- Access to data is provided only to authorized users
- Data processing department is responsible for all custodial functions associated with data, data files, software, and related documentation
- Users, along with data processing, are responsible for the adequacy of application controls built into the system
- Management should periodically evaluate the information systems function for efficiency, integrity, security, and consistency with organizational objectives
- Internal audit staff should periodically audit applications and operations
Planning & Controlling the Data Processing Function
Segregation of Duties Within Data Processing
- Data processing personnel should not have access to programs or data except when authorized to make changes, and those changes follow authorized procedures
- Users should review and test all significant computer program changes
Program Development
- Every organization should have a process to determine that the right applications are acquired, installed and accomplish their objectives
Planning & Controlling the Data Processing Function (continued)
Program Changes
- Only authorized changes are made to computer applications
- All authorized changes are made to computer applications
- All changes are tested, reviewed, and documented before implementation
- Only the authorized version of the computer program is run
Controlling Access to Equipment, Data, and Programs
- Access to data is limited to those with a need to know
- Ability to change, modify, delete data is restricted to authorized persons
- Control system has ability to identify potential users as authorized or unauthorized
- Security department actively monitors attempts to compromise the system
Planning & Controlling the Data Processing Function (continued)
Authentication
- System to verify that users are authorized to access data
- Three primary methods used to authenticate users:
  - Something they know, such as a password
  - Something they possess, such as a card with a magnetic strip
  - Something about themselves, such as a fingerprint or other type of physical identification
Business Continuity
- Security and backup plans for both physical assets and media
- Minimum elements in a backup and recovery plan:
  - Standardized procedures for backup and disaster recovery
  - Plans for reconstruction
  - Periodic review and testing of plans and procedures
Planning & Controlling the Data Processing Function (continued)
Data Transmission Controls
- To ensure the completeness and correctness of data transmitted
- Controls that should minimize loss or alteration of data:
  - Encryption
  - Callback
  - Echo check
  - Bit reconciliation
  - Feedback
  - Private lines
Application Controls
- Designed into and around the computer program to ensure processing objectives are attained
- Often referred to as input, processing, and output control procedures
Planning & Controlling the Data Processing Function (continued)
Batch Controls
- Input control; used to ensure all items submitted are actually processed
- Types of batch controls typically calculated:
  - Record count
  - Financial total
  - Hash totals
- Reconciles batch totals for items entered with the same batch totals calculated by the system
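The three batch totals and the reconciliation step, worked through as an added Python example (this is not code from the textbook; the sample batch, account numbers and amounts are constructed for illustration, and the two "processing error" functions are stand-ins for what a faulty processing run might do):

```python
from decimal import Decimal

# Constructed sample batch of cash receipts (illustrative data, not from the text):
# each record is (document number, customer account number, amount).
SUBMITTED_BATCH = [
    ("D1001", 40123, Decimal("150.00")),
    ("D1002", 40987, Decimal("75.50")),
    ("D1003", 41055, Decimal("1200.00")),
    ("D1004", 40222, Decimal("19.99")),
]


def batch_totals(records):
    """Compute the three batch totals the chapter lists.

    record count    - number of items in the batch
    financial total - sum of the amount field
    hash total      - sum of a non-financial field (here the account numbers);
                      the sum has no business meaning, but a dropped, added or
                      mis-keyed record changes it
    """
    return {
        "record_count": len(records),
        "financial_total": sum((r[2] for r in records), Decimal("0")),
        "hash_total": sum(r[1] for r in records),
    }


def reconcile(control_totals, system_totals):
    """Compare the totals prepared when the batch was submitted with the totals
    recomputed by the system after processing. Returns the names of the totals
    that disagree; an empty list means the batch reconciles."""
    return [name for name, value in control_totals.items()
            if value != system_totals.get(name)]


# Two constructed processing errors, to show which total catches which.
def dropped_last_record(records):
    """Simulates the system silently losing the final item of the batch."""
    return records[:-1]


def transposed_account(records):
    """Simulates account 40123 being keyed as 40132. Record count and financial
    total still agree, so only the hash total reveals the error."""
    doc, _, amount = records[0]
    return [(doc, 40132, amount)] + records[1:]


if __name__ == "__main__":
    control = batch_totals(SUBMITTED_BATCH)
    print("control totals:", control)
    print("clean run     :", reconcile(control, batch_totals(SUBMITTED_BATCH)))
    print("dropped record:", reconcile(control, batch_totals(dropped_last_record(SUBMITTED_BATCH))))
    print("transposition :", reconcile(control, batch_totals(transposed_account(SUBMITTED_BATCH))))
```

The point the two error cases make is why all three totals are kept: a lost record disturbs every total, but a digit transposition in a non-financial field leaves the record count and financial total intact and is caught by the hash total alone.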
Planning & Controlling the Data Processing Function (continued)
Input Controls
- To ensure transactions are fully and accurately captured, and properly recorded
- Includes use of:
  - Prenumbered documents
  - Unique transaction identifier established by the computer
  - Batch control and batch control totals
  - Procedures to limit access to transactions
  - Formation of an audit trail
  - Computerized input validation procedures
  - Self-checking digits
  - Use of stored data to minimize data input
  - On-screen input verification techniques (edit tests)
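Self-checking digits, edit tests and the use of stored data, combined in one added Python example (not code from the textbook). The chapter does not name a check-digit algorithm; the mod-10 Luhn scheme used here is this example's assumption, as are the customer master file, the approval limit and the sample transactions:

```python
import datetime
from decimal import Decimal, InvalidOperation

# Constructed customer master file (the "stored data"): account number -> name.
# The last digit of each account number is its check digit.
CUSTOMER_MASTER = {
    "79927398713": "Acme Ltd",
    "40123456788": "Bolt Supplies",
}


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits. Assumed scheme, not
    one the chapter specifies. It detects any single mis-keyed digit and almost
    all transpositions of adjacent digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def has_valid_check_digit(number: str) -> bool:
    """True if the last digit of `number` is the correct check digit for the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def edit_tests(tx, customer_master, approval_limit=Decimal("5000.00")):
    """On-screen edit tests for one keyed transaction. Returns a list of error
    messages; an empty list means the transaction passes input validation."""
    errors = []

    # Self-checking digit first: a keying error is reported as such, rather than
    # as an unknown account, so the operator re-keys instead of escalating.
    account = str(tx.get("account", ""))
    if not has_valid_check_digit(account):
        errors.append("account: check digit failure, re-key the account number")
    elif account not in customer_master:
        errors.append("account: not on customer master file")

    # Numeric, positive, and within the limit the application may accept unaided.
    try:
        amount = Decimal(str(tx.get("amount", "")))
        if not amount.is_finite():
            raise InvalidOperation
        if amount <= 0:
            errors.append("amount: must be greater than zero")
        elif amount > approval_limit:
            errors.append("amount: exceeds approval limit, authorization required")
    except InvalidOperation:
        errors.append("amount: not a valid number")

    # Date must be a real calendar date in the expected layout.
    try:
        datetime.date.fromisoformat(str(tx.get("date", "")))
    except ValueError:
        errors.append("date: not a valid YYYY-MM-DD date")

    return errors
```

Each test returns a message rather than stopping at the first failure, which is what an on-screen edit needs: the operator sees every problem with the entry at once and corrects it before the transaction enters the batch.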
Planning & Controlling the Data Processing Function (continued)
On-Line Processing Controls
Onscreen validation techniques used to verify data input:
- Stored data used to minimize data input
- Screen layout logically follows order in which data is gathered
- Edit errors noted automatically so data can be immediately corrected
- Authorization for input noted and verified
- Unique identifiers automatically added to the transaction
Planning & Controlling the Data Processing Function (continued)
Processing Controls
Designed to ensure:
- The correct program is used for processing
- All transactions are processed
- The correct transactions update files
Output Controls
Designed to ensure:
- All data is completely processed
- Output is distributed only to authorized recipients
Overview of Computer Controls
- Risk Assessment
- Understanding the control structure
- Testing the effectiveness of controls
- Documentary evidence of controls
- Monitoring controls
Discuss Gaining an Understanding of the Control Structure
The process of assessing control risk in a computerized environment:
- Identify important accounting applications and extent of computerization within those applications
- Develop understanding of general controls to determine how those controls may affect integrity of important applications
- Develop understanding of the flow of transactions in important accounting applications; identify and document control procedures
- Develop preliminary assessment of control risk for the application
- If preliminary control risk is assessed below high, develop approach to determine effectiveness of controls in operation
- Update assessment of control risk based on understanding of application design and testing of controls in operation
Testing the Effectiveness of Controls
The auditor must decide on the most efficient way to test controls
- Some test general controls as a whole, because these affect all accounting applications
- Others test general controls only as they affect important applications
Documentary Evidence of Controls
Some controls provide documentary evidence of their operation
That evidence serves as a basis for developing audit procedures to test the controls
Examples:
- Batch control totals
- Exception reports
- Computer logs of transactions
Monitoring Controls
Examples of monitoring controls found in most computerized systems:
- Computer logs or reports of attempted illegal access
- Reports of approved program changes
- Internal audit reports of program changes
- Reports of unusual activities
- Internal audit reports on the effectiveness of access controls
- Reports on production discrepancies
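How a report of attempted illegal access is produced from a computer log, as an added Python example (not code from the textbook). The log line layout, the user and terminal names, the failure threshold and the business-hours window are all constructed assumptions; a real system's log format will differ and the regular expression would be adjusted to it:

```python
import re
from collections import defaultdict

# Constructed access-log lines (illustrative; not output from any real system).
SAMPLE_LOG = """\
2008-03-15 08:02:11 LOGIN OK   user=mlee   terminal=T04
2008-03-15 08:03:40 LOGIN FAIL user=jdoe   terminal=T12
2008-03-15 08:03:52 LOGIN FAIL user=jdoe   terminal=T12
2008-03-15 08:04:05 LOGIN FAIL user=jdoe   terminal=T12
2008-03-15 08:04:30 LOGIN OK   user=jdoe   terminal=T12
2008-03-15 23:41:17 LOGIN OK   user=payroll_admin terminal=T31
2008-03-15 23:55:02 ACCESS DENIED user=mlee resource=PAYROLL_MASTER
2008-03-16 02:10:44 LOGIN FAIL user=root terminal=T99
"""

# Layout assumed for this example: date, time, event keyword(s), then user=...
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN OK|LOGIN FAIL|ACCESS DENIED)\s+user=(?P<user>\S+)"
)


def parse_log(text):
    """Parse log lines into dicts. Lines that do not match the expected layout
    are returned separately so they can be reviewed rather than silently lost,
    since a monitoring control that drops what it cannot read is incomplete."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed.append(line)
    return events, unparsed


def attempted_access_report(events, fail_threshold=3, business_hours=(7, 19)):
    """Build the exception report: users with repeated failed logins, explicit
    access denials, and successful logins outside business hours."""
    fails = defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN FAIL":
            fails[e["user"]] += 1

    def after_hours(e):
        hour = int(e["time"][:2])
        return not (business_hours[0] <= hour < business_hours[1])

    return {
        "repeated_failures": sorted(u for u, n in fails.items() if n >= fail_threshold),
        "access_denied": [(e["date"], e["time"], e["user"])
                          for e in events if e["event"] == "ACCESS DENIED"],
        "after_hours_logins": [(e["date"], e["time"], e["user"])
                               for e in events if e["event"] == "LOGIN OK" and after_hours(e)],
    }


if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    for section, rows in attempted_access_report(events).items():
        print(section, rows)
    print("unparsed lines:", unparsed)
```

The report is the documentary evidence the earlier slide describes: the auditor can test the monitoring control by confirming that each listed item was followed up, and can test its completeness by checking that the unparsed-line count is zero for the period reviewed.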
Electronic Commerce
E-Commerce involves communication through the Internet; it can be used to link trading partners
Companies involved in E-Commerce need the following controls:
- Firewalls to intercept unwanted traffic and protect the website and server
- Encryption of transmissions
- Monitoring reports
- Electronic transmission protocols that identify lost or missing data
- Denial of service software to identify attacks
- Integrated systems
- Website security
- Systems security and backup
Electronic Data Interchange (EDI)
Exchange of business documents between economic trading partners, computer to computer, in standard format
The auditor should review components necessary to a successful EDI system:
- Formal trading partner agreement specifying each party's responsibilities
- Bar coding
- Formal contract with the Value-Added Network
- Formal communication system that specifies standard communication format
- Formal communication process
- Need for automated control structure
- Need to identify authorized electronic signatures
Electronic Data Interchange (continued)
EDI has the potential to create two new types of risks that ought to be evaluated as part of every audit:
- Economic interdependence
  - Objective of EDI is to enlist a large number of partners into a wide communications network to support business
  - With increased partners, there is an increase in the level of interdependence of suppliers and customers
  - The failure of one partner may adversely affect the other trading partners
- Total systems dependence
  - EDI increases reliance on computerized systems
  - Should these systems fail, substantial losses will likely be realized
The auditor should determine whether the client has controls in place to monitor these risks and take effective action when needed
Electronic Data Interchange: Application Controls
Application controls must be built into EDI to ensure accurate accounting
Key controls in an EDI system include:
- Control over authorized signatures
- Access controls
- Segregation of duties
- Syntactic edit checks
- Traditional edit checks
- Formal protocol for communication acknowledgement between partners
- Logging of transactions (audit trail)
What is computer auditing?
Many of the concepts applicable to manual systems hold for computerized systems
The auditor will want to:
- Gain assurance that the processes and computer programs are working correctly
- Trace transactions through the processing system to determine that transactions have been correctly processed
- Select transactions for more detailed testing and analysis
Computerized audit techniques commonly used include:
- Integrated test facility
- Tagging and tracing (tracing transactions through the system)
- Generalized audit software
An Integrated Test Facility: Testing Correctness of Processing
A test data approach that involves developing and submitting fictitious transactions to be processed by computer applications
Test data are developed to determine whether:
- Control procedures built into the applications are functioning effectively
- The computer application is processing transactions correctly
- All transaction and master files are fully and correctly updated
The test data approach only examines those controls built into the computer application
It does not test whether the company has adequate controls to prevent submission of unauthorized or incorrect data
Tagging and Testing: Tracing Transactions through the System
A transaction is selected at the input stage and is electronically "marked"
The transaction is then electronically tracked through processing
This allows the auditor to determine whether the transaction has been properly recorded and that the correct files have been updated
Advantages:
- Works concurrently with client's processing of regular transactions
- Flexible: auditor is able to select transactions to "mark"
- Can be used to track transactions through distributed processing networks
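The marking and tracking mechanism in miniature, as an added Python example (not code from the textbook). The three processing stages, the master and transaction files, the account numbers and the transaction ids are all constructed for illustration; the point shown is that tagged transactions leave a trace at every stage while untagged ones are processed alongside them with no extra output:

```python
from decimal import Decimal


def opening_master():
    """Constructed master file: account number -> balance."""
    return {"A100": Decimal("1000.00"), "A200": Decimal("500.00")}


# Constructed transaction file. T2 refers to an account that does not exist.
TRANSACTIONS = [
    {"id": "T1", "account": "A100", "amount": Decimal("250.00")},
    {"id": "T2", "account": "A999", "amount": Decimal("40.00")},
    {"id": "T3", "account": "A200", "amount": Decimal("10.00")},
]


def process(transactions, master, tagged_ids):
    """Run transactions through input -> validation -> posting.

    Transactions whose id is in `tagged_ids` carry the auditor's mark: each stage
    they pass through appends an entry to the trace. Untagged transactions take
    exactly the same path but produce no trace entries, which is what lets the
    technique run concurrently with the client's regular processing."""
    trace = []

    def mark(tx, stage, detail):
        if tx["id"] in tagged_ids:
            trace.append((tx["id"], stage, detail))

    transaction_file = []
    for tx in transactions:
        mark(tx, "input", f"account={tx['account']} amount={tx['amount']}")
        if tx["account"] not in master:
            mark(tx, "validation", "rejected: account not on master file")
            continue
        mark(tx, "validation", "accepted")
        transaction_file.append(tx)
        master[tx["account"]] += tx["amount"]
        mark(tx, "posting", f"balance of {tx['account']} now {master[tx['account']]}")
    return trace, transaction_file


def stages_for(trace, tx_id):
    """The stages a tagged transaction was seen at, in order; empty if untagged."""
    return [stage for tid, stage, _ in trace if tid == tx_id]


def run_example():
    """Tag T1 and T2, process the file, and return what the auditor gets back."""
    master = opening_master()
    trace, transaction_file = process(TRANSACTIONS, master, tagged_ids={"T1", "T2"})
    return trace, transaction_file, master


if __name__ == "__main__":
    trace, transaction_file, master = run_example()
    for entry in trace:
        print(entry)
    print("master after posting:", master)
```

The auditor's check is then to compare the trace against expectations: a valid tagged transaction should show input, validation and posting with the master balance moved by exactly its amount, and an invalid one should stop at validation and appear in neither the transaction file nor the master.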
What is generalized audit software (GAS)?
Designed to read existing computer files and perform functions such as:
- Footing a file
- Selecting a sample, either statistically or judgmentally
- Extracting, sorting, and summarizing data
- Obtaining file statistics
- Evaluating statistical sample results
- Performing analytical procedures
- Finding how many transactions or population items meet specified criteria
- Checking for gaps in processing sequences
- Checking for duplicates
- Performing arithmetic calculations
- Analyzing data for file validity
- Analyzing data files for unusual patterns
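Several of the GAS functions listed above (footing, file statistics, criteria counts, sequence gaps, duplicates and an unusual-pattern test), implemented over one small file as an added Python example. This is not code from the textbook or from any GAS product; the disbursements file, payees, cheque numbers, amounts and the approval threshold are constructed for illustration:

```python
from collections import Counter
from decimal import Decimal

# Constructed cheque disbursements file (illustrative; not textbook data):
# (cheque number, payee, amount). It deliberately contains a numbering gap,
# an exact duplicate record, and two payments just under 5,000.
DISBURSEMENTS = [
    (5001, "Acme Ltd", Decimal("420.00")),
    (5002, "Bolt Supplies", Decimal("99.95")),
    (5003, "Acme Ltd", Decimal("4990.00")),
    (5005, "Carter & Co", Decimal("1250.00")),
    (5006, "Bolt Supplies", Decimal("99.95")),
    (5006, "Bolt Supplies", Decimal("99.95")),
    (5008, "Acme Ltd", Decimal("4995.00")),
]


def foot(records, field=2):
    """Foot a file: total one numeric field across all records."""
    return sum((r[field] for r in records), Decimal("0"))


def file_statistics(records, field=2):
    """Basic file statistics for a numeric field."""
    values = sorted(r[field] for r in records)
    total = sum(values, Decimal("0"))
    return {"count": len(values), "total": total, "min": values[0], "max": values[-1],
            "mean": (total / len(values)).quantize(Decimal("0.01"))}


def count_matching(records, predicate):
    """How many population items meet a specified criterion."""
    return sum(1 for r in records if predicate(r))


def sequence_gaps(records, field=0):
    """Numbers missing from a processing sequence, e.g. cheques never accounted for."""
    present = {r[field] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicates(records, key=lambda r: r):
    """Values of `key` that occur more than once. With the default key an exact
    duplicate record is reported; a key of (payee, amount) finds repeated
    payments that carry different cheque numbers."""
    counts = Counter(key(r) for r in records)
    return sorted(k for k, n in counts.items() if n > 1)


def just_below_threshold(records, threshold, band, field=2):
    """Unusual-pattern test: amounts in the band just under an approval limit,
    a pattern worth reviewing because it can indicate transactions sized or
    split to stay below the level that triggers a second approval."""
    return [r for r in records if threshold - band <= r[field] < threshold]


if __name__ == "__main__":
    print("footed total     :", foot(DISBURSEMENTS))
    print("statistics       :", file_statistics(DISBURSEMENTS))
    print("Acme items       :", count_matching(DISBURSEMENTS, lambda r: r[1] == "Acme Ltd"))
    print("sequence gaps    :", sequence_gaps(DISBURSEMENTS))
    print("duplicate records:", duplicates(DISBURSEMENTS))
    print("repeat payments  :", duplicates(DISBURSEMENTS, key=lambda r: (r[1], r[2])))
    print("just under 5000  :", just_below_threshold(DISBURSEMENTS, 5000, 50))
```

Amounts are held as Decimal rather than float so that footing a file gives the same cents total the client's ledger shows; a float sum of many two-decimal amounts would not.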
Generalized Audit Software (continued)
The most widely used of all computerized audit techniques
Allows auditors to perform a variety of procedures including:
- Analyzing files
- Selecting transactions based on logical identifiers
- Scanning accounts for unusual entries
- Selecting statistical samples
- Projecting errors based on samples
- Performing basic and advanced numerical analysis
- Creating reports
Audit Approaches for E-Commerce
Audit of an entity using E-Commerce follows the basic audit approach; the auditor must understand business processes, important applications, control environment, and risks
Risk analysis
Risks in common with traditional information systems:
- Unauthorized access
- Unauthorized changes to programs or data files
- Misstatements caused by processing or logic errors
- Lack of physical security
Audit Approaches for E-Commerce (continued)
Risks unique to E-Commerce systems:
- Security of system and protection against penetration by outsiders
- Integrity of processing may be threatened by many different sources
- Integrity of data communications
- Trading partner agreements
- Systems interdependencies
- Paperless systems coupled with "soft" controls
Audit Approaches for E-Commerce (continued)
Process and Control Audit
- Audits of E-Commerce will focus on tests of controls and processes
- Auditor develops understanding of controls and approach to determine that controls are working effectively
Tagging and Tracing
- Tagging is more complicated than the process identified earlier in the chapter
- Auditor must work with IT to develop logic
Generalized Audit Software
- Use of GAS may be reduced in some areas such as confirmations
- Other areas, like inventory, will continue to use GAS