Electronic Presentations in Microsoft® PowerPoint®
Prepared by Brad MacDonald, SIAST
© 2003 McGraw-Hill Ryerson Limited

Chapter 8: Auditing in a Computer Environment

Learning Objective 1
Explain how a computer accounting system differs from a manual accounting system.

Computer Environment
The CICA Handbook prefers the use of EDP or Electronic Data Processing.
– There is no fundamental difference between computer auditing and auditing.
– Certain areas are not changed:
  • the definition of auditing
  • the purposes of auditing
  • the generally accepted auditing standards
  • the control objectives
  • the requirement to gather sufficient and appropriate evidence
  • the audit report

Elements of a Computer-Based System
Hardware:
– The physical equipment.
Software:
– System programs:
  • Perform generalized functions for more than one program.
– Application programs:
  • Sets of computer instructions that perform data processing tasks.
Documentation:
– A description of the system and control structures.
Personnel:
– Persons who manage, design, program, operate, or control the system.
Data:
– Transactions and related information entered, stored, and processed by the system.
Control procedures:
– Activities designed to ensure proper recording of transactions and to prevent or detect errors or irregularities.

Elements of a Computer-Based System
Management is responsible for internal controls; the auditor is responsible to understand controls and assess control risk.
– Management can meet its responsibilities and assist the auditor by
  • ensuring documentation is current
  • ensuring that systems produce an audit trail
  • making computer resources and personnel available to the auditor as required

Effect of Computer Processing
Characteristics that distinguish computer processing from manual processing:
– Transaction trails may not exist, or may exist only in machine-readable formats.
– Uniform processing of transactions eliminates random errors, but may cause systematic errors.
– Many internal controls may be concentrated in the computer systems; persons who have access to the computer may be in a position to perform incompatible functions.
– The potential for errors and irregularities through inappropriate access to computer data or systems may be greater.
– A potential for increased management supervision with a wide variety of analytical tools is created in computerized processing.
– Initiation or subsequent execution of transactions by computer may not generate evidence of authorization.

Learning Objective 2
List and discuss additional matters of planning auditors should consider for clients who use computers.

Planning
The extent and complexity of computer processing may affect the nature, extent, and timing of procedures.
The auditor should consider:
– the extent to which computers are used in accounting applications
  • Auditors will need computer-related skills to understand the flow of transactions processed by computers.
Planning
The auditor should consider:
– the complexity of computer operations
  • Auditors will need to assess training and experience relative to the methods of computer processing.
– the organizational structure of computer processing activities
  • Auditors must consider the degree of centralization and standardization in computer-related operations.
– the availability of data from the computer system
  • Auditors must consider when information may no longer be available for review.
– the use of computer-assisted audit techniques (CAATs) to increase the efficiency of audit procedures
– the need for audit personnel with specialized skills

Learning Objective 3
Describe how the phases of control risk assessment are affected by computer processing.

Phase 1 - Understanding
The purpose of Phase 1 is to obtain sufficient knowledge of controls for planning the audit.
– This will include a general knowledge of
  • the organizational structure
  • methods used to communicate responsibility and authority
  • methods used to supervise the system
– Computer processing may affect each of these elements.

Organizational Structure
Understanding of the organization of the client's computer functions is required for assessment of risk.
– The auditor should obtain and evaluate
  • a description of computer resources and computer operating activities
  • a description of the organizational structure of computer operations and related policies
– This understanding helps the auditor decide on the amount of reliance to place on system controls.
Methods Used to Communicate Responsibility and Authority
Auditors should understand how the computer resources are managed and how priorities for use are determined.
– Auditors should obtain evidence and evaluate information about the existence of
  • accounting and other policy manuals
  • formal job descriptions for computer department personnel

Methods Used by Management to Supervise the System
Auditors should learn the procedures management uses to monitor the computer operations.
– Auditors should evaluate:
  a) systems design and documentation
  b) procedures for modification
  c) procedures limiting access
  d) financial and other reports
  e) internal audit function

Understanding the Accounting System
Auditors should gain an understanding of the flow of transactions through the accounting system for each significant accounting application.

Phase 2: Assessing Control Risk
To assess the control risk when a computer is used, auditors must do the following:
– Identify specific control objectives based on the types of misstatements that may be present.
– Identify the points in the flow of transactions where specific types of misstatement could occur.
– Identify specific control activities designed to prevent or detect misstatements.
– Identify the control activities that must function to prevent or detect misstatements.
– Evaluate the control activities to determine whether they suggest a low control risk and whether tests of controls might be cost effective.
Assessing Control Risk
The information gathered should allow the auditor to decide which of the following applies:
– Control risk is assessed low, and it is cost effective to perform tests of controls.
  • Continue with testing of controls.
– Control risk is assessed low, but it is not cost effective to perform tests of controls.
  • Concentrate on substantive procedures.
– Control risk is assessed high.
  • Concentrate on substantive procedures.

Learning Objective 4
Describe and explain general control procedures and place the application control procedures covered in Chapter 6 in the context of computerized “error checking routines.”

Simple Computer Systems
Characteristics of a simple computer system:
– All processing occurs at a central processing facility.
– Three or four people are involved in operations of a simple system.
– The system may use batch processing or online processing.
General control procedures:
– Those controls that relate to all or many computerized accounting functions.
  • Organization and physical access
    – Weakness or absence of access controls decreases the overall integrity of the computer system.
  • Documentation and systems development
    – Weakness or absence of documentation and development standards also decreases the integrity of the system.
  • Hardware
    – The auditor should be familiar with hardware controls.
  • Data file and program control and security
    – Controls are necessary to determine that the proper files and programs are being used, and that files are appropriately backed up.
Application Control Procedures
Application controls are those used in each “application.” Application controls are grouped under three categories:
– input controls
– processing controls
– output controls
Input controls:
– Controls at input are primarily preventative.
– It is generally more cost effective to prevent errors than it is to detect and correct them.
Processing controls:
– Primarily oriented at detecting misstatements.
Output controls:
– Primarily oriented at correcting misstatements.

Control Risk in Simple Systems
The purpose of the review of controls is to understand the strengths and weaknesses of control systems.
– The general controls must be good in order for any application controls to be considered in planning the substantive procedures.
  • The usual approach is to evaluate general controls first, then application controls.

Learning Objective 5
Describe the characteristics and control problems of personal computer installations.

Personal Computer Environment
Computer activity involving PCs should be included in the determination of risk. PCs may be standalone systems or part of a distributed system.
– The control environment, not the technology, is the important consideration for the auditor.
– In a PC environment, lack of segregation of duties may be a significant risk.
PC Control Considerations:
– Most control problems can be traced to lack of segregation of duties and lack of computerized control procedures.
– Auditors should consider the entire control structure and look for compensating control strengths.
Personal Computer Environment
Organizational control procedures:
– Limit concentration of functions as much as possible.
– Establish proper supervision.
Operation control procedures:
– Controls over online entry are important.
  • Restrict access to input devices.
  • Use standard screens, computer prompting, and online editing procedures.
Processing control procedures:
– Ensure processing is correct and complete.
  • Capture entries in transaction logs.
  • Make use of control totals.
  • Perform periodic reconciliation of input to output.
Systems development and modification:
– Purchased applications should be reviewed carefully.

Learning Objective 6
Explain the differences among auditing around the computer, auditing through the computer, and auditing with the computer.

Evaluation Approaches
Auditing around the computer:
– Treat the computer as a “black box” and vouch and trace source documents and output.
– An adequate procedure where the computer is simply used as a calculator and printer.
Auditing through the computer:
– Evaluate hardware, software, and controls.
– Uses computerized controls.

Learning Objective 7
Explain how the auditor can perform the tests of controls audit of computerized controls in a simple computer system.

Tests of Computer Controls
There are two approaches to using the computer in tests of controls procedures:
– Test data:
  • Test the programmed controls using simulated data.
– Parallel simulation:
  • Audit the programmed controls with live data reprocessed with an independent audit program.
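The two approaches on the slide above, worked through as an added example that is not from the textbook: a constructed payroll application with programmed input edits, a test-data run that plants errors among good transactions, and a parallel simulation that reprocesses live records with an independent calculation. The employee master file, the 1.5x overtime rule and every record are assumptions made for the example.

```python
from collections import namedtuple

# Constructed example; not the textbook's code. A payroll transaction record.
Txn = namedtuple("Txn", "emp_id hours rate")
VALID_EMPLOYEES = {"E100", "E101", "E102"}   # constructed employee master file

def client_input_edit(t):
    """The client's programmed input controls: reasons a record is rejected."""
    errors = []
    if t.emp_id not in VALID_EMPLOYEES:
        errors.append("unknown employee")
    if not 0 < t.hours <= 80:
        errors.append("hours out of range")
    if t.rate <= 0:
        errors.append("non-positive rate")
    return errors

def client_process(txns):
    """Simulated client application: (gross pay by employee, rejected records)."""
    accepted, rejected = {}, []
    for t in txns:
        errs = client_input_edit(t)
        if errs:
            rejected.append((t, errs))
            continue
        # Constructed defect: every hour paid at straight time, no overtime premium.
        accepted[t.emp_id] = accepted.get(t.emp_id, 0.0) + round(t.hours * t.rate, 2)
    return accepted, rejected

# Approach 1: test data, i.e. good transactions plus planted errors.
TEST_DATA = [
    Txn("E100", 40, 20.0),   # good transaction
    Txn("E999", 10, 20.0),   # planted: employee not on the master file
    Txn("E101", 95, 20.0),   # planted: hours exceed the edit limit
    Txn("E102", 8, -5.0),    # planted: negative pay rate
]
EXPECTED_REJECTS = {"E999", "E101", "E102"}

def run_test_data():
    """True if the programmed edits rejected exactly the planted errors."""
    accepted, rejected = client_process(TEST_DATA)
    return {t.emp_id for t, _ in rejected} == EXPECTED_REJECTS and set(accepted) == {"E100"}

# Approach 2: parallel simulation, i.e. live data reprocessed by the auditor's program.
LIVE_DATA = [Txn("E100", 40, 20.0), Txn("E101", 48, 25.0), Txn("E102", 30, 30.0)]
def auditor_gross_pay(t):
    """Auditor's independent computation; assumes overtime over 40 hours at 1.5x."""
    overtime = max(0.0, t.hours - 40)
    return round((t.hours - overtime) * t.rate + overtime * t.rate * 1.5, 2)

def run_parallel_simulation():
    """Exceptions: employees whose client gross pay differs from the auditor's figure."""
    client_out, _ = client_process(LIVE_DATA)
    return {t.emp_id: (client_out.get(t.emp_id), auditor_gross_pay(t))
            for t in LIVE_DATA if client_out.get(t.emp_id) != auditor_gross_pay(t)}
```

The test-data run passes because the input edits work, while the parallel simulation surfaces E101 as an exception: the planted processing defect (no overtime premium) is invisible to input edits and only shows up when live data is independently recomputed.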
Test Data
A computer will process every transaction in a certain logical way, exactly the same every time.
– Create hypothetical transactions to determine how the computer will handle errors.
– Test data is a sample of combinations of input data that may be processed through a system.
  • Test data will contain planted errors in addition to good transactions.

Parallel Simulation
Auditors prepare a program to process data correctly and compare the results to the results of actual client processing.
– Generalized audit software makes the process more attractive.
– The first audit using a parallel simulation is time consuming and expensive.
  • Economies are realized in subsequent audits of the same client.

Learning Objective 8
Describe the use of generalized audit software.

Generalized Audit Software
Generalized audit software (GAS) programs are a set of functions that may be utilized to read, compute, and operate on machine-readable records.
– Used on audits where records are stored in computer files or databases.
Auditing with the computer:
– GAS was developed to access machine-readable detail records.
  • Original programming is no longer required.
  • The GAS consists of a set of pre-programmed editing, operating, and output subroutines.
  • Required programming is easy.
  • A simple, limited set of programming instructions is used to call the subroutines.
Audit procedures performed by generalized audit software:
– GAS can access huge volumes of machine-readable records, organizing them into a useful format for the audit team.
– GAS can be used for the following:
  • computation
  • confirmation
  • inspection
  • analysis

Using Generalized Audit Software
Five phases in developing a GAS application:
– Define the audit objective.
  • GAS is a tool, not an objective.
– Feasibility and planning
  • Determine if GAS is efficient and effective for the audit at hand.
– Application design
– Coding and testing
– Processing and evaluation

Learning Objective 9
Describe how the personal computer can be used as an audit tool.

Using the Personal Computer as an Audit Tool
The PC is being used to perform clerical steps:
– working trial balance
– posting adjustments
– grouping accounts
– computing comparative statements
– computing common ratios
– preparing supporting working papers
– producing draft statements
PCs are also used to
– assess control risk
– perform analytical functions
– access databases
– run decision-making support software
– perform CAATs

Learning Objective 10
Describe the effects of e-business on auditing.

E-Business
Electronic commerce (e-commerce) is any trade that takes place by electronic means.
– This economic activity has been greatly facilitated by the growing use of the Internet.
– Segments of e-commerce include:
  • B2B – Business to business
  • B2C – Business to consumer
  • C2B – Consumer to business
  • C2C – Consumer to consumer
The audit strategy in e-business is to first evaluate general controls and then consider application controls.
– General control risks include confidentiality, integrity, authentication, repudiation, and unauthorized access.
  • Controls include the use of encryption, hashing, digital signatures, passwords, transaction certificates, confirmation services, firewalls, and biometric devices.

Application Controls
Credit card payments:
– The primary concern is the secure transmission of credit card information.
  • Protocols to ensure security include:
    – Secure Sockets Layer (SSL)
    – Secure Electronic Transactions (SET)
  • Auditors will need to compliance test the authentication, access, and confidentiality controls.

Effects of E-Business on Auditors
Auditors should expect to encounter electronic records rather than paper.
Auditors will need to place more reliance on controls.
– The quality of audit evidence will become very dependent on controls over accuracy and completeness.

Internet-based and Continuous Auditing
A continuous audit enables the auditor to issue written assurance simultaneously with, or shortly after, the occurrence of the underlying events.
– The subject matter could be any type of information; for example, authenticity, integrity, or non-repudiation of e-commerce transactions.
– A CICA study has identified conditions necessary for a continuous audit.
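Hashing is listed above as an integrity control, and the continuous-auditing slide names integrity of e-commerce transactions as possible subject matter. As an added example that is not from the textbook, the block below chains a keyed hash over constructed order records so that an auditor holding the key can re-verify the log and detect an altered or deleted record; the key, the record layout and the orders are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed example key; in practice it would be held by the auditor, not the system.
KEY = b"auditor-held-key-example"
GENESIS = "0" * 64   # digest value that precedes the first record

def record_digest(prev_digest, record):
    """Chain each record to its predecessor: HMAC(key, prev_digest || canonical record)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_digest.encode() + body, hashlib.sha256).hexdigest()

def build_log(records):
    """Append records in order, storing the chained digest beside each one."""
    log, prev = [], GENESIS
    for rec in records:
        prev = record_digest(prev, rec)
        log.append({"record": rec, "digest": prev})
    return log

def verify_log(log):
    """Recompute the chain; return the index of the first broken entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = record_digest(prev, entry["record"])
        if not hmac.compare_digest(expected, entry["digest"]):
            return i
        prev = expected
    return None

ORDERS = [  # constructed sample e-commerce records
    {"order": 1001, "customer": "C-17", "amount": 49.99},
    {"order": 1002, "customer": "C-22", "amount": 120.00},
    {"order": 1003, "customer": "C-17", "amount": 15.50},
]

def demo():
    """(intact result, result after altering record 2, result after deleting record 2)."""
    log = build_log(ORDERS)
    intact = verify_log(log)
    altered = [dict(e) for e in log]
    altered[1] = {"record": dict(log[1]["record"], amount=12.00), "digest": log[1]["digest"]}
    deleted = log[:1] + log[2:]   # record 1002 removed, later digests unchanged
    return intact, verify_log(altered), verify_log(deleted)
```

Because each digest also covers the previous digest, a deletion breaks the chain at the record that followed it, which is what makes the log useful for a completeness check and not only for accuracy.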