Chapter 20. Auditing in an EDP Environment – Auditing: Principles and Techniques

Chapter 20

Auditing in an EDP Environment

20.1 INTRODUCTION

In recent years there has been a rapid development in the use of computers as a means of producing financial information. This development has created certain problems for the auditor in that although general auditing principles have not been affected, it is sometimes necessary to use specialised auditing procedures and techniques.

As a result of this, there has emerged from within the accounting profession a group of electronic data processing (EDP) audit specialists, equipped with sufficient technical expertise to make an intelligent analysis of complex computer audit situations.

The intention of this chapter is to outline the various factors which need to be taken into consideration in evaluating internal control within EDP systems, and to draw attention to the modifications in audit procedures which may be required in certain circumstances.

20.2 GENERAL APPROACH TO AN EDP-BASED AUDIT

It is normal for the auditor to base his approach to an EDP-based audit upon two completely separate types of review:

20.2.1 Organisational Review

Organisational review is the review of the organisational controls within the computer installation itself. This review seeks to examine the internal control within the computer installation, to ensure the following:

  1. An acceptable standard of discipline and efficiency is maintained.
  2. An adequate division of duties exists, thus preventing any undue concentration of functions.

Serious weaknesses in internal control within the EDP department itself can throw doubt on the validity of all the data it produces.

20.2.2 System Review

System review is a detailed review of the controls operating within each computer-based accounting system. This review seeks to establish that controls operate within each individual system which, inter alia, ensure the following:

  1. All data is completely and accurately processed
  2. Permanent data is adequately protected
  3. A satisfactory ‘audit trail’ exists

Both types of review are carried out by the use of questionnaires, and these questionnaires are based on the ‘key question’ principle. It is necessary to evaluate both the general and computer questionnaires together to obtain a proper understanding of the system and to assess the significance of individual controls.

20.3 COMPUTER INSTALLATION REVIEW

The organisational review seeks to establish that there are no serious internal control weaknesses within the installation, which could throw doubt on the validity of the information produced.

Adopting this approach, the auditor should seek to establish that six key controls operate within the installation. These controls are as follows:

1. Controls by management over the activities of the EDP function

The degree of control which general management should exercise over the EDP department will depend both upon the nature and complexity of the business and the complexity of the computer installation.

The following minimum standards should, however, apply:

  1. The EDP manager should report directly to senior management.
  2. All significant aspects of EDP activity should be regularly reported.

It should therefore be ascertained that the person to whom the EDP Manager reports is a member of the senior management team and has sufficient authority to ensure that the department will receive adequate support and effective management.

The auditor should also enquire into the manner in which the activities of the department are reported to senior management. Ideally, a monthly control report should be prepared, which should include the following information:

  1. An analysis of computer usage, showing productive and non-productive time separately
  2. A manpower allocation report
  3. A report on projects under development
  4. An analysis of expenditure against budget

2. Controls to ensure the continuing existence of EDP facilities

Arrangements should exist within every EDP installation which attempt either to eliminate or to minimise the possibility of EDP facilities being completely destroyed for any reason. These arrangements are significant in that the loss of certain vital information could seriously disrupt an organisation’s general business and profitability.

The auditor should enquire into the existence of the following controls:

  1. Insurance cover   The following risks should be insured:
    • Loss of equipment
    • Loss of file devices
    • Reconstruction of files (i.e. the cost of reconstituting the data from external sources)
    • Consequential loss
    • Employee fidelity
  2. Emergency precautions   The operating area should be fitted with fire-detection equipment and also with fire-fighting equipment. The computer operators should also be fully aware of the emergency procedures to be adopted in the event of fire. Adequate security measures should also exist to ensure that unauthorised persons cannot gain access to key areas within the department.

  3. Stand-by facilities   Arrangements should exist whereby data can be processed at another installation in the event of machine failure. These arrangements are particularly important where certain systems are time-critical (e.g. payrolls).

    It is unfortunately rather common for these arrangements to be made only on a casual basis, since most machine breakdowns are only of a temporary nature. The auditor should therefore enquire into the stand-by arrangements in some detail. In particular, he should direct his attention to the following points:

    • Whether the arrangements are verbal, written or contractual.
    • Whether or not the stand-by equipment is fully compatible and whether any recent changes have been made.
    • Whether significant running time would be available if prolonged use of the standby facility were necessary.
  4. Back-up copies of files, programmes and documentation   Processing arrangements should be such that a recent copy of all master files and programmes is available in the event of the current copy being lost, corrupted or destroyed. Similarly, a copy of all system flowcharts and programme listings should also be maintained, so that loss of the originals would not destroy all evidence of programme details.

    The nature of the back-up arrangements and the frequency with which copies should be made will vary between installations and also between different systems within an installation. It is considered, however, that the following minimum standards should apply:

    1. Programmes and systems documentation: A back-up copy of each programme should be maintained and stored under secure conditions in a place remote from the computer room. This will minimise the risk of both original and copy being destroyed. Similarly, a back-up copy of system documentation should also be maintained. Arrangements should also exist to ensure that copy programmes and documentation are regularly updated with amendments.
    2. Master-files: At least one recent copy of each master file should always be stored under secure conditions off the premises. Security is further strengthened by means of processing files on a generation basis. Under this system, a copy of the file can always be re-created before the live edition of the file is updated with current transaction data.
  5. Equipment maintenance   The equipment should be subject to maintenance as recommended by the manufacturer. The auditor should enquire into the maintenance arrangements and ensure that they comply with the manufacturer’s recommendations.

3. Safeguarding of the client’s records

The division of duties within the EDP department and the general procedural arrangements should be such that the records of the client are not exposed to any undue risk of loss or corruption, either accidental or deliberate.

The auditor should therefore direct his attention to the following aspects of internal control:

  1. Division of duties within the EDP department   In common with other departments of the organisation, the extent to which duties can be divided between the staff within the EDP department depends to a very large extent upon the size of the department.

    Ideally, the following duties should be carried out by separate individuals:

    • Data initiation (outside the EDP department)
    • Data Control (within the EDP department)
    • Data preparation (entering and verifying)
    • Job scheduling
    • Operation of the computer
    • Maintenance of programmes and the file library
    • Systems development
    • Programming of new systems

      It should be emphasised that the full division of duties as listed above will only be found in very large institutions. Small installations, for example, rarely employ a file librarian and frequently combine the activities of systems development and programming.

  2. Storage of information, files and programmes   Procedural controls should be such that files and input and output data should not be accessible to unauthorised persons. The following matters warrant particular attention:
    • Files should always be stored securely, preferably in a separate file library.
    • Access to the files should be limited to authorised personnel only.
    • Output should not be accessible to visitors to the department.
    • Systems and programme documentation should be stored securely.
  3. Processing of files   As stated earlier, files should always be processed on a generation basis, thus ensuring that a copy can always be re-created should the current edition of the file be either lost or destroyed.

    The auditor should enquire into the number of generations of master files that are kept and should assess the adequacy of the storage arrangements for each generation.

  4. Procedures to prevent accidental overwriting of files   Operating procedures should incorporate controls designed to prevent the accidental overwriting of files. The auditor would normally expect to find the following procedures in operation:
    1. Files should be subject to retention period checks on set-up i.e. the file label has a date imprinted on it, before which the file may not be overwritten or erased.
    2. Files should be written both internally and externally.
    3. Files should be stored in an orderly fashion to prevent accidental selection of the incorrect file.
    4. Operators should be given details of file labels before processing, so that operating problems can be resolved.
  5. Amendments to programmes   Strict control should be exercised over amendments made to existing programmes. This is not only to safeguard against fraudulent manipulation or suppression of data, but also to ensure that costly amendments are not made without first establishing that they are both desirable and necessary.

The auditor should ensure the following:

  1. Operators are instructed to accept only amendments which have been authorised by either the EDP manager or the operations manager.
  2. Amended versions of programmes are thoroughly tested before implementation.
  3. All programme amendments are recorded in the relevant programme documentation, the back-up documentation and also in a central record of all amendments.

4. Control over the data passing through the EDP department

Control over data submitted for processing is of vital concern to the auditor. The controls established within each system, such as control total checks and validation checks, should be examined in detail by means of separate audit reviews of each individual system. Additionally, the auditor should examine, as part of his installation review, the general standard of the controls which are in operation within the EDP department, particularly within the data control section.

There are three main areas of control to which the auditor should direct his attention. These are as follows:

  1. Controls maintained by user departments   In all batch-processing installations, it should be regarded as a cardinal rule that all user departments should maintain strict input controls over the data which they submit for processing.

    The type of control maintained will clearly vary according to the nature of the business and the individual requirements of each system. During his installation review the auditor should therefore ascertain whether or not (i) all data is batched before it is submitted for processing, (ii) user departments are required to maintain input/output controls in the form of batch total summaries, and (iii) there are indications that these user controls are effective.

  2. Data control function within the EDP department   A data control section invariably exists in all but the smallest of installations. Its functions are to receive data from user departments, assemble it into a state ready for processing and to monitor its progress through the various stages of processing.

    Again, the auditor will review the activities of this section in detail during each of his reviews. During his installation review, however, he should seek to establish the following.

    • A data control section does exist within the EDP department.
    • Staff within the data control section do not have other duties, which give rise to internal control weaknesses.
    • Authorisation controls exist which ensure that all authorised data is received from users and that only authorised data is accepted for processing.
    • A record is maintained of all data received and of its progress through processing.
    • Control totals are balanced to output after processing.
    • The data control section exercises anticipatory control over the receipt of data from users.
  3. Storage arrangements within the EDP department   There should be secure storage arrangements, both during and outside normal working hours, for the following:
    • Unprocessed data in the data control section
    • Data in the record room
    • Data in the job assembly area (if any)
    • Input documents after processing
    • Output documents after processing
    • Undistributed output.

5. Controls over the operation of the computer

The procedural controls relating to the operation of the computer should also be reviewed, the object being to ensure that there are no internal control weaknesses which could give rise to the mis-processing of data.

The points to be considered during this aspect of the review are as follows:

  1. Number of operators present during processing   Ideally, there should always be two operators present during processing. This means that collusion would have to exist before data could be deliberately copied, manipulated or destroyed. If two or more operators are employed, the auditor should ensure that adequate cover arrangements exist in the event of holidays, sickness, extended shifts and lunch or tea breaks. In such a situation, the rotation of operators’ duties is also of significance.

    If it is not the standard practice for at least two operators to be present during processing, the auditor should seek to assess other controls which may exist and which may compensate for the absence of control over operators’ activities.

  2. ‘Hands-on’ testing   There should invariably be a rule, within all except the smallest of installations, that system analysts and programmers are not allowed access to the computer operating area, other than for ‘hands-on testing’. Hands-on testing is the term used to describe the situation where the programmer tests out, on the computer, programmes which he is writing and developing.

    It should also be a rule that during hands-on testing, at least one operator should be present, who operates the computer. If no operator is present, special precautions should exist which ensure that the programmer or the analyst cannot access live files and programmes.

  3. File library   From an internal control point of view, it is clearly preferable that files and programmes are stored in a separate file library. Where such a library exists, it should be under the control of a file librarian. Operators should not have access to this library.

    Where such a library does exist, the auditor should establish that it is a requirement that all files are stored in this library when not in use. He should inspect other areas within the operations suite to confirm that this requirement is being observed.

  4. Review of operators’ activities   It should be an accepted principle within the installation that operators’ activities should be recorded and reviewed. The manner in which this is carried out will vary according to the nature of the installation.

  5. Access to the operating area   Clear access to the operating area should be subject to rigid security.

    The auditor should therefore ensure the following.

    • Unauthorised persons cannot gain access to the operating area either during or outside normal working hours.
    • Checks exist which ensure that operators do not bring unauthorised files or work into the operating area.
    • It is not possible for operators to remove files or work from the operating area without authorisation.

6. Control over the resources, assets and liabilities of the EDP department

To complete his review of the computer installation, the auditor should conduct a review of the internal control surrounding the general activities of the EDP department. The points that should be covered within this area of review are as follows:

  1. Protection of confidential information   Controls should exist which ensure that confidential information is adequately protected. Such controls will take one or other of the following forms:
    • Attendance of users during the processing of sensitive applications
    • Security grading of printouts, with a corresponding restriction of distribution
    • If machine time is sold, special precautions relating to the protection of files, programmes and data whilst visitors are in the operating area
  2. Development of new systems and applications   Procedures within the department should ensure that computer systems are only developed in situations where there is a genuine need for them and that they are developed along practical and commercial lines.

    The controls surrounding systems development should therefore ensure the following:

    1. Feasibility studies are always carried out before new applications are authorised and undertaken. Such studies should have regard to all the relevant factors, including obtaining users’ co-operation, proving a need for the application, setting realistic time-scales for implementation, etc.
    2. Systems and programmes under development are reviewed at critical stages during their development. It is clearly essential that systems, when developed, are acceptable to all concerned. Reviews should therefore be carried out as follows:
      • Users should approve the system before development begins.
      • Auditors should be involved before programming begins to ensure that acceptable control standards are incorporated into the system.
      • The system analysts should review all programmes before they are compiled.
      • The programmer should extensively test the programmes.
      • The analyst should review the results of programme testing.
      • The user department should formally authorise the system as ready for implementation.
  3. Sale of machine time/data conversion facilities   If computer time and/or operating facilities are sold on anything more than an occasional basis, controls should exist to ensure that all income is duly received. The auditor should therefore enquire into the following:
    1. The system surrounding the invoicing and collection of revenue.
    2. The rates charged and the comparison of these rates against commercial bureau charges.
  4. Cost control over the activities of the EDP department   The auditor should establish that there is an adequate form of review over the activities of the EDP department. As a corollary to this enquiry, it is appropriate to enquire under this heading into the detailed mechanics of cost control. In particular, the attention should be paid to the following factors:
    • Any cost accounts prepared by the EDP department
    • The reconciliation of these cost accounts to the main financial accounts
    • The comparison of actual costs against budget
    • The means by which management review variances

20.4 COMPUTER SYSTEM REVIEW

Having completed his review of the installation and satisfied himself as to the adequacy or otherwise of the design and operation of the various procedural controls, the auditor will be in a position to review in detail the design and operation of each of the individual systems.

His approach to this task will be similar to that employed in any other system-based audit, and will include the following:

1. Documenting the system

The task of documenting a computer system is not dissimilar from that of documenting any other accounting system. In fact, the auditor is invariably aided in his work in that he will normally find that the system has already been well documented by the analysts who designed the system.

The amount of documentation which will be available will clearly vary from installation to installation. In some cases it will be necessary to supplement the documentation with the auditor’s own notes and flowcharts, whereas in other cases the notes and flowcharts provided by the client will prove sufficient.

The documentation will need to be assembled in a manner which will facilitate an evaluation of the system on the ‘key question’ principle. Clearly, no hard and fast rules can be laid down, but it will normally be convenient to use the outline system flowchart as the principal record of the system and to supplement this flowchart with the following four main schedules:

  • Schedule of input types
  • Schedule of master files
  • Schedule of intermediary files
  • Schedule of reports printed

The outline system flowchart, together with the four main supporting schedules, should provide the auditor with the bulk of the information which he requires for his evaluation of the system.

2. Evaluating the system

Having completed his documentation of the system, the auditor can proceed with his evaluation of the internal controls operating within the system.

He will do this by means of an internal control questionnaire. The questionnaire should seek to establish that the following seven key controls operate:

  • That it is possible to trace transactions through each stage of processing, i.e. a satisfactory audit trail exists.
  • That there are controls which prove prima facie that transaction data is processed correctly.
  • That there are adequate controls to protect standing data.
  • That controls exist to ensure that all authorised, and only authorised, data is processed.
  • That adequate control is exercised over rejections and resubmission of corrected data for reprocessing.
  • That the system provides adequate management information and that it is broadly suited to its purpose.
  • That the system is adequately documented.

3. Designing the audit programme

Having documented the system and having evaluated the controls operating within the system, the auditor will be in a position to design his audit programme.

It should be emphasised that the principles involved are identical to those in any other system-based audit, namely that the auditor is seeking to assess and test the operation of the system, so that he can rely on the information produced by the system.

If he can satisfy himself as to the reliability of the system, this does not of course obviate the necessity for balance sheet verification work. Thus, even though the auditor is satisfied as to the operation of the computer systems, it will still be necessary to verify, for example, purchase ledger balances against circulars and statements and stock ledger balances against physical stock counts.

20.4.1 Transaction and Weakness Test

The principles to be employed in designing computer system audit tests are again similar to those employed in designing audit tests in respect of manual or mechanised systems. If the answer to a key question is positive and the auditor is satisfied that no fundamental internal control weakness exists, he then imposes a transaction test to establish that the system is operating satisfactorily. If, however, the answer to a key question is negative, he imposes a special weakness test to assess the significance of that weakness. If at the conclusion of those tests he is satisfied that no major error could occur, he reports the weakness to the management and continues with normal balance sheet verification work. If he thinks that a major error could occur, he must then impose additional verification tests or perhaps qualify the audit report.

It is not practical to specify a standard audit programme which can be used in all cases where no major weakness has been identified. It is, however, possible to give an indication of the normal tests which would be included in a transactions audit programme where there is no loss of audit trail.

20.4.2 Loss of Audit Trail

The tests indicated above deal with the basically simple situation where all information is processed in batch form and where it is possible to link the input directly with output.

However, losses of and changes in traditional audit trails are encountered increasingly in the more advanced computer applications. A typical example would be a large public company with a sales ledger comprising over half a lakh balances. It would be impractical to print out a full list of balances each month, so the control totals are printed, together with certain exception reports, such as overdue balances. There is, therefore, no output report against which the auditor can compare input.

A commonsense attitude should be adopted towards losses of audit trail of this nature. The auditor must adapt his technique to suit the situation. A number of choices are open to him, including some sophisticated techniques.

Techniques used in these circumstances include the following:

  • Arranging for special printouts of additional information for the auditor’s use. This often involves an additional suite of programmes, which are activated at the auditor’s request.
  • Clerical re-creation, i.e. to verify a sales total when no detailed listings have been produced, the copy invoices can be add-listed and the totals compared against the computer reports.
  • Testing on a total basis, ignoring individual items.
  • Use of a computer audit programme to directly interrogate the magnetic file and print out information specifically selected by the auditor.
  • Use of a test pack to test the correct processing of data.
  • Relying on alternative tests.

20.5 APPROACHES TO EDP AUDITING

Rapid changes in hardware and software have changed the conceptual approach to auditing in an EDP environment. In earlier times, the audit approach consisted of ignoring the existence of the computer: it was treated as a black box and the audit was conducted around the computer. However, the increasing development of computers has since led to computers being used in two different ways:

  1. As a tool to the auditor in conducting audit such as printing confirmation requests
  2. As the target of the audit where data are submitted to the computer and the results are analysed for processing reliability and accuracy of the computer system

The auditor must plan whether to use the computer to assist the audit or whether to audit without using the computer. These two approaches are commonly known as “auditing around the computer” and “auditing through the computer”.

20.5.1 Auditing Around the Computer

Auditing around the computer involves arriving at a conclusion by examining the internal control system for the computer installation and, for application systems, the input and output only. On the basis of the quality of the input and output of the application system, the auditor forms a view about the quality of the processing carried out. Under this approach, the auditor treats the computer as a black box and, as a result, the application system processing is not examined directly.

Usually the auditors adopt this approach of auditing around the computer, when any of the following conditions are fulfilled.

  • The system itself is very simple.
  • The system is batch-oriented.
  • The system uses generalised software, which is well tested and used widely by many concerns.

For these well-defined systems, generalised software packages often are available. For example, software vendors have already developed packages for value added tax calculation. If these software packages are provided by a recognised vendor, have received widespread use and appear error-free, the auditor may decide not to test directly the processing aspects of the system. However, the auditor must ensure that the installation has not modified the package in any way and that adequate controls exist to prevent unauthorised modification of the package.

The basic advantage of auditing around the computer is its simplicity. Auditors having little technical knowledge of computers can be trained easily to perform the audit.

However, this approach is also not free from defects. There are two major limitations to this approach. Firstly, the type of computer system where it is applicable is very restricted. It should not be used in those systems having complexity in terms of size or type of processing. Secondly, the auditor cannot assess very well the likelihood of the system degrading if the environment changes. The auditor should be concerned with the ability of the concern to adjust to a changed environment. Systems can be designed and programmes can be written in such a way that a change in the environment will not cause the system to process data incorrectly or to degrade quickly.

20.5.2 Auditing through the Computer

The auditor can use the computer to test the logic and controls existing within the system and the records produced by the system. Depending upon the complexity of the application system being audited, the approach may be fairly simple or require extensive technical competence on the part of the auditor.

The following are the situations where auditing through the computer must be adopted:

  1. The logic of the system is complex and there are large portions that facilitate use of the system or efficient processing.
  2. The application system processes large volumes of inputs and produces large volumes of output that makes extensive direct examination of the validity of input and output difficult.
  3. Because of cost-benefit considerations, there are substantial gaps in the visible audit trail.
  4. Significant parts of the internal control system are embodied in the computer system.

The main advantage of this auditing approach is that the auditor has increased power to effectively test a computer system. The range and capability of tests that can be performed increases and the auditor acquires greater confidence that data processing is correct. By examining the system’s processing the auditor can also assess the system’s ability to cope with environment change.

The main disadvantage of this approach is the high cost sometimes involved and the need for extensive technical expertise when systems are complex. However, these disadvantages are really spurious if auditing through the computer is the only viable method of carrying out the audit.

20.6 SPECIAL TECHNIQUES FOR AUDITING IN AN EDP ENVIRONMENT

As in the case of manual systems, auditing in an EDP environment is done for the following purposes:

  1. To study and evaluate the system through which the information under audit is generated, including the various internal controls in the system.
  2. To carry out appropriate substantive procedures.

Due to the special characteristics of an EDP environment, auditors often use the computer for performing several compliance procedures as well as substantive procedures. The techniques, which involve the use of the computer for audit purposes, are known as ‘Computer assisted audit techniques’ (CAATs).

What are CAATs?

Computer assisted audit techniques involve the use of computers in the process of an audit rather than limiting it to an entirely manual approach. CAATs are defined as computer-based tools and techniques that help auditors to increase their personal productivity as well as that of the audit function. CAATs are software tools for auditors to access, analyse and interpret data and to draw an opinion for an audit objective.

Need for CAATs

Statement on AAS-16 states that effectiveness and efficiency of audit procedures may be improved through use of CAATs. CAATs may be used in performing various auditing procedures, including the following:

  • Tests of details of transactions and balances
  • Analytical procedures
  • Tests for general controls
  • Sampling programmes to extract data for audit testing
  • Tests of application controls
  • Re-performing calculations performed by the entity’s accounting system

The guidance note on CAATs issued by the Institute of Chartered Accountants of India describes CAATs as important tools for the auditor in performing audits. During the course of audit, the auditor has to obtain sufficient, relevant and useful evidence to achieve the audit objectives effectively. Audit findings and conclusions are to be supported by appropriate analysis and interpretation of the evidence.

In auditing a computerised environment where all significant operations are computerised, it may be impractical to perform the audit completely and with assurance unless the auditor uses CAATs for collection and evaluation of audit evidence by performing both compliance and substantive tests. By using CAATs, it is possible for the auditor to perform the audit more effectively and efficiently and also to have greater assurance on the audit process.

Considerations in the use of CAATs

When planning an audit, the auditor may consider an appropriate combination of manual and computer assisted audit techniques. In determining whether to use CAATs, the factors to be considered include the following:

  • The IT knowledge, expertise and experience of the audit team
  • The availability of CAATs and suitable computer facilities and data
  • The impracticability of manual tests
  • Effectiveness and efficiency and
  • Time constraints

Before using CAATs, the auditor considers the controls incorporated in the design of the entity’s computer system to which the CAAT would be applied, in order to determine whether, and if so how, the CAAT should be used.

Types of CAATs

CAATs can be broadly categorised into the following three types:

  1. Generalised audit software (GAS)   These are also referred to as Package Programmes. GAS refers to generalised computer programmes designed to perform data processing functions such as reading data, selecting and analysing information, performing calculations, creating data files and reporting in a format specified by the auditor. GAS is standard off-the-shelf audit software, which can be used across enterprises and platforms.

     

  2. Specialised audit software (SAS)   These are also referred to as Purpose-Written programmes. They perform audit tasks in specific circumstances and are written specifically for performing audit tests on specific types of applications. These programmes may be developed by the auditor, the entity being audited or an outside programmer hired by the auditor. In some cases, the auditor may use an entity’s existing programmes in their original or modified state because it may be more efficient than developing independent programmes.

     

  3. Utility software   These are used by an entity to perform common data processing functions, such as sorting, creating and printing files. Utility software also includes utility programmes available in system programmes for performing debugging or analysis of various aspects of usage/access. These programmes are generally not designed for audit purposes but can be used for performing specific tests.
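The functions attributed to audit software above (reading data, selecting information, re-performing calculations and reporting) can be seen in a short script. This is an added illustration, not taken from the chapter or from any audit package; the column names, the ledger rows, the batch total and the 5000 selection threshold are all constructed assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed sales-ledger extract (illustrative data, not from the chapter).
LEDGER_CSV = """invoice_no,customer,qty,unit_price,recorded_total
1001,C01,10,12.50,125.00
1002,C02,3,99.99,299.97
1003,C01,7,20.00,150.00
1005,C03,1,450.00,450.00
1005,C03,1,450.00,450.00
1006,C04,2,5000.00,10000.00
"""
# Batch (control) total reported by the entity for this file (constructed).
CONTROL_TOTAL = Decimal("11024.97")


def run_caat(csv_text, control_total, high_value=Decimal("5000")):
    """Read the extract, re-perform each calculation and collect exceptions."""
    findings = {"recalc_mismatch": [], "duplicates": [], "missing": [],
                "high_value": []}
    seen, file_total = set(), Decimal("0")
    for row in csv.DictReader(io.StringIO(csv_text)):
        number = int(row["invoice_no"])
        recorded = Decimal(row["recorded_total"])
        expected = Decimal(row["qty"]) * Decimal(row["unit_price"])
        file_total += recorded
        if expected != recorded:          # re-performed calculation disagrees
            findings["recalc_mismatch"].append((number, recorded, expected))
        if number in seen:                # same invoice number recorded twice
            findings["duplicates"].append(number)
        seen.add(number)
        if recorded >= high_value:        # select large items for detail testing
            findings["high_value"].append(number)
    if seen:                              # gaps in the invoice number sequence
        full_range = set(range(min(seen), max(seen) + 1))
        findings["missing"] = sorted(full_range - seen)
    # Difference between the file's own total and the entity's batch total.
    findings["control_difference"] = file_total - control_total
    return findings


if __name__ == "__main__":
    for test, result in run_caat(LEDGER_CSV, CONTROL_TOTAL).items():
        print(f"{test}: {result}")
```

On the constructed data, the unexplained difference from the batch total equals the value of the duplicated invoice, which is the kind of lead an auditor would follow up with substantive procedures.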

CAATs, and more specifically audit software, have the potential to enable auditors to recognise the computer as a tool to assist them in the audit process. Audit software gives auditors access to data in the medium in which it is stored, eliminating the boundaries of how it can be audited. Once auditors accept and learn how to use audit software, they will be in a better position to add value in their audit. The greatest barrier to promoting the use of audit software is the failure to recognise opportunities to use it for audit. Understanding and recognising how CAATs can be used, and knowing how to use audit software, is most critical to its effective use.

Using audit software enhances the effectiveness of audit and enables auditors to provide better assurance to their clients. In an increasingly computerised environment, it is critical for the auditor to move from ticks to clicks and learn to harness the power of computers for audit. Using audit software as the tool for auditing digitised data, the auditor can shift focus from time-consuming manual verification procedures to intelligent analysis of data to provide assurance to clients and manage audit risks.

POINTS TO PONDER
  • There has been a rapid development in the use of computers in recent years as a means of producing financial information. As a result, there has emerged from within the accounting profession a group of EDP audit specialists equipped with technical expertise to make an intelligent analysis of complex computer audit situations.
  • It is normal for the auditor to base his approach to an EDP based audit upon two completely separate types of review, i.e., organisational review and system review.
  • Organisational review is the review of the organisational controls within the computer installation itself. This review seeks to examine the internal control within the computer installation. On the other hand, system review is a detailed review of the controls operating within each computer based accounting system. This review seeks to establish that controls operate within each individual system.
  • Adopting computer installation review, the auditor seeks to establish that six key controls operate within the installation. These key controls include controls by management over the activities of the EDP function, controls to ensure the continuing existence of EDP facilities, safeguarding of the client’s records, controls over the data passing through the EDP department, controls over the operation of the computer and controls over the resources, assets and liabilities of the EDP department.
  • Adopting computer system review, the auditor seeks to establish that controls operate within each computer system through documenting the system, evaluating the system, and designing the audit programme.
  • The principles to be employed in designing computer system audit tests are similar to those employed in designing audit tests in respect of manual or mechanised systems. Basically, two types of tests are employed. These are the transaction test and the weakness test.
  • Rapid changes in hardware and software have changed the conceptual approach to auditing in an EDP environment. The auditor must plan whether to use computer to assist the audit or whether to audit without using the computer. These two approaches are commonly known as ‘auditing around the computer’ and ‘auditing through the computer’.
  • Auditing around the computer involves arriving at a conclusion through examining the internal control system for computer installation and the input and output only for application systems. Under this approach, the auditor considers the computer as a black box and as a result the application system processing is not examined directly.
  • Under auditing through the computer, the auditor can use the computer to test the logic and controls existing within the system and the records produced by the system. By examining the system’s processing the auditor can assess the system’s ability to cope with the environment change.
  • CAATs involve the use of computers in the process of an audit rather than limiting it to an entirely manual approach. CAATs are defined as computer-based tools and techniques that help auditors to increase their personal productivity as well as that of the audit function. These are software tools for auditors to access, analyse and interpret data and to draw an opinion for an audit objective.
  • CAATs can be broadly categorised into three groups, which include Generalised audit software (GAS), Specialised audit software (SAS) and Utility software. Using audit software enhances the effectiveness of audit and enables the auditor to provide better assurance to the clients.
REVIEW QUESTIONS

Short-answer Questions

  1. What are the features of an EDP environment that affect the nature, timing or extent of audit procedures?
  2. What do you mean by the term ‘computer assisted audit techniques’? State the factors to be considered before using these techniques.
  3. Describe briefly the common types of computer assisted audit techniques.
  4. Write short notes on:
    1. Batch total
    2. Test data
    3. Check digit
  5. State the primary purpose of generalised audit software.

Essay-type Questions

  1. You have been appointed as the auditor of a company, which maintains its accounts on computers. Write in detail the audit approach that you would follow in the case of the company.
  2. Describe the similarities and differences in the approach of an auditor to conduct audit of accounts maintained manually and those maintained on computers.
  3. State the controls that can be applied over inputs and processing of data in a computerised accounting environment.
  4. Write notes on the following:
    1. Hands on testing
    2. Files library
    3. Auditing around the computer
    4. Utility software.
  5. Describe the steps to be followed in reviewing computer installation.