AUDITING IN A COMPUTERISED ENVIRONMENT iv. The need to have a computer literate audit staff.
iv. The need to have a computer literate audit staff. Most firms now days have the
AUDIT TRIAL
In developing audit procedures the auditors have to understand how the accounting
information system record, classify and summarize data. An audit trial can be described as
the series of cross references that enable the auditor to follow transactions from the start to
the end to check the operation performed at each stage of processing e.g. individual may
manually record sales order on a paper form, authorize credit, prepare invoices and record
the sales in sales journal. In such cases the auditor can follow the transaction from the start
to the end which is referred to as audit trial.
LOSS OF AUDIT TRIAL IN COMPUTERISED ENVIRONMENT
Information technology may affect the fundamental manner in which transactions are
initiated, recorded, processed and reported.
Loss of audit, trial is as a result of the following:-
1. An audit difficulty with advance I.T based system; information systems that while an
audit trial may exist it may not exist in printed form i.e. it may be available only in
machine readable form.
2. Where a complex application system performs a large number of processing steps
audit trial information may not be kept online only for a short period of time then
transferred to a low-cost storage medium (secondary storage)- tapes, diskettes etc.
3. With advent of electronic data interchange (EDI) or e-commerce where source
document are replaced with electronic transactions e.g. in an EDI system a
purchase transaction may be automatically initiated by the client I.T based system
by sending an electronic message (purchase order) directly to the supplier’s
system.
SOLUTIONS TO THE PROBLEMS
1) During the design of I.T based system, management will normally consult with both
its internal and external auditors to ensure that adequate audit trial is built into the
system and retained.
2) Audit trial may consist of computer print outs, documents stored in machine
readable form etc rather than the traditional handwritten source documents e.g. the
journals, ledgers etc.
3) Portion of the audit trial such as the date and the time of the last change in a record
and the person making the change are often stored as part of the on-line records.
4) Emphasis should be placed on coordinating the effects of external and internal
auditors to ensure adequate audit coverage.
BASIC CONSIDERATION BY AN AUDTIOR IN PLANNING FOR AUDIT IN CIS
ENVIRONMENT
i. How to obtain a sufficient understanding of what may be a very complex accounting
and internal control system.
ii. The inherent, control and detection risk and how to assess them.
iii. The design and performance of substantive and compliance tests
1
necessary expertise.
INTERNAL CONTROLS IN CIS (COMPUTER INFORMATION SYSTEM)
i. Establishing a general attitude and environment in which all the relevant personnel
in both computer and other departments are aware of the need for control.
ii. Lay down procedures for setting up all systems and applications. This must involve
full consultation on planning, writing and implementation.
iii. Full documentation and recording of all systems and applications.
iv. The procedures for normal approval and acceptance of all new and changed
applications.
v. Tight control of a system developers and programmers.
vi. Where outside contractors are used there must be adequate definition of system
objectives and full briefing of requirements, adequate testing and implementation
procedures, full documentation and adequate continuing support.
vii. Proper segregation of duties both between computer personnel and other
personnel and within computer departments.
viii. Assess controls such as physical barriers and passwords.
ix. Back-up reconstruction facilities at adequacy of fire precautions etc.
COMPLEXITY OF C.I.S
i. The large volume of transactions processed means that details are inaccessible
ii. Computers automatically generate material transactions e.g. direct debits.
iii. The computer performs complex calculations without demonstrating how it has
been done e.g. interest charged to customers for overdue debts.
iv. Transactions are exchanged electronically (EDI) with other organizations e.g.
customers and suppliers.
v. The organizational inspect of CIS restricts segregation of duties and reduces
supervision.
THE RISK AND CIS
i. Control environment - where management often feel they have no control over an
understanding of transaction and records.
ii. Lack of a transaction trial or audit trial.
iii. Lack of segregation of duties commonly in the past every transaction would
probably be reviewed and processed by several people which is not the case in
CIS.
iv. The potential for fraud and error as result of system or program faults. Once a fault
is in a system, the system processes incorrectly for ever as no human intervention
or review may be included in the controls or the fault may simply not be visible as
processing is not transparent e.g. use of wrong price for the sale of commodities or
using a wrong wage-rate while paying wages and salaries to the employees.
v. The initiation or execution of transactions may be automatic e.g. the system may be
fraudulently programmed to procedure fraudulent transactions.
 vi. Output may not be complete e.g. computer generated totals or list of goods
received and matched with purchase invoices may be incomplete but the manager
reviewing the risk will have no way of knowing this.
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS)
These consist of computer programs used by auditors to perform procedure to get a good
and reliable audit opinion. Those computer programs are written by or for the auditor and
have the capability to analyse data. They are usually written in high level languages to
enable auditors to write these programs quickly and with very few instructions. Also computer
audit programs can be used to recalculate certain items e.g. depreciation charge for the non-
current assets, interest on the bank overdraft.
CIRCUMSTANCES WHEN THE USE OF CAATS WHEN PRFORMING AUDIT
PROCEDURES WOULD BE NECESSARY
i. When the company has recently installed a new computer system
ii. when software has been changed in the past year
iii. When standard software allows the company to change the programs or add
procedures
iv. When there is a significant loss of audit trail in the computer system
v. When the auditor has identified weaknesses in the company accounting software
TEST DATA OR TEST PACKS
This is data devised by the auditor to check the operation of the company’s accounting
system. Under this method only individual programs can be tested i.e. not the entire system.
Test data comprises of both valid data and invalid data.
Valid data is used to check that the company software processes the data accurately.
Invalid data is used to check the company’s software, gives either a warning or rejects the
data.
PARALLEL SIMULATION
This is the extension of the test data. The system is designed at the output stage to handle
the audit test data without unwanted side effects. The auditor uses test data input as part of a
normal run and applies to “dummy” test held on master files.
The weakness of this test is that there is a danger of test data being subject to special
procedures which are not applied to normal transactions.
The method is left in the system to see what happens e.g. a dummy sales record eventually
create an overdue sales ledger balance. The auditor can use the method to carry out regular
testing of the system without using a special test run and indeed without being present during
processing.
The method is used largely to test application control.
EMBEDDED AUDIT FACILITIES
It consists of a module of a computer program written by the auditor which is incorporated
into the client’s computer system either temporarily or permanently.
This technique allows test to be made at the time the data is being processed. It is a real time
auditing.
It is useful where the audit trail is deficient so that historical audit work is difficult to retrieve or
where files especially the master files are constantly being updated regularly.
In real time auditing results are printed out immediately or are copied to secondary storage
and later evaluated by the auditor. The technique may achieve the following objectives.
i. Store information as it is processed for subsequent audit review.
ii. Check the integrity of files which have been processed
iii. Stop and record items which are of special audit interests as previously designed
by the auditor
TAGGING AND TRACING.
This technique involves tagging transactions with an indication e.g. a different color when
they enter into the system. The computer provides the auditor with print out of the details of
the steps in processing tagged transactions. This print out is examined for evidence of an
authorized program steps.
Tagging and tracing is possible when the appropriate logic has been built in the I.T based
system.
APPROACHES TO AUDIT WITH COMPUTERISED ACCOUNTING SYSTEM
There are two:
i. auditing around the computer
ii. auditing through the computer
AUDITING ROUND THE COMPUTER
This means examining evidence for all the items in the financial statements without getting
immersed in the detail of CIS.
The benefit of this approach is that it saves much time and cuts on costs.
The justification is that the computer is 100% accurate in processing transactions i.e. errors
do not occur. The draw back of this technique is that once an application is programmed to
process an item incorrectly then it processes exactly as it programmed i.e. GIGO (Garbage
In Garbage Out).
In this method the auditor concerns himself with the completeness, accuracy and validity of
all the input and matches against the output trying to confirm that for every input there is an
output and vice versa.
Auditing round the computer is only possible where:
i. There is a visible audit trail sufficient for audit purposes
ii. The auditor does not intend placing reliance on controls that can only be verified by
means of CAATS
iii. The auditor fully understands those controls on which reliance is being placed and
both general application of computer operations.