CHAPTER 22

AUDITING IN A COMPUTER INFORMATION SYSTEMS

(CIS) ENVIRONMENT

I. Review Questions

1. Additional planning items that should be considered when computer processing

is involved are:
• The extent to which the computer is used in each significant accounting
application.
• The complexity of the computer operations used by the entity,
including the use of an outside service center.
• The organizational structure of the computer processing activities.
• The availability of data.
• The computer-assisted audit techniques to increase the efficiency of
audit procedures.
• The need for specialized skills.

2. Understanding the control environment is a part of the preliminary phase of

control risk assessment. Computer use in data processing affects this
understanding in each of the parts of the control environment as follows:

The organizational structure – should include an understanding of the

organization of the computer function. Auditors should obtain and evaluate: (a)
a description of the computer resources and (b) a description of the
organizational structure of computer operations.

Methods used to communicate responsibility and authority – should include the

methods related to computer processing. Auditors should obtain information
about the existence of: (a) accounting and other policy manuals including
computer operations and user manual and (b) formal job descriptions for
computer department personnel. Further, auditors should gain an understanding
of: (a) how the client’s computer resources are managed, (b) how priorities for
resources are determined and (c) if user departments have a clear understanding
of how they are to comply with computer related standards and procedures.

Methods used by management to supervise the system – should include

procedures management uses to supervise the computer operations. Items that
are of interest to the auditors include: (a) the existence of systems design and
22-2 Solutions Manual - Principles of Auditing and Other Assurance Services
documentation standards and the extent to which they are used, (b) the existence
and quality of procedures for systems and program modification, systems
acceptance approval and output modification, (c) the procedures limiting access
to authorized information, (d) the availability of financial and other reports and
(e) the existence of an internal audit function.

3. The “audit trail” is the source documents, journal postings and ledger account
postings maintained by a client in order to keep books. These are a “trail” of the
bookkeeping (transaction data processing) that the auditor can follow forward
with a tracing procedure or back ward with a vouching procedure.

In a manual system this “trail” is usually visible to the eye with posting
references in the journal and ledger and hard-copy documents in files. But in a
computer system, the posting references may not exist, and the “records must be
read using the computer rather than the naked eye.” Most systems still have
hard-copy papers for basic documentation, but in some advanced systems even
these might be absent.

4. The audit trail (sometimes called “management trail” as it is used more in daily
operations than by auditors) is composed of all manual and computer records
that allow one to follow the sequence of processing on (or because of) a
transaction.

The audit trail in advanced systems may not be in a human-readable form and
may exist for only a fraction of a second.

The first control implication is that concern for an audit trail needs to be
recognized at the time a system is designed. Techniques such as integrated test
facility, audit files and extended records must be specified to the systems
designer. The second control implication is that if the audit trail exists only
momentarily in the form of transaction logs or master records before destructive
update, the external auditor must review and evaluate the transaction flow at
various times throughout the processing period. Alternatively, the external
auditor can rely more extensively on the internal auditor to monitor the audit
trail.

5. Major characteristics:
1. Staff and location of the computer – operated by small staff located within
the user department and without physical security.
2. Programs – supplied by computer manufacturers or software houses.
3. Processing mode – interactive data entry by users with most of the master
file accessible for inquiry and direct update.

Control Problems:
 Auditing in a Computer Information Systems (CIS) Environment 22-3
1. Lack of segregation of duties.
2. Lack of controls on the operating system and application programs.
3. Unlimited access to data files and programs.
4. No record of usage.
5. No backup of essential files.
6. No audit trail of processing.
7. No authorization or record of program changes.

6. Auditing through the computer refers to making use of the computer itself to test
the operative effectiveness of application controls in the program actually used
to process accounting data. Thus the term refers only to the proper study and
evaluation of internal control. Auditing with the computer refers both to the
study of internal control (the same as “auditing through”) and to the use of the
computer to perform audit tasks.

7. Both are audit procedures that use the computer to test controls that are included
in a computer program. The basic difference is that the test data procedure
utilizes the client’s program with auditor-created transactions, while parallel
simulation utilizes an auditor-created program with actual client transactions. In
the test data procedure the results from the client program are compared to the
auditor’s predetermined results to determine whether the controls work as
described. In the parallel simulation procedures the results from the auditor
program are compared to the results from the client program to determine
whether the controls work as described.

8. The test data technique utilizes simulated transactions created by the auditor,
processed by actual programs but at a time completely separate from the
processing of actual, live transactions. The integrated test facility technique is
an extension of the test data technique, but the simulated transactions are
intermingled with the real transactions and run on the actual programs
processing actual data.

9. User identification numbers and passwords prevent unauthorized access to

accounting records and application programs. The transaction log does not
prevent unauthorized access but may be reviewed to detect unauthorized access.
Even then, responsibility could not be traced to a particular individual without
user identification numbers and passwords. The transaction log is more
important to establish the audit trail than to detect unauthorized access.

10. Generalized audit software is a set of preprogrammed editing, operating, and

output routines that can be called into use with a simple, limited set of
programming instructions by an auditor who has one or two weeks intensive
training.
22-4 Solutions Manual - Principles of Auditing and Other Assurance Services

11.
Phases Noncomputer auditor involvement
1. Define the audit objectively 1. Primary responsibility
2. Feasibility 2. Evaluate alternatives
3. Planning 3. Review with computer auditor
4. Application design 4. none
5. Coding 5. none
6. Testing 6. Review final test results, compare to plan
7. Processing 7. Actual computer processing – none
Use of results – depends on application
8. Evaluation 8. Full responsibility

12. Automated microcomputer work paper software generally consists of trial

balance and adjustment worksheets, working paper (lead schedule) forms, easy
facilities for adjusting journal entries, and electronic spreadsheets for various
analyses.

13. A microcomputerized electronic spreadsheet can be used instead of paper and

pencil to create the form of a bank reconciliation, with space provided for text
lists of outstanding items (using the label input capability), and math formulas
inserted for accurate arithmetic in the reconciliation. Printing such a
reconciliation is easy (and much prettier than most accountants’ handwriting!).

14. With either data base or spreadsheet software packages, macros (sets of
instructions) can be developed for retrieving data from the working trial balance
and converting this data into classified financial statements. If one or more
subsidiaries are to be included, the consolidated process can also be automated
by the inclusion of special modules designed for that purpose. The standard
audit report, as well as recurring footnotes, can be included in the data base, and
modified to fit the circumstances of the current year’s audit results.

15. Relational data base packages have all the advantages of spreadsheets, and, in
addition, have the capacity to store and handle larger quantities of data. They
are especially useful in manipulating large data bases, such as customer accounts
receivable, plant assets, and inventories.

II. Multiple Choice Questions

1. a 5. d 9. b 13. c 17. b
2. c 6. d 10. d 14. a 18. c
3. c 7. c 11. b 15. d 19. d
4. d 8. b 12. b 16. b
 Auditing in a Computer Information Systems (CIS) Environment 22-5

III. Comprehensive Cases

Case 1. a. Auditing “around” the computer generally refers to examinations of

transactions in which a representative sample of transactions is traced from
the original source documents, perhaps through existing intermediate
records in hard copy, to output reports or records, or from reports back to
source documents. Little or no attempt is made to audit the computer
program or procedures employed by the computer to process the data. This
audit approach is based on the premise that the method of processing data is
irrelevant as long as the results can be traced back to the input of data and
the input can be validated. If the sample of transactions has been handled
correctly, then the system outputs can be considered to be correct within a
satisfactory degree of confidence.

b. The CPA would decide to audit “through” the computer instead of “around”
the computer (1) when the computer applications become complex or (2)
when audit trails become partly obscured and external evidence is not
available.

Auditing “around” the computer would be inappropriate and inefficient in

the examination of transactions when the major portion of the internal
control system is embodied in the computer system and when accounting
information is intermixed with operation information in a computer
program that is too complex to permit the ready identification of data inputs
and outputs. Auditing “around” the computer will also be ineffective if the
sample of transactions selected for auditing does not cover unusual
transactions that require special treatment.

c. (1) “Test data” is usually a set of data in the form of punched cards or
magnetic tape representing a full range of simulated transactions, some
of which may be erroneous, to test the effectiveness of the programmed
controls and to ascertain how transactions would be handled (accepted
or rejected) and if accepted, the effect they would have on the
accumulated accounting data.
(2) The auditor may use test data to gain a better understanding of what the
data processing system does, and to check its conformity to desired
objectives. Test data may be used to test the accuracy of programming
by comparing computer results with results predetermined manually.
Test data may also be used to determine whether errors can occur
without observation and thus test the system’s ability to detect
noncompliance with prescribed procedures and methods.
22-6 Solutions Manual - Principles of Auditing and Other Assurance Services
Assurance is provided by the fact that if one transaction of a given type
passes a test, then all transactions containing the identical test
characteristics will – if the appropriate control features are functioning
– pass the same test. Accordingly, the volume of test transactions of a
given type is not important.

d. In addition to actually observing the processing of data by the client, the

CPA can satisfy himself that the computer program tapes presented to him
are actually being used by the client to process its accounting data by
requesting the program of a surprise basis from a computer librarian and
using it to process test data.

The CPA may also request, on a surprise basis, that the program be left in
the computer at the completion of processing data so that he can use the
program to process his test data. This procedure may reveal computer
operation intervention. If, so, ensures that a current version of the program
is being audited, an important procedure in computer installations newly
installed and undergoing many program changes. To gain further assurance
about this matter, the CPA should inquire into the client’s procedures and
controls for making program changes and erasing superseded program
tapes, and should examine log tapes where available.

Case 2. a. Document retention

IMPACT ON THE INTERNAL CONTROL SYSTEM: In on-line real time
systems and EDI systems, the audit trail is frequently modified in the form
of reduced documentation. To compensate, internal controls should provide
for adequate input editing, as well as some form of transaction log as
documentation at the input stage.
IMPACT ON THE INDEPENDENT AUDIT: In examining internal
control, under these circumstances, the auditor must rely more on
observation, inquiry, and reprocessing of transactions for control testing
purposes, and less on document testing. If documents are retained for only
a short period, the auditor should also consider the feasibility of frequent
visits for both substantive and control testing purposes.

b. Uniformity of processing
IMPACT ON THE INTERNAL CONTROL SYSTEM: The impact of this
internal control characteristic is to generally strengthen control by
increasing the consistency of processing. Once the proper controls are
installed and tested, processing consistency increases the accuracy of
transaction processing over that which exists in manual systems.
IMPACT ON THE INDEPENDENT AUDIT: The auditor must emphasize
control study and testing at the point of transaction input and processing to
Auditing in a Computer Information Systems (CIS) Environment 22-7
determine that the necessary controls exist and are functioning. Upon
determining that the necessary input and processing controls are in place
and functioning properly, the auditor may elect to perform little or no
document testing.

c. Concentration of functions
IMPACT ON THE INTERNAL CONTROL SYSTEM: In manual systems,
separation of functional responsibilities provides a double-check for the
purpose of enhancing processing accuracy. In EDP accounting systems,
consistency of processing removes the need for double-check.
IMPACT ON THE INDEPENDENT AUDIT: The auditor must determine
that the necessary input editing controls are in place and functioning to
ensure that transactions are accurately introduced into the processing
stream. Moreover, to ensure checks and balances within the electronic data
processing function, the auditor should study the organizational structure of
the EDP group to ascertain proper separation among the following
functions:
Systems analysis and design
Program design, development, and testing
Computer operations involving data processing
Distribution of EDP output and reprocessing of errors

d. Access to data bases

IMPACT ON THE INTERNAL CONTROL SYSTEM: The greater the
number of input terminals providing access to data bases, and the more
integrated the data base, the greater the danger of unauthorized access. To
protect the data bases under these circumstances, the internal control
policies and procedures should provide for effective control over
identification codes and passwords permitting access to data bases; and the
control policies should also fix responsibility in designated individuals for
specified elements of data bases.

In batch systems, access to magnetic tape and disk files and programs
should be secured by assigning responsibility over these files to one or more
individuals designated as “librarians,” and instituting a formal “checkout”
system for releasing and reacquiring files and programs.
IMPACT ON THE INDEPENDENT AUDIT: The auditor should
determine that proper control over I.D. codes and passwords exists, that
codes and passwords are changed frequently and voided upon termination
of employment, and that responsibility for elements of data bases has been
appropriately fixed.
22-8 Solutions Manual - Principles of Auditing and Other Assurance Services
In batch systems, the auditors should determine that tape and disk files and
programs stored off-line are properly secured.

Case 3. a. Test data approach: The auditor prepares simulated input data (both
valid and invalid transactions) that are processed, under the auditor’s
control, by the client’s processing system.

Advantage: A good way of testing existing controls for proper functioning.

Disadvantage: Difficulty in designing comprehensive test data; Difficulty
in ascertaining whether the programs tested are the same programs used by
the client in processing actual transactions and events during the year.

ITF approach: The auditor creates a fictitious entity within the client’s
actual data files, and processes simulated data during live processing by
client. The auditor then compares the results of processing with anticipated
results.

Advantage: Greater assurance that programs tested are programs used by

the client (the approach can be applied at different points in time during the
year).
Disadvantage: Difficult to remove test data from the system without
harming client’s files.

Tagging and tracing: This is a technique whereby an identifier or “tag” is

affixed to a transaction record; and the tag triggers “snapshots” during the
processing of transactions. Following the tagged transactions through the
system permits the auditor to evaluate the logic of the processing steps and
the adequacy of programmed controls.

Advantage: The use of actual data eliminates the need for removing data
from the client’s processing system.
Disadvantage: The auditor analyzes the transactions only after processing
is completed.

SCARF: A systems control audit review file is an audit log used to collect
information for subsequent analysis and review. An imbedded audit
module monitors selected transactions as they pass by specific processing
points. The module then captures the input data so that relevant
information, accessible only by the auditor, is displayed at key points in the
processing system.

Advantage: Utilizes real- rather than simulated-transaction data, and does

not require reversing the entries.
Auditing in a Computer Information Systems (CIS) Environment 22-9
Disadvantage: Does not necessarily capture erroneous data.

Surprise audit: The auditor, on an unannounced basis, requests copies of

client’s programs, and compares them with auditor’s copy of authorized
versions.

Advantage: Assists the auditor in determining whether client personnel are

using authorized versions of programs in processing data.
Disadvantage: Auditor may not always be notified by the client when
program changes are made, thus making the comparison irrelevant.

b. Inasmuch as each of the above alternatives have distinct advantages and

disadvantages, a combination approach overcomes the disadvantages
resulting from using a single approach. Using ITF, for example on a few
simulated transactions, while applying the tagging and tracing or SCARF
approach for numerous actual transactions, provides effective testing of
control procedures for error prevention and detection, without requiring the
reversal of a large number of simulated transactions from the client’s
system.

c. In auditing around the computer, the auditor predetermines the processing

results (output) of selected input data, and compares the predetermined
results with actual computer output. The advantage of this approach is its
ease of application; a significant disadvantage is that the auditor gains no
understanding of how the computer processes data, nor of the controls
which have been incorporated into the computer programs.

In auditing through the computer, the auditor actually tests the programmed
controls used in processing specific applications. Such techniques as design
phase auditing, ITF, tagging and tracing, SCARF, test data, and surprise
audit are examples of auditing through the computer.

d. Parallel simulation is an automated version of auditing around the computer

in that the auditor creates a set of application programs that simulate the
processing system, and compares output from the real and simulated
systems. Comparison of input with output ignores the essential
characteristics of the processing system and assumes that if the outputs are
identical, the system is processing transactions accurately.

The auditor might elect to use parallel simulation in combination with

design phase auditing. Design phase auditing ensures that the necessary
controls are installed during system design. By permitting the auditor to
test large volumes of transactions, parallel simulation helps to confirm
whether these controls are working.
22-10 Solutions Manual - Principles of Auditing and Other Assurance Services

Case 4. (a) Test decks, also called “test data,” are sets of computer input data
which reflect a variety of auditor-identified transactions for verification
through actual computer processing to detect invalid processing of results
(i.e., existing programs run test data). Ideal test data should present the
application under examination with every possible combination of
transactions, master file situations, and processing logic which could be
encountered during actual comprehensive processing. Test data are usually
processed separately from actual data using copies of master files. Test
decks are most feasible when the variety of transactions processing and
controls is relatively limited (i.e., fairly simple files).

Uses include checking and verifying: (1) input transaction validation

routines, error detection, and application system controls, (2) processing
logic, and controls associated with creation and maintenance of master files,
(3) computational routines such as interest and asset depreciation, and (4)
incorporation of program changes.

(b) Parallel simulation consists of the preparation of a separate computer

application that performs the same functions as those used by the actual
application programs. The simulation programs read the same input data as
the application programs, use the same files, and attempt to produce the
same results (e.g., real data run through test programs). These simulated
results are matched with those from the live programs, providing a means
for testing through comparison.

Uses include all those cited for test decks.

(c) The integrated test facility approach permits the introduction of auditor-
selected test data into a computer system with actual or “live” data and then
traces the flow of transactions through the various system processing
functions for comparison to predetermined actual results. An ITF involves
the creation or establishment of a “dummy” entity (e.g., a branch or
division) to receive the results of the test processing. Therefore,
transactions are processed against the test entity together with actual
transactions. Test data must be removed from the entity’s records upon
completion of the test. Uses are identical to the test deck technique.

(d) Tagging and tracing and SCARF are forms of transaction tracking provided
only for auditor selected computer inputs carrying a special code. If the
capability is provided in the application system in advance, the attachment
of a code to any input transaction can be made to generate a printed
transaction trail for that item following each step of the application
processing.
 Auditing in a Computer Information Systems (CIS) Environment 22-11

Uses include: (1) determining the impact of specific transactions on master

records or calculations in high volume systems, (2) “flagging” unusual or
abnormal transactions, and (3) “debugging” application programs.

Case 5. In an audit of a computer-based system, adequate training and experience

must be directly related to EDP. In particular, the auditor should be
knowledgeable of what computer systems do, how to test the operations of an
EDP system, and how to use EDP-unique documentation.

The training and proficiency standard contributes to satisfaction of the independence

standard by enabling the auditor to make his own decisions and judgments.
Otherwise, he might tend to subordinate his judgment to other persons, possibly
to client personnel. When the auditor lacks training and proficiency, it is
virtually impossible to maintain an operational independence over audit
decisions. An independence of mental attitude is futile if actual decisions are
subordinated to others.

The exercise of due audit care requires a critical review at every level of audit
supervision of the work done and the decisions made by auditors. Lacking the
requisite skills and lacking independent decisions, the due care expected of an
auditor at operational, supervisor, and review levels cannot be delivered.

The Philippine Standards on Auditing require adequate planning and supervision of

assistants. Training and proficiency in computer systems auditing is necessary
in order to plan access to computerized records, programs, and to obtain
machine time for conducting audit procedures. The planning should provide for
an early examination of the computer system so that further procedures
involving non-computer control and accounting features may be planned should
they depend upon computer control procedures.

Training and proficiency are very important for being able to obtain an
understanding of the internal control structure in a computer system. Client
personnel will expect audit personnel to be capable of working with a computer
system.

The Philippine Standards on Auditing also require the auditor to obtain sufficient
competent evidential matter to provide a basis for an opinion on financial
statements. Documentary evidence relating to a computer system includes
program flow charts, logic diagrams, and decision tables that are not normally
used in non-computer systems. Since these types of documentation are a part of
the evidence, they must be understood by the auditor, and understanding of them
comes through training and proficiency in their use.