
Computer Auditing


Auditing & Assurance: Introduction to IT Audit (Part One) Mwamba. Ally. Jingu: FCPA: PhD

Auditing in the IT Environment

In principle, there are no fundamental differences between auditing in an IT environment and auditing in an environment where computers are not used. The use of computers does not in any way affect auditing because:

1. The definition and the nature of auditing are still the same.

2. The purpose of auditing is still the same. The objective of auditing is still to express an opinion on whether the financial statements show a true and fair view.

3. The auditor is still required to comply with auditing standards (see, for example, International Standards on Auditing (ISA) 315).

4. The auditor is still required to collect sufficient appropriate evidence.

Characteristics of the IT system

The way the data is processed. The processing of data in the IT system is not the same as in the manual system. For example, in the IT system the input documents do not contain all the details, such as the signatures for the authorization of purchases or salary payments. Another characteristic of the IT system is a lack of visible transaction trail.


The IT system records data as provided for in the programs. Thus an error in the program will cause consistent and permanent errors in the records unless the program is corrected. Moreover, the computer can be programmed to generate certain transactions automatically. Thus it is important to have strict access controls.

Auditing in a computerized environment has a number of names including: Information Technology (IT) audit; Computer Audit; Information Systems (IS) audit; Automated Data Processing (ADP) Audit. It was formerly called Electronic Data Processing (EDP) audit.

Systems Based Audit


When the auditor is working in an IT environment, it will affect the choice of an audit approach and the way the selected audit approach is implemented. In an IT environment it is most likely that the auditor will adopt a systems based approach. If the auditor adopts a systems based approach in an IT environment, the basic steps to be followed are identical to those used in assessing the manual system. Controls in an IT environment system are classified into three main categories:

(i) Application. These are applied at the level of individual applications (e.g., inventory, payroll etc.). The controls include both manual controls exercised over the manual processes involved in the system and programmed controls performed by the computer itself.

(ii) General Controls. These are applied at the level of the computer centre. They ensure that the computer centre is able to process the work received in spite of risks from natural disasters (fire, flood, etc.) or from malicious or accidental human action.

(iii) Systems Development Controls. These are applied during the development of systems. They ensure that development resources are used efficiently and effectively and that delivered systems meet real business needs.

APPLICATION CONTROLS

Application controls are classified into three categories: (i) Input Controls; (ii) Processing Controls; and (iii) Output Controls: see Figure 1.1. Input controls mean, first, that the transactions sent to the IT department for processing are (a) authorized, (b) accurate, (c) complete, (d) timely and (e) presented only once. Second, any errors detected at the input level must be corrected and resubmitted for processing. Processing controls ensure that the system provides for accurate and timely processing of the input data. Finally, the input controls ensure the outputs are valid.

Figure 1.1: Application controls, divided into Input Controls, Processing Controls and Output Controls

Introduction

In conducting a review of a computerized system, the auditor must know that methods of processing data will vary. Whichever method of processing is used, the auditor should have a clear understanding of the basic controls and safeguards which should apply in all circumstances.

Audit Objectives:

The overall objective of an audit review of a computer system is to review system proposals to ascertain whether they incorporate adequate internal controls, and to ensure that these controls form part of the operational system when implemented and that any system amendments do not invalidate them. This overall objective may be broken into four sub-objectives: (i) input control; (ii) processing controls; (iii) output controls

(I). INPUT CONTROLS

Audit objectives of input controls

Input controls are designed to ascertain whether the system does, as far as is reasonably possible, ensure that the transactions entered into the computer system are:

(i) genuine (authorized),

(ii) complete,

(iii) not previously processed,

(iv) accurate and

(v) timely.

Input controls are crucial because most errors in IT systems come from data entry errors. Notwithstanding the quality of data processing, input errors result in output errors.

1. Input is genuine.

Input controls are designed to ensure that the data entered into the computer system is genuine. To be genuine or authentic, the data that have been input into the computer system should be properly authorized by an appropriate official. Authorization of input data limits the risk of inappropriate input of key financial data.

Key Question: Are there controls to ensure that all data that is input into the computer system is genuine (authentic)?

2. Input is complete.

Input controls are designed to ensure that the data that has been input into the computer system is complete. Completeness of input data means that all the data has been entered in the computer system for processing.

Key Question: Are there controls to ensure that all genuine input is submitted for processing?

3. Accuracy of input data.

Input controls are designed to ensure that the data that have been input into the computer system is accurate (i.e., the data have been entered into the computer system accurately).

Key Question: Are there controls to ensure that all input into the computer system is accurate?

4. Data should be entered into the computer system only once.

Input controls are designed to ensure that data are input into the computer system not more than once.

Key Question: Are there controls to prevent the possibility of duplicate processing?

5. Input is timely.

The data should be entered into the computer system in a timely manner.


Table 1 summarizes the objectives of input controls and gives some examples.

Table 1: A Summary of the Objectives of Input Controls and a Few Examples

No. | Input Control Objective | Example
1 | All input is authorized | Passwords give implicit authority. All input is on an authorized form
2 | The input is complete | All data fields contain an entry. Input forms are sequentially numbered
3 | Input is not duplicated | Input references must be unique. Stamp input documents after input
4 | Input is accurate | Validation routines, optical character reading, manually check input log with source documents
5 | Input is timely | General controls such as timetables
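
The five input-control objectives in Table 1 can be expressed as programmed checks at data entry. The following is an added example, not part of the original notes; the field names, the approver list, the hours limit and the five-day window are assumptions made for the illustration, and the sample batch is constructed.

```python
from datetime import date

# Constructed policy values for this example (assumptions, not from the notes).
AUTHORISERS = {"supervisor01", "manager02"}  # officials allowed to approve input
MAX_HOURS = 60.0                             # validation limit on hours keyed
MAX_AGE_DAYS = 5                             # input must be keyed within 5 days
REQUIRED = ("form_no", "ref", "employee_id", "hours", "authorised_by", "doc_date")


def check_record(rec, seen_refs, entry_date):
    """Return the input-control failures for one input form (empty list = clean)."""
    reasons = []
    # Objective 2 (complete): all data fields contain an entry.
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        reasons.append("incomplete: " + ", ".join(missing))
    # Objective 1 (authorised): approved by an appropriate official.
    approver = rec.get("authorised_by")
    if approver and approver not in AUTHORISERS:
        reasons.append("not authorised")
    # Objective 3 (not duplicated): input references must be unique.
    if rec.get("ref") in seen_refs:
        reasons.append("duplicate reference")
    # Objective 4 (accurate): validation routine on the keyed amount.
    hours = rec.get("hours")
    if hours not in (None, ""):
        if not isinstance(hours, (int, float)) or not 0 < hours <= MAX_HOURS:
            reasons.append("hours invalid")
    # Objective 5 (timely): keyed within the allowed window.
    doc_date = rec.get("doc_date")
    if isinstance(doc_date, date) and (entry_date - doc_date).days > MAX_AGE_DAYS:
        reasons.append("late input")
    return reasons


def check_batch(batch, processed_refs, entry_date):
    """Screen a batch; return (accepted, exceptions, missing_form_numbers)."""
    seen = set(processed_refs)
    accepted, exceptions = [], []
    for rec in batch:
        reasons = check_record(rec, seen, entry_date)
        if reasons:
            exceptions.append((rec.get("form_no"), reasons))  # correct and resubmit
        else:
            accepted.append(rec)
            seen.add(rec["ref"])
    # Sequentially numbered forms: a gap means a form never reached data entry.
    numbers = sorted(r["form_no"] for r in batch if isinstance(r.get("form_no"), int))
    gaps = sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers)) if numbers else []
    return accepted, exceptions, gaps


def form(no, ref, emp, hours, approver, doc_date):
    """Build one constructed input form."""
    return {"form_no": no, "ref": ref, "employee_id": emp, "hours": hours,
            "authorised_by": approver, "doc_date": doc_date}


# Constructed sample batch keyed on 10 January 2024; form 103 is absent.
ENTRY_DATE = date(2024, 1, 10)
SAMPLE_BATCH = [
    form(101, "TS-0001", "E17", 40.0, "supervisor01", date(2024, 1, 8)),
    form(102, "TS-0001", "E18", 38.0, "manager02", date(2024, 1, 9)),   # reused ref
    form(104, "TS-0003", "", 400.0, "clerk09", date(2024, 1, 2)),       # four faults
    form(105, "TS-0004", "E20", 45.5, "manager02", date(2024, 1, 9)),
]

if __name__ == "__main__":
    accepted, exceptions, gaps = check_batch(SAMPLE_BATCH, set(), ENTRY_DATE)
    print("accepted forms:", [r["form_no"] for r in accepted])
    for form_no, reasons in exceptions:
        print("exception", form_no, reasons)
    print("missing form numbers:", gaps)
```

Rejected forms are returned with their reasons rather than silently dropped, which matches the requirement that errors detected at the input level be corrected and resubmitted.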

(II). PROCESSING CONTROLS

Processing controls prevent and detect irregularities as transaction data are processed. Specific application processing controls are often programmed into software to prevent, detect and correct processing irregularities. They ensure that each transaction is appropriate for processing.

Audit Objectives of processing controls

The main objective is to ensure that:

(i) correct data and correct program files are used, that

(ii) all data is processed in a secure manner,

(iii) all data is accounted for and written to the appropriate file and that

(iv) data conforms to predetermined standards or falls within specified parameter values, for example, determine whether data exceeds pre-specified amounts (e.g. maximum salary or hours)

Key Questions - Processing Controls

- Are there controls to ensure that all data is processed?

- Are there controls to ensure that all processing is accurate?

- Are there controls to ensure that all processing is authorized?

- Are there controls to ensure that correct data and program files are used in processing?


Table 2 summarizes the objectives of processing controls and gives some examples.

Table 2: A Summary of the Objectives of Processing Controls and a Few Examples

No. | Processing Controls Objectives | Examples
1 | All data is processed | Calculate control totals, comparison of input and output
2 | All processing is accurate | Strong general controls over program amendments are critical for effective processing. Exception reports.
3 | On-line processing is authorized | Password control, review authorized activity log.
4 | Correct program and data files are used | Program procedures to identify files. Validation routines. General controls over file handling
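
The control totals and exception report named in Table 2 can be shown on a payroll batch. This is an added example, not part of the original notes; the voucher layout, the field names and the salary limit are assumptions, and the vouchers are constructed. It compares totals taken when the batch was submitted with totals of what was actually processed, so a batch that is run twice shows up at once.

```python
from collections import Counter
from decimal import Decimal

MAX_SALARY = Decimal("2000000")  # constructed limit for the exception report


def control_totals(records):
    """Record count, batch (money) total and hash total for a set of vouchers."""
    return {
        "record_count": len(records),
        "batch_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: sum of a non-money field; meaningless in itself, but it
        # changes if a voucher is dropped, repeated or posted to another employee.
        "hash_total": sum(int(r["employee_no"]) for r in records),
    }


def reconcile(input_batch, processed, limit=MAX_SALARY):
    """Compare totals taken at input with totals of what was actually processed."""
    expected, actual = control_totals(input_batch), control_totals(processed)
    counts = Counter(r["voucher_no"] for r in processed)
    submitted = {r["voucher_no"] for r in input_batch}
    return {
        # (expected, actual) for every control total that does not agree
        "differences": {k: (expected[k], actual[k])
                        for k in expected if expected[k] != actual[k]},
        "processed_twice": sorted(v for v, n in counts.items() if n > 1),
        "not_processed": sorted(submitted - set(counts)),
        "not_submitted": sorted(set(counts) - submitted),
        # Limit check: amounts above the pre-specified maximum
        "over_limit": sorted({r["voucher_no"] for r in processed
                              if Decimal(r["amount"]) > limit}),
    }


# Constructed payment vouchers for one payroll batch.
BATCH = [
    {"voucher_no": "PV-001", "employee_no": "1001", "amount": "850000.00"},
    {"voucher_no": "PV-002", "employee_no": "1002", "amount": "920000.00"},
    {"voucher_no": "PV-003", "employee_no": "1003", "amount": "7800000.00"},  # keying error
]

if __name__ == "__main__":
    print(reconcile(BATCH, BATCH))          # single run: totals agree
    print(reconcile(BATCH, BATCH + BATCH))  # batch run twice: every total doubles
```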

(III). OUTPUT CONTROLS

Output includes reports, cheques, documents, and other printed or displayed information.

Controls over output from the computer systems are important application controls. The main concern here is that computer output

Output controls focus on detecting irregularities after processing is completed, rather than preventing irregularities. The most important output control is review of data for reasonableness.

Audit objectives of output controls.

The main objective is to ensure that all expected output is produced and that:

(i) it is complete,

(ii) it appears reasonable and that it is not corrupted and is not lost,

(iii) it serves a useful purpose and is distributed on time,

(iv) confidentiality is maintained as necessary, that is, privacy is not violated, and

(v) it is distributed to intended recipients, that is, it is not misdirected.
is,

Exposures to such irregularities may cause serious disruptions to operations and may result in financial losses of the company. For example, if the cheques produced by the company's cash disbursement system are lost, misdirected or destroyed, the company's bills may go unpaid. This could damage the company's integrity and credibility.

Key Questions - Output Controls

- Are there controls to ensure that all expected output is produced? (completeness)

- Is output distributed promptly and secured to authorized or intended recipients only?

- Is output accurate?

Summary of Applications Controls


Application controls are those controls that relate to the scope of individual business processes or application systems, including data edits, separation of business functions, balancing of processing totals, transaction logging, and error reporting.

Thus, the objective of application controls is to make sure that:

• Input data is accurate, complete, authorized, and correct.

• Data is processed appropriately and as timely as intended.

• Data stored is accurate and complete.

Three types of application controls exist. These include:

• Input Controls - These controls are used mostly to check the integrity of data entered into a business application.

• Processing Controls - These controls provide an automated means to ensure processing is complete, accurate, and authorized.

• Output Controls - These controls address what is done with the data and should compare output results with the intended result by checking the output against the input.

MASTER FILE CONTROLS


A master file is the main file that contains relatively permanent records about particular items or entries. For example, a customer file will contain details of a customer such as customer ID, name and contact address. Examples of master files: (i) sales ledger. This is for customers' personal accounts (the accounts receivable); (ii) purchase ledger. This is for suppliers' personal accounts (the accounts payable) and (iii) general ledger.

The purpose of master file controls is to ensure the ongoing integrity of the standing data contained in the master files. It is very important that strict 'security' controls are exercised over all master files. These include:

1. Appropriate use of passwords, to restrict access to master file data

2. The establishment of adequate procedures over the amendment of data,

3. Comprising appropriate segregation of duties, and authority to amend being restricted to appropriate responsible individuals

4. Regular checking of master file data to authorised data, by an independent responsible official



5. Processing controls over the updating of master files, including the use of record counts and
control totals
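
The regular checking of master file data against authorised data, together with the segregation-of-duties and authority-to-amend points above, can be automated as a comparison between the last independently approved copy of the file and the current file. This is an added example, not part of the original notes; the price-file layout, the amendment log fields and the user names are assumptions, and the data is constructed.

```python
# Constructed: officials with authority to approve price amendments.
APPROVERS = {"pricing_mgr"}


def review_master_file(approved, current, amendment_log):
    """List every difference between the approved copy and the current master
    file that is not explained by a properly authorised amendment.

    approved / current: {product_id: price}
    amendment_log: dicts with product, new_price, keyed_by, approved_by
    """
    latest = {a["product"]: a for a in amendment_log}  # last entry per product
    findings = []
    for key in sorted(set(approved) | set(current)):
        old, new = approved.get(key), current.get(key)
        if old == new:
            continue  # standing data unchanged since the last check
        entry = latest.get(key)
        if entry is None or entry["new_price"] != new:
            reason = "no matching amendment record"
        elif entry["approved_by"] not in APPROVERS:
            reason = "approver lacks authority"
        elif entry["approved_by"] == entry["keyed_by"]:
            reason = "no segregation of duties"
        else:
            continue  # change is supported by an authorised amendment
        findings.append((key, old, new, reason))
    return findings


# Constructed product price file as last approved by the independent official.
APPROVED = {"P-100": 1000, "P-200": 2000, "P-300": 3000, "P-400": 4000}

# Constructed current file: every price has moved since the approved copy.
CURRENT = {"P-100": 900, "P-200": 2200, "P-300": 2700, "P-400": 3600}

# Constructed amendment log kept outside the application.
AMENDMENT_LOG = [
    {"product": "P-200", "new_price": 2200,
     "keyed_by": "clerk04", "approved_by": "pricing_mgr"},   # properly authorised
    {"product": "P-300", "new_price": 2700,
     "keyed_by": "clerk04", "approved_by": "clerk04"},       # clerk approved own change
    {"product": "P-400", "new_price": 3600,
     "keyed_by": "pricing_mgr", "approved_by": "pricing_mgr"},  # keyed and approved
]

if __name__ == "__main__":
    for finding in review_master_file(APPROVED, CURRENT, AMENDMENT_LOG):
        print(finding)
```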

INTERACTIVE QUESTIONS

QUESTION ONE

i Application controls include all of the following except

A IT input control
B IT processing control
C IT master file control
D IT output control

ii The objectives of IT Input Control include all of the following except

A Ensure that source documents are prepared by authorised and qualified personnel

B Ensure that data input is performed in a timely manner by authorised and qualified staff.

C Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels

D Ensure that the correct data and program files are used, that all data is processed in a secure manner, accounted for and written to the appropriate file

iii IT Processing control includes all of the following except

A Ensure that all data is processed in a secure manner
B Ensure that the correct data and program files are used
C The data have been entered into the computer system accurately
D Ensure that all data is processed and that data conforms to predetermined standards

iv The objectives of the IT Output Control include all of the following except

A All the data has been entered for computer processing

B All output is reviewed for reasonableness and completeness before distribution

C Procedures for the distribution and collection of output should ensure confidentiality

D All output reports should be clearly titled, dated and have page numbers

v The purpose of the IT master file control is to ensure the ongoing integrity of the standing data contained in the master files. The objectives of Master file control include all of the following except

A Appropriate use of passwords, to restrict access to master file data
B The establishment of adequate procedures over the amendment of data
C Regular checking of master file data to authorised data, by an independent official
D Ensure that all expected output is produced, that it is complete and appears reasonable.

vi An example of input control is



A Making sure that output is distributed to proper persons


B Monitoring the work of programmers
C Recalculating an amount to ensure its accuracy

D Collecting accurate statistics of historical transactions while gathering data

QUESTION TWO

The following represent irregularities that could occur in a computerized environment. For each irregularity, identify control procedures that would have been effective in either preventing or detecting the irregularity.

i A deposit for Julius A. Kingu at the local bank was by mistake recorded as a deposit in the account of Julius A. Jingu

ii Duplicate payments were prepared for all employees of the accounts section in Tanya & Co for the month ended December, 2023. This occurred because the data processing department processed the data payment vouchers twice

iii An individual in the accounts section gained access to the products master file and, in an attempt to change prices for one customer, inadvertently changed prices for the products identified for all customers

iv A customer order was filled and sent to a former customer, who had already declared bankruptcy

v The selling price for all products handled by a company sales person was consistently reduced by 25% by a sales person. The sales manager did not authorize the sales person to reduce prices from a price list

vi A customer number was transposed during the order-taking process. Consequently, the sales were billed to another person. By the time the original customer was identified, the original customer was out of business

vii The accounts receivable clerk, who also operated the company's personal computer, took cash remittances and recorded the credit to the customer's account as a discount.

viii A disgruntled programmer often came to the office in the evenings to copy confidential client data such as customer lists, discounts, and so forth on the magnetic tapes, which he sold to competitors at handsome prices

ix A computer programmer added a module to the payroll program that started with an "IF" statement to identify his employee number. If it were his record, the program was instructed to multiply computed pay by 1.5, thus increasing the programmer's pay by 50%


x The social services department made support payments to poor students. A poor student could be input into the system on recommendation of "warden or matrons". Some wardens and matrons entered fictitious students on the system and had support payments sent to authorized addresses. The wardens and matrons then cashed the support payments and eventually transferred the cash to their own accounts

SOLUTION TO QUESTION TWO


i Input controls were either missing or were weak and thus ineffective.
The data that have been input into the computer system was not accurate. The deposit was supposed to be credited into the account of Julius A. Kingu and not in Julius A. Jingu

ii Processing controls were either missing or were weak and thus ineffective.
The double payment transaction was not appropriate. There were no controls to ensure that all processing is accurate (appropriate). Processing controls could have prevented or detected and corrected the processing irregularity

iii Master file controls were either missing or were weak and thus ineffective.
Access to the master files should be restricted to appropriate personnel and not to any person including those from the accounts section. Moreover, authority to amend a product master file should be restricted to appropriate individuals responsible for the master file.

iv Input controls were either missing or were weak and thus ineffective.
The data was not entered into the computer system timely

v Input controls were either missing or were weak and thus ineffective.
The reduction of sales price was done by the sales person who had no authority to do so. To be genuine, the reduction in sales price should have been allowed by the sales manager who had authoritative powers.

vi Input controls were either missing or were weak and thus ineffective.
A customer number was inaccurately entered into the computer system. There were no controls to ensure that all input into the computer system is accurate

vii Input controls were either missing or were weak and thus ineffective.
The trade discount entered in accounts receivable was not appropriate as there was no discount at all. Therefore, there were no controls to ensure that all input into the computer system was accurate

viii Master file controls were either missing or were weak and thus ineffective.
Access to the master files should be restricted to appropriate personnel and not to any other person including computer programmers.


ix Processing controls were either missing or were weak and thus ineffective.
The computer programmer manipulated the computer programs, making his pay increase by 50%. There were no controls to ensure that correct data and correct program were used in processing

x Input controls were either missing or were weak and thus ineffective.
Some wardens and matrons entered fictitious students on the system and had support payments sent to authorized addresses. Therefore, there were no controls to ensure that all input into the computer system was accurate

QUESTION THREE (20 Marks): IFM, BAC 3; BAIT 3 BTX 3 Final Exam Modified

(a) Application controls are manual or automated procedures that typically operate at a business process level and apply to the processing of transactions by individual applications. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records. Application controls are divided into the following three control categories: input controls, processing controls and output controls.

Required

(i) Mention any five audit objectives of input Controls (2.5 marks)

(ii) Mention any four audit objectives of processing Controls (2 Mark)

(iii) Mention any five audit objectives of output Controls (2.5 Marks)

(iv) Mention any four audit objectives of master file Controls (2 Marks)

(b) There are two approaches to auditing in an electronic data processing (EDP) environment: (i) black box approach, and (ii) white box approach.

Required

(i) Explain what is meant by each of the two approaches above. (7 marks)

(ii) When is it suitable to use auditing around the computer? (4 marks)

APPROACHES TO COMPUTER AUDITING


There are two main approaches to IT audit: auditing around the computer and auditing through the computer

Black box approach (Auditing around the computer)



Auditing around the computer means that processing done by the computer system need not be examined, because the auditor expects that sufficient appropriate audit evidence can be obtained by comparing inputs with outputs. In simple words, evidence is obtained and conclusions are drawn without considering how inputs are being processed to provide outputs. The auditor carries out his audit work in the same way as in a manual audit system, with one difference: the auditor examines computer printouts instead of handwritten books of account. He or she concentrates on input and output and ignores the data processing. This approach is more often known as the black box audit approach. Most often this approach is used either because:

• processing done by the computer is too simple, e.g. casting, sorting etc.

• the auditor is already aware of the software's reliability. This is the case with most off-the-shelf software used by the client without any in-house alteration, which thus need not be checked.

• the auditor has no means to gain an understanding of the computer system and thus resorts to this approach. This situation can arise out of circumstances including:
  - lack of appropriate system documentation
  - the auditor lacks expertise or skills to understand or use the computer system for auditing purposes
  - the auditor is not given access to the computer system at the level required

The audit around the computer approach is used in situations when the auditor is of the opinion that the computer system is reliable, and often a comparison of inputs (i.e. source documents) to outputs (i.e. financial reports) is done, which in the auditor's judgement is enough.

For this reason, relying too much on this approach is not recommended for important aspects of the audit, especially where assessed risk is high, as this may result in an ineffective audit and in the end the auditor may express an inappropriate audit opinion.

Advantages of Auditing Around the Computer

i. Simple and straightforward approach which can be easily understood by anyone.

ii. Extensive knowledge of the computer and data processing is not required for the auditor.

iii. Cost of audit resources is generally low.

Disadvantages of Auditing Around the Computer

i. Ignores the system of controls and hence fails to recognize potential weakness with the system.

ii. The auditor fails to utilize the full potential of the computer to assist him or her.

iii. Increased printing expenses because of the enormous print-out requirements of the auditor.


Auditing through the computer (White box approach)

When auditing through the computer, auditors follow the audit trail through the internal computer operations in order to verify that the processing controls that are incorporated in the AIS programs are functioning properly. Additionally, it attempts to validate the accounting data being processed. The auditor assumes that the CPU and additional hardware are functioning properly.

The five techniques used in auditing through the computer include: use of test data, integrated test facility and parallel simulation to test programs; use of audit techniques to validate computer programs; use of logs to review systems software; use of documentation and CAATs to validate user accounts and access privileges; and use of embedded audit modules to achieve continuous auditing.
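
Two of the techniques listed above, test data and parallel simulation, can be compared on the payroll irregularity from Question Two (ix). This is an added example, not part of the original notes; the function names, the pay rule (hours x rate with a 60-hour limit) and all records are assumptions constructed for the illustration. It shows why the two techniques are complementary: dummy test transactions pass, while reprocessing the live records through the auditor's own program exposes the one affected employee.

```python
from decimal import Decimal

MAX_HOURS = Decimal("60")  # documented limit check (constructed value)


def client_payroll(emp_no, hours, rate):
    """Stand-in for the client's production program (constructed). It carries
    the unauthorised module described in Question Two (ix)."""
    hours, rate = Decimal(hours), Decimal(rate)
    if not 0 < hours <= MAX_HOURS:
        raise ValueError("hours outside permitted range")
    pay = hours * rate
    if emp_no == "E0042":          # the planted IF statement
        pay *= Decimal("1.5")
    return pay


def auditor_model(emp_no, hours, rate):
    """Auditor's own program, written independently from the documentation."""
    hours, rate = Decimal(hours), Decimal(rate)
    if not 0 < hours <= MAX_HOURS:
        raise ValueError("hours outside permitted range")
    return hours * rate


def run(program, emp_no, hours, rate):
    """Run one transaction; None means the program rejected it."""
    try:
        return program(emp_no, hours, rate)
    except ValueError:
        return None


def run_test_data(program, cases):
    """Test data: dummy transactions with predetermined results."""
    return [(emp, expected, run(program, emp, hours, rate))
            for emp, hours, rate, expected in cases
            if run(program, emp, hours, rate) != expected]


def parallel_simulation(program, model, live_records):
    """Reprocess live data through the auditor's model and report differences
    as (employee, auditor's figure, client's figure)."""
    return [(emp, run(model, emp, hours, rate), run(program, emp, hours, rate))
            for emp, hours, rate in live_records
            if run(model, emp, hours, rate) != run(program, emp, hours, rate)]


# Constructed test data: one valid case and two that must be rejected (None).
TEST_CASES = [
    ("T0001", "40", "5000", Decimal("200000")),
    ("T0002", "61", "5000", None),
    ("T0003", "0", "5000", None),
]

# Constructed extract of the live payroll file.
LIVE_RECORDS = [
    ("E0041", "40", "5000"),
    ("E0042", "40", "5000"),
    ("E0043", "45", "4000"),
]

if __name__ == "__main__":
    print("test data failures:", run_test_data(client_payroll, TEST_CASES))
    print("parallel simulation differences:",
          parallel_simulation(client_payroll, auditor_model, LIVE_RECORDS))
```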

Advantages of auditing around the computer

1. Examination of data is more rapid;

2. Examination of data is more accurate;

3. The only practical method of examining large amounts of data;

4. Gives the auditor practical acquaintance with live files;

5. Provides new opportunities to the auditor;

6. Overcomes in some cases a loss of audit trail;

7. Relatively cheap to use once set up costs have been incurred;

Disadvantages of auditing around the computer

1. Can be expensive to set up or acquire.

2. Some technical knowledge is required.

3. A variety of programming languages is used in business. Standard computer audit programs may not be compatible.

4. Detailed knowledge of systems and programs is required. Some auditors would dispute the need for this detailed knowledge to be gained.

5. Difficulty in obtaining computer time, especially for testing

QUESTION FOUR (12 Marks)

(i) Mention two approaches to auditing in the IT environment (1 Mark)

(ii) What is meant by auditing around the computer? (2 marks)

(iii) What is meant by auditing through the computer? (2 Marks)

(iv) Mention any 5 advantages and 3 disadvantages of auditing through the computer (4 marks)

(v) Mention 3 advantages and 3 disadvantages of auditing around the computer (3 marks)
