COMPUTER BASED ACCOUNTING SYSTEMS AND THEIR CONTROLS

CONTENTS

1. Introduction to Computer Accountancy Systems.

2. Introduction to Computers and the way they process data.

3. Programs & Operating Systems.

4. Introduction to Computer Control.

Types of controls in a computerized system.

(a) General controls.

• System development controls.

• Organisational controls.

• Access controls.

• Other controls.

(b)Application controls.

• Input controls.

• Processing controls.

• Output controls.

5. Auditing in a Computerised Environment.

• Planning the audit in a computerised environment.

• Testing the internal controls in a computerised environment.

• Substantive testing in a computerised environment.

6. The auditor’s Approach

7. Auditing around the computer

8. Auditing through the computer

9. Real time and On-line Systems

1. INTRODUCTION TO COMPUTER ACCOUNTING SYSTEMS

Computers are sometimes described as:

(a) Mainframe

(b) Mini

(c) Micro

A Mainframe Computer is one that can undertake many tasks simultaneously and will be linked to many
different input and output devices.

A Micro Computer is intended to be used by one operator for one task at a time, and comes bundled
with a limited range or Visual Display Unit (VDU). However, modern microcomputers are far more
powerful than mainframe computers and if linked together in a network they can form a basis of a
sophisticated computer accounting system. Due to invention of increasingly powerful microcomputers
the term mini computers has disappeared.

Computerized accounting systems fall into 2 broad types.

1. Centralized systems: Where processing of data takes place in a specialised computer

department.

2. Distributed systems: Where processing of data takes place in the user computer
department.

These 2 types are not mutually exclusive. Therefore in centralised systems, data may bepartly
processed in the user departments using remote terminals; and in distributed systems, the user
department computers may be linked or networked with some of the data being further processed
centrally.

In smaller businesses there is often a single micro computer, which is used for all accounting routines
and is located within the general accounts office. For audit purposes this is regarded as a distributed
system as the computer is operated by accounts personnel rather than specialist computer personnel.

2. INTRODUCTION TO COMPUTERS AND THE WAY THEY PROCESS DATA

A computer system requires procedures to: -

i. Convert the data to machine-readable form.

ii. Input the data into the computer.

iii. Process the data.

iv. Store the data in machine-readable form.

v. Convert the data into a desired output form.

For these procedures, a mixture of hardware and software is needed. The hardware will consist of:

a) Input

b) Processing

c) Storage &

d) Output devices.

Input devices will include: Keyboards, optical readers, and bar code scanners

Processing devices are the computers themselves.

Storage devices include: Hard disk, diskettes, and magnetic tape

Output devices include: Visual Display Unit (VDU’s), printers.

The software consists of programmes and operating systems. These contain the instructions that
determine how data is to be processed, organised and stored in computer files and then output.

Computer Files

These are the equivalent of books and records in a manual system and are described either as:

Transaction files

Master files.

Transaction Files

Are the equivalent of journals such as the sales journal or the purchases journal or the cashbook. They
contain details of individual transactions, but unlike books, a transaction file is not a cumulative record.
A separate file is set up for each batch. Thus in real time systems, a transaction file is not necessary, but
good systems will always create a transaction file for control purposes to provide a security back-up, in
case of errors or computer malfunctions during processing of data to master file.

Master Files

These contain what is referred to as standing data. They may be the equivalent of ledgers but may also
contain semi-permanent data needed to process transactions e.g. a debtors master file will be the
equivalent of debtors ledger but will also include data that in a manual system may be kept separately
such as invoicing address, discount terms and credit limits, even non-accounting data e.g. cumulative
analysis of sales to that customer.
When such master files are up-dated by processing them against a transaction file, the entire contents
of the file are usually re-written in a separate location so that after processing, the 2 files can be
compared and differences agreed to the control total on the Transaction file. Any errors in updating the
master file will thus be detected and the process repeated. In practice, the old copy of the master file
and transactions file are retained until the master file is updated once again. This is the grandfather-
father-son approach. If the current master file is corrupted or lost due to machine or operator error,
previous versions provide back up from which the master file can be re-created. Master files holding
semi-permanent data would in the case of debtors system include current sales price list and in the case
of personnel department, a personnel file giving details of wage rates, authorised deductions and
cumulative record of amounts paid to date for the purpose of providing tax certificates.

A special class of transactions are those amending standing data held in the master file such as sales
price and wage rate. These transactions require special control consideration because an error in such
data held in a master file will cause errors in all transactions processed against the master file e.g. an
item mis-priced in sales price list will mean all sales will be charged to customers at the wrong price.

3. PROGRAMS & OPERATING SYSTEMS

Programs are the instructions telling the computer how each type of transaction is to be processed.
These instructions include routines of checking & controlling data matching data with master files and
performing mathematical operations on the data, e.g. for a sales transactions. Matching routines will
enable the computer to identify the right sales price from the sales price master file and the right
customer from debtors master file, mathematical routines include calculating the total debtors amount
and updating customer’s balance on the debtors’ master file.

Operating Systems

Relate to a series of related programs to provide instructions as to what files are required to be on-line,
what output devices are required to be ready and what additional files need to be created for further
processing e.g. with a batch of sales transactions, the sales price file and the debtors file need to be on-
line. The printer must be loaded with blank invoice forms and the totals must be retained for posting to
the sales and debtors control accounts in the general ledger master file.

An operating system will also provide details of further processing runs within the same system. So, for
example, in sales these will include updating the general ledger, processing cash receipts and

credit notes to the debtors file, printing out monthly statements and printing out an analysis of due
accounts for credit control purposes.
In a batch processing system, the operating system may consist of a set of instructions provided to the
operator but increasingly the operating system is part of the computer software such that with real time
system, the computer identifies source of an incoming signal, and automatically processes that
transaction using the appropriate programs and the right file.

Documentation

Each system should be fully documented. This documentation should include:

i. The initial specification, objectives and authorisation of the system.

ii. Overall flowchart of the flow of information through the system including the manual
procedures.

iii. An indication on the flowchart of the programs and files involved in the system.

iv. For files, the contents of each file and the way the data is stored within the file.

v. For programs, a logic flowchart as well as complex details.

vi. Copies of input and output documents.

vii. Operator instructions including error messages.

viii. Data used in testing the system and the results.

ix. Changes in the system and any of the component parts and the authorisation of the changes.

4. INTRODUCTION TO INTERNAL CONTROLS IN COMPUTERISED INFORMATION

The main features of a computerized information system which requires the implementation of
adequate alternative controls, which could pose additional challenges to the auditor include:

a. Consistency

If properly programmed computer will process transactions consistently accurately and likewise if there
is a programming error this will affect all transactions processed.

The auditor must test the system to ensure that it is processing transaction correctly.

b. Concentration of function and controls

Due to the use of computers few people are involved in the processing of financial information. This
results in weak internal controls and in particular poor segregation of duties. Certain data processing
personnel maybe in a position to alter programs or data while stored or during processing. Many control
procedures that would be performed by separate individuals in a manual system may be concentrated
under one person in CIS.
c. Programs and data are held together increasing the potential for unauthorized access and
alteration.

Computer information systems are designed to limit paper work. This results in less visible evidence.
Data may be entered directly into the computer system without supporting documents e.g. in some
online systems a sales transaction may be initiated through the computer without a sales order being
raised, the amount is then directly charged to the customer’s account without a physical invoice being
raised.

d. Lack of visible transaction trail/ loss of audit trail.

An audit trail refers to the ability to trace transactions through the system by examining source
documents, books of accounts and the financial statements. This is possible in a a manual system where
various stages of a transaction are evidenced by physical documents are maintained in magnetic files
which are overwritten over time. This results in loss of visible audit trail.

e. Lack of visible output

In some CIS systems the results of transaction processing are not printed out, only the summary data
may be printed. This data can only be accessed through the machine.

f. Ease of access of data and computer programs

Where there are no proper controls over access to computers at remote terminals there is increased
danger for unauthorized access to and alteration of data and programs. This could result in fraud or
manipulation of accounting records.

g. Programmed controls

in CIS environment controls are programmed together with data processing instructions. E.g. protection
of data against unauthorized access maybe by way of passwords or computer programs containing limit
checks.

h. A single input to the accounting system may automatically update all records associated with
the transaction e.g. when a credit sale is made on line the system will credit the sales account, reduce
the stock levels and debit the debtors account simultaneously. Thus an erroneous entry in a system
creates errors in the various affected ledgers.

i. Data and programmes are usually stored in portable magnetic disks and tapes, which are
vulnerable to theft, loss, and intentional and accidental destruction.

j. Systems generated transactions

many systems are capable of generating transactions automatically without manual intervention e.g.
calculation of interest on customers’ accounts maybe done and charged to income automatically. This
lack of authorization and documentation can result in significant misstatement or errors in financial
statements.
Internal controls in a CIS environment

Internal controls over computer processing include both manual procedures and procedures built into
the computer programs. These controls can be divided into:

a) General controls

b) Application controls

General controls

These are controls, which relate to the environment within which computer-based accounting systems
are developed, maintained and operated aimed at providing reasonable assurance that the overall
objectives of internal controls are achieved. These controls could either be manual or programmed.

The objectives of general controls are to ensure proper development and implementation of
applications and the integrity of program and data files and of computer operations. General controls
will be considered under the headings of:

1. Systems development controls

2. Organisational controls.

3. Access controls

4. Other controls

a. Systems development controls

These relate to:

1. Review, testing and approval of new systems.

2. Parallel running

3. Program changes

4. Documentation procedures.
Review, testing and approval of new system

The basic principles of these controls are that:-

a. Systems design should include representatives of user department, accounting department and
internal audit.

b. Each proposed system should have written specifications that are approved by management
and user department.

c. Systems testing should involve both user and computer department.

d. The computer manager, the user department, dbase administrator and the appropriate level of
management should give final approval to the new system before it is placed under operation and offer
reviewing the completeness of documentation and results of testing.

Program Changes

Similar requirement apply to changes as well as to new systems although the level of testing and
authorisation will vary with the magnitude of changes. It is particularly important that the
documentation be brought up to date. A common cause of control breakdown is the unsuspecting
reliance of new staff on out of date documents.

Documentation Procedures

Adequate documentation is important to both the auditor and management.

For management documentation provides a basis for:

i. Reviewing the system, prior to authorisation

ii. Implementing smooth personal changes and avoiding the problem that key employees might
take with them all the knowledge on how the system works.

iii. Reviewing existing systems and programmes.

iv. For the auditor documentation is necessary for preliminary evaluation of the system and its
control.
Parallel running

Before switching to the new system, the whole system should be tested by running it parallel with the
existing system. Parallel running refers to running the new and old system along each other for a
specified period of time say month. This is important because;

a) It provides the users with the opportunity to familiarise themselves with the new system while
still having the old system available to compare.

b) Provides for an opportunity for the programmers to sort out any problems with the new system.

b. Organisational controls

These relate to: -

a. Segregation of functions.

b. Policies and procedures relating to control functions.

Segregation of functions

The principal segregation in a centralised system is between the user and computer departments.
Those who process the data should have no responsibilities for initiating or altering the data. The
following segregation’s are important:

1. The computer department manager should report to an executive who is not regularly involved
for authorising transactions for computer processing.

2. Computer staff should not correct errors in input data.

3. Computer staff should not initiate transactions or have custody of resulting assets.

4. Within the computer department there should be segregation of duties along the

Following lines.

Job title and responsibilities

1. The computer department manager responsibility exercises overall control over

running of the department.

2. Systems analyst responsibility: Monitors existing systems, designs new systems

and prepare specifications for programmers.

3. Programmer: Responsibility: Develops, debugs and documents programs.

4. Computer operator: Operates the computer in accordance with operating

instructions.
5. Data entry operator: Keys input data into the computer.

6. Librarian: Maintains custody of systems documentation and off line programs and files.

7. Data control group: This co-ordinates activities between the computer department and the user
department and monitor and control input and output.

8. Database administrator: Designs the contents and organisation of the dbase and
access to the dbase.

Policies and Procedures relating to control functions

A particular worry is that the operation of program controls could be interfered with during the running
of the system by someone with necessary skills. For these reasons:

a. Programmers and systems analysts should not be allowed to operate the computer except for
testing purposes.

b. Operators duties should be rotated so that the same operator is not responsible for the same
procedure.

c. For similar reasons, the computers operating system should be set up and keep a record of
programs and files operated on. This record should be checked regularly by the computer department
manager and the internal audit. There should also be procedures ensuring the completeness and
validity of all input and output. In a centralised system, the data control group may be established for
this function.

c. Access control

Computer systems are often dependent on accuracy and validity of data held on file Access controls to
the computer hardware, software and data files are therefore vital. Access controls are both physical
and programmed. Physical controls apply to both hardware and data files stored in form of magnetic
disks or diskettes. Example of access controls.

d. Only authorised personnel should be permitted access to the computer which should be in a
secure room. This may not be possible with single microcomputers or even terminals.

e. Control over computers located in the user department should be improved by making sure that
vital data or programs are not left running when the computer is left unattended.

f. Passwords should be issued to all staff, whether for access to mainframe or single
microcomputers. This is supported by requirement that each user can only log into the computer by
keying-in their passwords, the computer then knows the identity of the user and it is programmed so as
to only accept instructions only from authorised users. System of passwords makes it possible for each
user to have limited access to files and that access may further be designated as Read Only or Read and
Write. In this way employees are given access to information contained in files only. Computers should
also be programmed to record names of all those accessing the computer for purpose of adding, altering
or deleting data. Passwords should be changed regularly and access to password data held in the
computer should be subject to stringent controls.

g. The computer has no way of knowing whether the user is the authorised user of a particular
password. Hence users should be issued with machine readable evidence e.g. magnetic stripped cards.
For access then the user will have to use the card and the password.

h. Access to computers is usually via telephone lines. Computers should be programmed with
telephone numbers of such users. On receiving a call, the computer should be required to call back on
the authorised number and not receive calls directly.

i. Programs and data files which need not be on-line should be stored in a securelocation with a
computer department librarian. Systems programs and documentation should be locked away with
limited access.

d. Other controls

They include controls over:

i. Unauthorised use of computers.

ii. Back-up facilities in the event of breakdown. There should be adequate back up procedures e.g.
maintaining duplicate programs and information at different locations, protection against natural
disasters such as situating computer rooms in rooms protected against floods. There should be
maximum possible physical security where computers are installed. Important files should always be
stored in duplicate. Standby procedures should be put in place in the event of computer breakdown.

iii. File retention procedures e.g. retaining copies of essential data on separate.
(ii) APPLICATION CONTROLS

The objectives of application controls which may be manual or programmed are to ensure the
completeness and accuracy of the accounting records and the validity of the entries made therein
resulting from both manual and programmed processing. These relate to the transactions and standing
data pertaining to each computer based accounting system and are therefore specific to each such
application. With the increasing sophistication of computer operating systems it is becoming more
common for controls to be programmed as part of each application. Application controls are generally
divided into:

• Input controls.

• Processing controls.

• Output controls.

• Controls over master files and standing data.

Input controls

Most errors in computer accounting systems can be traced to faulty input. Controls over the
completeness and validity of all input are therefore vital. Some controls affect both completeness and
validity and therefore will be considered separately. These include controls over data conversion,
controls over rejections and the correction and the reprocessing of the rejections, batch controls and
computer edit controls.

Completeness

These controls ensure that all transactions are recorded. That all sales for example are recorded in the
cash register or all purchase invoices are posted to the accounting records. They are particularly
important over the recording of revenue and receipt of assets.

Validity

Controls over validity ensure that only actual transactions that have been properly authorised are
recorded. These controls are most important over the recording of liabilities such as wages, creditors
etc. As in a manual system, control is established by the written authorisation on input documents such
as the departmental managers signature on employees time cards. It is important that there is
adequate separation of duties such that those who initiate a transaction or who have access to cash,
cheques or goods as a result of the transaction being entered should not have the responsibility for
entering the transaction. As with completeness, the computer can be programmed to assist in this
control in which case some of the requirements above can be relaxed for example the computer can
initiate purchases when stock levels reach a pre-determined re-order level. It can then validate the
payment by matching the invoice with the order and goods-inward notes.
Access controls as discussed earlier play an important role in validity in that the computer is
programmed to accept input only from authorised users. The computer can also be programmed to
verify authority limits as well.

Data Conversion

There must be controls to ensure that all data on source documents is properly entered into the
computer. In the early days, when entry was by punched card, each card was verified as punched by a
second machine operator. But now that most data is entered using a keyboard or a terminal other
controls are more common.

The most common input controls are edit controls. Examples of edit controls include;

Type of edit control

Description of control Objective

Missing field check Checks that all essential data fields are present and are of the right length
Ensures accuracy of the processed data. Transactions cannot be properly processed if necessary
data is missing

Valid character check Checks that data fields appear to be of the right type eg all alphabetic, all
numerical or mixed. Ensures correctness of input data

Limit/reasonableness checks Checks that data falls within predetermined reasonability limits e.g.
hours worked do not exceed a certain limit, maybe 8 hours a day. Ensures accuracy and validity of
input data

Master file checks Checks that all codes match those on master files e.g. employee’s number
matches an employee number on the personnel file. Ensures that data is processed against the
correct master file.

Check digit Applies an arithmetic operation to the code number and compares the result to the
check digit To ensure accuracy of data by checking keystroke errors.

Document count Agrees the number of input records in a batch with the total on the batch
control form Ensures that all documents are input
Processing controls

Processing controls ensure that transactions are:

• Processed by the right programs.

• Processed to the right master files.

• Not lost, duplicated or otherwise improperly altered during processing.

• Processing errors are identified and corrected.

Processing controls include:

• Program file identification procedures, which enquire whether, the right master files are in use.

• Physical file identification procedures in the form of labels physically attached to files or
diskettes to ensure that the right files are in use.

• Control totals which are progressively expanded as the data is processed, for example the hash
total of quantities shipped can be expanded to a gross sales total as items are priced and to a net sales
total as customer discounts are determined. These totals should be carried forward with the transaction
data as run-to-run totals.

• Limit and reasonableness tests applied to data arising as a result of processing.

• Sequence tests over pre-numbered documents.

c) Output controls

Are necessary to ensure that:-

• Output is received from input.

• Results of processing are accurate

• Output is distributed to appropriate personnel.

These controls include:

• Logging of all output.

• Matching or agreeing all output to input, such as for one matching, or control totals.

• Noting distribution of all the output.

• Output checklists aimed at ensuring that all expected reports are processed and forwarded to
the relevant department or personnel.
Controls over master files and standing data

These are aimed at ensuring completeness, accuracy and authorisation of amendments to master files
and standing data files. These controls are similar to controls over input. E.g. controls to prevent the
deletion of any account, which contains a current running balance. Once standing data has been written
onto a master file, it is important that there are adequate controls to ensure that the data remains
unaltered until an authorised change is made.

Examples of controls

• Periodic printouts of standing data for checking with manually held information.

• Establishment of independent control totals for periodic verification with computer generated
totals.

AUDITING IN A COMPUTERISED ENVIRONMENT

The use of computers in the processing of financial information by the client affects the general
approach of the auditor to his work. The use of computers does not affect the auditor’s primary
responsibility of reporting on the accounts but the way in which the auditor carries out his substantive
and compliance procedures to arrive, at his opinion will be considerably different.

PLANNING THE AUDIT IN A COMPUTERISED ENVIRONMENT

When planning for an audit in a computerised system the following factors must be considered:

• Auditors need to be involved in computerised systems at a planning, development and

implementation stages. Knowledge of the systems gained at these stages will enable the auditor to plan
the audit with an understanding of the system.

• Timing is more important in computerised environments than in manual environment because

of the need of the auditor to be present when data and the files are available, more frequent visits to
the client are usually required.

• Recording methods may be different. Recent developments including; the use of portable
laptops to aid in preparing audit working papers or coupling a client’s mainframe computer to a micro
computer in the auditor’s office enabling auditors to download data files onto their own personal
computers.

• The allocation of suitably skilled staff to the audit. Thus audit firms now use the computer audit
department on some parts of the audit and allowing general audit staff to have some computer
experience.

• The extent to which computer assisted audit techniques can be used. These techniques often
require considerable planning in advance.
TESTING THE INTERNAL CONTROLS IN A COMPUTERISED ENVIRONMENT

The auditor tests internal controls when he wishes to place reliance on the controls in determining
whether the accounting records are reliable.

A computerised system may differ from a manual system by having both manual and

programmed controls. The manual controls are tested in exactly the same way as in a manual system.

The programmed controls are tested in the following ways:

• By examination of exception reports and rejection reports. But there is no assurance that the
items on the exception reports were the only exceptions or that they actually met the parameters set by
management, auditors must seek for ways to test the performance of the programs by auditing through
the computer.

• Use of CAAT’S - Computer Assisted Audit Technique’s

Test data is mainly applied in testing computerised information systems.

SUBSTANTIVE TESTING IN A COMPUTERISED ENVIRONMENT

Substantive testing of computer records is possible and necessary. The extent depends on the degree of
reliance the auditor has placed on the internal controls. Substantive testing includes 2 basic approaches
both of which will be used.

(a) Manual Testing Techniques

• Review of exception reports: The auditor then attempts to confirm these with other data for
example the comparison of an outstanding despatch note listing with the actual despatch notes.

• Totalling: Relevant totals for example of debtors and creditors listings can be manually verified.

• Re-performance: The auditor may re-perform a sample of computer generated calculations for
example stock extensions, depreciation or interest.

• Reconciliation’s: These will include reconciliation’s of computer listings with creditors

statements, bank statements, actual stock and personnel records.

• Comparison with other evidence such as results of a debtors circularisation, attendance at stock
take and physical inspection of fixed assets.
(b) Computer Audit Programs sometimes called generalised computer audit software. Computer
audit programs are computer programs used by an auditor to:-

• Read magnetic files and to extract specified information from the files.

• To carry out audit work on the contents of the file.

These programs are sometimes known as Inquiry or Integration programs.

Uses of computer audit programs:

1. In the selection of representative or randomly chosen transactions or items for audit tests.

2. The scrutiny of files and selection of exceptional items for examination e.g. on wages payments
over Shs.1000 or all stock items worth more than Shs.100,000 in total.

3. Comparison of 2 files and the printing out of the differences e.g. payrolls at 2 selected dates.

4. Exception reports can be prepared using these programs e.g. overdue debtors.

5. Stratification of data such as stock items or debtors with a view to examination only of
materialitems.

6. Carrying out detailed tests and calculations.

7. Verifying data such as stock or fixed assets at the interim stage and then comparing the
examinedfile with the year end file so that only changed items need to be examined at the final audit.
6. THE AUDITOR'S APPROACH

If we look at the basic differences between computerised and conventional systems we will be able to
appreciate the impact they have on the auditor's approach. If we revisit these differences, we can
classify them as follows:

(a) The complexity of computerised systems: Usually an auditor can fully understand a conventional
system in a matter of hours at the most, whereas a computerised system cannot easily be
comprehended without expert knowledge and a great deal of time.

(b) A separation between the computer and the user department: The natural checks on
fraud and error normally provided by the interaction of user personnel and accounting personnel no
longer applies in a computer environment. This leads to a reluctance on the part of the auditor to rely
on internal controls in a computerised system.

(c) Lack of visible evidence: Data in computer systems is stored primarily on magnetic discs.
This information is not easy to examine. This creates problems for the auditor, it must however be
appreciated that most computer installations in Kenya produce acres of print out and the auditor may
be faced with too much record rather than too little. After all the management is also interested in
running a business and needs these records.

(d) Most data on computer files is retained for short periods. Manual records can be retained
for years. These records may be kept in a manner which makes access by the auditor difficult and time
consuming.

(e) Computers systems can have programmed or automatic controls. Therefore their operation

is often difficult to check by an auditor.

(f) Since programs operate automatically without personnel being aware of what the
program is doing, any program with an error is likely to process erroneously for ever.

(g) Use of outside agencies: Sometimes the client uses a computer bureau to maintain their
accounting records. The problems here for the auditor are in being able to examine controls and
systems when access is not a legal right.
 Changes in audit approach:

Systems design: In conventional systems the auditor finds out about the client's system. In a
computerised system, it is advisable for the auditor to be there right from the design stage, when the
systems are set out.

Timing of audit visits: More frequent visits may be required because there may be changes in
systems and programs, print outs are often shredded and magnetic files overwritten. Frequent changes
occur in filing order and the audit trail has to be followed while it still exists.

Systems review: This follows the normal way of using a questionnaire but is more difficult
because CIS systems are more complex, technical language is used, too much documentation is
available, many controls are program controls meaning that their evaluation may require detailed study
of programs which are written in high level languages or in machine code, and frequent changes are
made to systems and programs.

Audit tests: These will have to differ from those used in manual systems to reflect the new
records being examined.

The Control File:

When auditing CIS systems, it will be found that much reliance is placed within the system upon
standard forms and documentation in general, as well as upon strict adherence to procedures laid
down. This is no surprise, of course, since the ultimate constraining factor in the system is the
computer's own capability, and all users are competitors for its time. It is therefore important that an
audit control file be built up as part of the working papers, and the auditor should ensure that he is on
the distribution list for notifications of all new procedures, documents and systems changes in general.
The following should be included in the audit control file.

(a) Copies of all the forms which source documents might take, and details of the checks
that have been carried out to ensure their accuracy.

(b) Details of physical control over source documents, as well as of the nature of any
control totals of numbers, quantities or values, including the names of the persons keeping these
controls.

(c) Full description of how the source documents are to be converted into input media, and
the checking and control procedures.

(d) A detailed account of the clerical, procedural and systems development controls
contained in the system (e.g. separation of programmers from operators; separation of control of assets
from records relating thereto).
 (e) The arrangements for retaining source documents and input media for suitable periods.
This is of great importance, as they may be required for reconstructing stored files in the event of error
or mishap.

(f) A detailed flow diagram of what takes place during each routine processing run.

(g) Details of all tapes and discs in use, including their layout, labelling, storage and
retention arrangements.

(h) Copies of all the forms which output documents might take, and details of their
subsequent sorting and checking.

— The auditor's own comments on the effectiveness of the controls.

7. AUDITING AROUND THE COMPUTER

When it is possible to relate on a one to one basis, the original input to the final output or to put it
another way, where the audit trail is always preserved than the presence of the computer has minimal
effect on the auditor's work, and in that case it is possible to ignore what goes on in the computer and
concentrate audit tests on the completeness, accuracy, validity on the input and the output, without
paying any due concern to how that output has been processed. Where there is super abundance of
documentation and the output is as detailed and complete as in any manual system and where the trail
from beginning to end is complete so that all documents can be identified and vouched and totally cross
referenced, then the execution of normal audit tests on records which are computer produced but
which are nevertheless as complete as above then this type of auditing is called auditing around the
machine. In this case, the machine is viewed as simply an instrument through which conventional
records are produced. This approach is much criticised because:

i. It indicates a lack of knowledge on the part of the auditor;

ii. It is extremely risky to audit and give an opinion on records that have been produced by a
system that the auditor does not understand fully, and;

iii. A computer has immense advantages for the auditor and it is inefficient to carry out an audit in
this manner.
However, problems arise when it is discovered that management can use the computer more efficiently
in running the business. This is usually done by the production of exception reports rather than the full
records. For example, the management is interested in a list of delinquent debtors, therefore producing
the whole list of debtors means the list has to be analyzed again to identify delinquent debtors and act
upon them. This is inefficient and time consuming as the printer is the slowest piece of equipment in
any computerised system. From the auditor's view, exception reports which provide him with the very
material he requires for his verification work raise a serious problem because he cannot simple assume
that the programs which produce the exception reports are:

i. Doing so accurately;

ii. Printing all the exception which exists;

iii. Are authorised programs as opposed to dummy programs specially created for a fraudulent
purpose or out of date programs accidentally taken from the library and;

iv. That they contain programs control parameters which do in fact meet the company's genuine
internal control requirements.

So although it may be reasonable for management to have faith in their systems and programs, such
faith on the part of the auditor would be completely misplaced and may reflect very adversely on his
duty of care. This is the first situation on the loss of audit trail.The other situation where loss of audit
trail is noted where the computer generates, totals, analyses and balances without printing out details.
It therefore becomes necessary for the auditor to find a way to audit through the computer rather than
around it. But before we go on to that, the loss of audit train can be overcome as follows:

(a) We can have special print outs for auditors, remember the need to be consulted at the
design stage.

(b) Inclusive audit facility. This means putting in the programs special audit instructions
that enable the computer to carry out some audit tests and produce print outs specially for the auditor.

(c) Clerical recreation: Given unlimited time and man power, maintain the possibility to
recreate manually the audit trail. This would obviously be a very tedious exercise.

(d) Total testing and comparison: It is possible to compare results with other data, budgets,
previous periods and industry averages.

(e) Alternative tests: We can perform stock takes, debtors circularisation and examination
of the condition of fixed assets.

(f) We can use test packs to verify program performance.

8. AUDITING THROUGH THE COMPUTER

There are basically two techniques available to the auditor for auditing through the computer. These
are a use of test data and the use of computer audit programs. These methods are ordinarily referred to
as computer assisted audit techniques (CAATs).

Test data

These are designed to test the performance of the clients' programs. What it involves is for the auditor
either using dummy data i.e. data he has created himself or live data i.e. the client's data that was due
for processing to manually work out the expected output using the logic and steps of the program.
This data is then run on the computer using the program and the results are compared. A satisfactory
outcome gives the auditor a degree of assurance that if that programme is used continuously
throughout the year, then it will perform as required. You can see that this technique of test data falls
under compliance testing work/tests of controls.

(a) Live testing has the following disadvantages:

i. If the data is included with normal data, separate test data totals cannot be obtained. This can
sometimes be resolved by the use of dummy branches or separate codes to report the program's effects
on the test data.

ii. Side effects can occur. It has been known for an auditor's dummy product to be included in a
catalogue.

iii. Client's files and totals are corrupted although this is unlikely to be material.

iv. If the auditor is testing procedures such as debt follow up, then the testing has to be over a
fairly long period of time. This can be difficult to organise.

(b) Dummy testing has the following disadvantages:

i. Difficulties will be encountered in simulating a whole system or even a part of it.

ii. A more detailed knowledge of the system is required than with the use of live files.

iii. There is often uncertainty as to whether operational programs are really being used for the test.

iv. The time span problem is still difficult but more capable of resolution than with live testing.

Computer audit programs (Audit software)

These consist of computer programs used by an auditor to read magnetic files and to extract specified
information from the files. They are also used to carry out audit work in the contents of the file. These
programs are sometimes called enquiry or interrogation programs. They can be written by an audit firm
themselves or they can be found from software houses. They have the advantage that unskilled staff
can easily be taught to use them.
Uses of computer audit programs:

1. Selection of representations or randomly chosen transactions or items for audit tests, e.g. item
number 36 and every 140th item thereafter.

2. Scrutiny of files and selection of exceptional items for examination e.g. all wages payments over
£120, or all stock lines worth more than £1,000 in total.

3. Comparison of two files and printing out differences e.g. payrolls at two selected dates.

4. Preparation of exception reports e.g. overdue debts. Stratification of data e.g. stock lines or
debtors; with a view to examination only of material items.

5. Carrying out detail tests and calculations including re-computation of balances.

6. Verifying data such as stock or fixed assets at the interim stage and the comparing of the
examined file with the year-end file so that only changed items need be examined at the final audit
(with a small sample of the other unchanged items). Comparison of files at succeeding year ends e.g. to
identify changes in the composition of stock.

Advantages:

1. Examination of data is more rapid;

2. Examination of data is more accurate;

3. The only practical method of examining large amounts of data;

4. Gives the auditor practical acquaintance with live files;

5. Overcomes in some cases a loss of audit trail;

6. Relatively cheap to use once set up costs have been incurred;

Disadvantages:

1. Can be expensive to set up or acquire.

2. Some technical knowledge is required.

3. A variety of programming languages is used in business. Standard computer audit programs may
not be compatible.

4. Detailed knowledge of systems and programs is required. Some auditors would dispute the
need for this detailed knowledge to be gained.

5. Difficulty in obtaining computer time especially for testing.

Use of audit software raises the visibility of the auditor in the eyes of the company. It makes the audit
more credible. Deficiencies in the system are often discovered and can be reported to management.
This also makes the audit more credible. Packages are not however usually available for small machines.

Traditional batch processing has the advantages that the data can be subjected to checks for validity,
accuracy and completeness before it is processed. But for organizations that need information on strict
time scale, this type of processing is unacceptable. This has led to the development of on-line and real-
time systems and the number is growing particularly in airline offices, banks, building societies and other
financial institutions. The auditor's duties do not change but his techniques have to change. The key
features of these systems are that they are based on the use of remote terminals which is just a VDU
and keyboard typewriter. These terminals will be scattered within the user department and they have
access to the central computer store. The problem for the auditor arises from the fact that master files
held in the central computer store may be read and up-dated by remote terminal without an adequate
audit trail or in some cases, any record remaining. Necessary precautions have to be made therefore to
ensure that these terminals are used in a controlled way by authorised personnel only. And the security
techniques include:

i. hardware constraints e.g. necessitating the use of a key of magnetic-strip badge or card
to engage the terminal, or placing the terminal in a location to which access is carefuly restricted, and
which is constantly monitored by closed-circuit television surveillance systems;

ii. the allocation of identification numbers to authorised terminal operators, with or

without the use of passwords; these are checked by the mainframe computer against stored records of
authorised numbers and passwords;

iii. Using operator characteristics such as voice prints, hand geometry (finger length ratios)
and thumb prints, as a means of identification by the mainframe computer;

iv. Restricting the access to particular programs or master-files in the mainframe computer,
to designated terminals; this arrangement may be combined with those indicated above;

v. In top-security systems, the authority to allocate authorities such as those indicated

above (i.e determination of passwords, nominating selected terminals), will itself be restricted to senior
personnel, other than intended users;

vi. A special file may be maintained in the central processor which records every occasion
on which access is made by particular terminals and operators to central programs and files; this log will
be printed out at regular intervals e.g the end of each day, or on request by personnel with appropriate
authority.
 What differentiates an on-line system from a real-time system is that the on-line system has a
buffer store where input data is held by the central processor before accessing the master files. This
enables the input from the remote terminals to be checked by a special scanning program before
processing commences. With real time systems however, action at the terminal causes an immediate
response in the central processing where the terminal is online. Security against unauthorised access
and input is even more important in real-time systems because the effect of the input is that it
instantaneously updates the file held in the central processor and any edit checks on the input are likely
to be under the control of the terminal operators themselves. In view of these control problems, most
real time systems incorporate additional controls over the scrutiny of the master file for example,
logging the contents of the file before look and after look.