
UNIT-4

AUDIT IN COMPUTERIZED ENVIRONMENT


Computer Auditing: Meaning and Specific Problems of EDP Audit – In Detail

I. Meaning of Computer Auditing (EDP Audit)

Computer Auditing, also known as EDP (Electronic Data Processing) Auditing, refers to the
process of evaluating and verifying the accuracy, reliability, security, and effectiveness of
computerized information systems, particularly in the context of accounting and management
controls.

With the widespread use of computer systems in businesses, traditional auditing methods are
no longer sufficient. Computer auditing ensures that electronic systems are operating as
intended, data is secure and accurate, and internal controls are effective in a digital
environment.

Objectives of Computer Auditing

• Evaluate the integrity and accuracy of electronically processed financial and
operational data.

• Assess the effectiveness of internal controls in an automated environment.

• Ensure compliance with legal and regulatory standards related to IT.

• Verify that systems safeguard against unauthorized access and data breaches.

• Analyse the effectiveness of data backups and disaster recovery systems.

Scope of Computer Auditing

• Financial accounting systems (e.g., ERP, accounting software like Tally, SAP).

• Operational systems like HR, payroll, inventory, and sales systems.

• Network security, data encryption, and cyber resilience.

• Audit trail and system logs.

• Backup and disaster recovery processes.


II. Specific Problems of EDP (Electronic Data Processing) Audit

Auditing in a computerized environment poses several unique challenges compared to
manual systems. Below are the key problems and issues encountered in EDP audits:

1. Lack of Audit Trail (Invisible Processing)

• Problem: In traditional systems, documents such as vouchers, ledgers, and journals
form a visible audit trail. In computerized systems, transactions are processed
electronically with limited physical evidence.

• Implication: It becomes difficult for auditors to verify individual transactions unless
adequate logs or records are maintained.

• Solution: Implement system-generated audit trails or logs to track all activities and
changes.

2. Data Vulnerability and Security Risks

• Problem: Computer systems are prone to hacking, unauthorized access, data
manipulation, malware, and other cybersecurity threats.

• Implication: Unauthorized users can alter data without leaving visible traces, which
compromises the integrity of financial records.

• Solution: Use of firewalls, encryption, role-based access control, and regular security
audits.

3. Dependence on System Documentation

• Problem: In computerized environments, auditors heavily rely on system
documentation, such as flowcharts, program logs, and user manuals.

• Implication: If documentation is outdated or incomplete, it impairs the auditor’s
ability to understand and test the system effectively.

• Solution: Require up-to-date and comprehensive documentation for all systems and
applications.

4. Technical Complexity

• Problem: Auditors may not possess the technical knowledge to understand complex
IT systems, databases, networks, and programming logic.

• Implication: Inadequate understanding can lead to insufficient or ineffective auditing
procedures.

• Solution: Engage IT auditors or specialists and ensure continuous professional
development for auditors in IT literacy.

5. Risk of Program Errors or Fraudulent Programming

• Problem: Errors or intentional manipulation in the software/program code (logic
bombs, backdoors) may go undetected.

• Implication: Can lead to inaccurate data processing or financial fraud.

• Solution: Periodic source code review, program change management, and testing of
applications.

6. Lack of Segregation of Duties

• Problem: In small or poorly controlled systems, one person may have access to
multiple critical operations (e.g., data entry, program changes, and report
generation).

• Implication: Increases the risk of fraud or errors going undetected.

• Solution: Enforce role-based access control and segregation of duties through system
configuration.
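As an added illustration (not part of these notes), the following Python script applies the segregation-of-duties solution above to a constructed role configuration: it derives each user's effective functions from their roles, lists the users holding a forbidden pair of functions, and refuses a role assignment that would create such a pair. The role names, user names and conflict matrix are all constructed.

```python
"""Segregation-of-duties (SoD) check over a constructed role configuration.

Roles grant system functions and users hold roles, so a user's effective
functions are the union over their roles.  Any user holding both halves of
a pair in CONFLICTS violates SoD.  The last function is the preventive
form: refusing a role assignment that would create a conflict.
"""
from itertools import combinations

# Constructed role-to-function configuration (illustrative, not from any real system).
ROLE_FUNCTIONS = {
    "ap_clerk":   {"data_entry"},
    "developer":  {"program_change"},
    "reporting":  {"report_generation"},
    "ap_manager": {"approve_payment", "report_generation"},
    "sysadmin":   {"program_change", "user_admin"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"developer", "reporting"},   # changes programs and produces reports
    "carol": {"ap_clerk", "ap_manager"},   # enters and approves payments
    "dave":  {"sysadmin", "ap_clerk"},     # changes programs, administers users, enters data
}

# Constructed conflict matrix: pairs of functions one person must not hold together.
CONFLICTS = {
    frozenset({"data_entry", "approve_payment"}),
    frozenset({"data_entry", "program_change"}),
    frozenset({"data_entry", "user_admin"}),
    frozenset({"program_change", "report_generation"}),
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def conflicting_pairs(funcs, conflicts=CONFLICTS):
    """Sorted list of (func_a, func_b) pairs in funcs that the matrix forbids."""
    return sorted(tuple(sorted(pair)) for pair in combinations(funcs, 2)
                  if frozenset(pair) in conflicts)


def find_sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                       conflicts=CONFLICTS):
    """Detective control: {user: conflicting pairs} for every user with a violation."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        hits = conflicting_pairs(effective_functions(roles, role_functions), conflicts)
        if hits:
            findings[user] = hits
    return findings


def conflicts_if_assigned(user, new_role, user_roles=USER_ROLES,
                          role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Preventive control: the conflicts that granting new_role to user would
    create.  An empty list means the assignment is safe to apply."""
    roles = set(user_roles.get(user, set())) | {new_role}
    return conflicting_pairs(effective_functions(roles, role_functions), conflicts)


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts().items():
        print(f"{user}: {pairs}")
    print("alice + developer ->", conflicts_if_assigned("alice", "developer"))
```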

7. Real-time Processing Challenges

• Problem: In real-time systems, data is processed immediately upon entry, often
without opportunity for validation or review before processing.

• Implication: Increases risk of processing errors or incomplete transactions.

• Solution: Integrate built-in validation checks, automatic alerts, and exception reports.

8. Frequent System Updates and Changes

• Problem: Continuous updates to software, databases, or systems may introduce new
bugs, affect existing processes, or override controls.

• Implication: Auditors may find it hard to audit a "moving target."

• Solution: Maintain change logs and implement a change management policy.

9. Dependence on Third-party Service Providers (Cloud, SaaS)

• Problem: Data and systems may be hosted offsite or managed by external providers.

• Implication: Limited visibility into the controls and security of outsourced services.

• Solution: Ensure service level agreements (SLAs) include audit rights and third-party
assurance reports like SOC 2.

10. Difficulty in Testing and Sampling

• Problem: Huge volumes of transactions processed by computers make manual
sampling impractical.

• Implication: Increases the risk of missing anomalies.

• Solution: Use Computer-Assisted Audit Techniques (CAATs) to analyse large datasets
efficiently.

III. Computer-Assisted Audit Techniques (CAATs)

Auditors use various tools and techniques to overcome EDP audit challenges:

CAAT Technique: Description

Audit Software: Specialized software like ACL, IDEA used to test data and analyse records.
Test Data Method: Auditor inputs fake transactions to test how the system handles them.
Integrated Test Facility (ITF): Dummy records are created within the system to test live processing.
Parallel Simulation: Auditor uses a separate system to reprocess transactions for verification.
Generalized Audit Software (GAS): Tools that allow access to data files for performing analysis, validations, and checking controls.

Need for Review of Internal Control (Especially Procedure Control and Facility Controls) – In Detail

Internal control is a system of policies, procedures, and processes implemented by an
organization to ensure the integrity of financial and operational information, safeguard assets,
ensure compliance with laws, and achieve operational efficiency. Reviewing internal controls
is a critical function of auditing, especially in environments that are increasingly reliant on
electronic systems.

Two key components of internal control that require special attention are:

1. Procedure Controls

2. Facility Controls

Both are vital for protecting organizational assets, ensuring accurate data processing, and
mitigating risks (including fraud, data breaches, and operational failures).

I. Why Review Internal Controls?

1. Risk Mitigation

• Detect and prevent errors, fraud, unauthorized access, or system failures.

• Ensure that risks related to financial reporting, operations, and compliance are
minimized.

2. System Reliability

• Evaluate whether computer systems and business processes are functioning as
intended.

• Identify control weaknesses that may affect data accuracy or system performance.

3. Regulatory Compliance

• Ensure compliance with standards like SOX (Sarbanes-Oxley Act), GDPR, ISO, or
industry-specific regulations.

• Demonstrate internal control effectiveness to external auditors and regulators.

4. Safeguarding Assets

• Protect physical and digital assets (e.g., cash, inventory, servers, data files) from loss
or damage.

5. Operational Efficiency

• Streamline processes and reduce inefficiencies by identifying redundant or outdated
control procedures.

II. Procedure Controls: Detailed Explanation & Need for Review

Procedure controls (also called process or operational controls) refer to the policies and
procedures that guide how tasks are carried out in a system. These controls ensure that
operations are performed in a consistent, authorized, and secure manner.

Types of Procedure Controls

1. Input Controls – Ensure data entered into the system is accurate and authorized.

o Example: Validation checks, input masks, authorization of data entry.

2. Processing Controls – Ensure that data is processed correctly by the system.

o Example: Batch totals, hash totals, run-to-run controls, error correction
mechanisms.

3. Output Controls – Ensure the integrity and confidentiality of information output.

o Example: Review of reports, restricted access to output data, exception
reports.

4. Authorization Controls – Ensure that only authorized individuals perform certain
functions.

o Example: Role-based access, digital signatures, approval workflows.

5. Change Controls – Monitor changes to systems, processes, or data.

o Example: Software updates, patch management, change request
documentation.
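The processing controls in item 2 (batch totals, hash totals, run-to-run controls), as an added worked example that is not from these notes: a constructed payroll batch passes through two processing steps, and the control totals carried from step to step expose a step that silently drops a record. The batch data, deduction rate and step logic are all constructed.

```python
"""Processing controls on a constructed payroll batch: record count, batch
total, hash total, and run-to-run controls carried between two processing
steps.  A deliberately faulty step shows how a dropped record is caught."""
from decimal import Decimal

# Constructed input batch of (employee_id, hours, hourly_rate).  Not real data.
INPUT_BATCH = [
    (1001, Decimal("40"), Decimal("20.00")),
    (1002, Decimal("35"), Decimal("22.50")),
    (1003, Decimal("45"), Decimal("18.00")),
    (1004, Decimal("40"), Decimal("30.00")),
]
TAX_RATE = Decimal("0.10")   # constructed flat deduction rate


def control_totals(records, amount_index, id_index=0):
    """Three classic batch controls: record count, batch total of a financial
    field, and hash total of a non-financial field (employee_id).  The hash
    total has no business meaning; it exists to detect records that are
    dropped, duplicated or swapped between runs."""
    return {
        "count": len(records),
        "batch_total": sum(r[amount_index] for r in records),
        "hash_total": sum(r[id_index] for r in records),
    }


def gross_pay_step(records):
    """Processing step 1: (employee_id, gross_pay)."""
    return [(emp, hours * rate) for emp, hours, rate in records]


def faulty_gross_pay_step(records):
    """Constructed defect: silently drops the last record of the batch."""
    return gross_pay_step(records[:-1])


def net_pay_step(gross_records, tax_rate=TAX_RATE):
    """Processing step 2: (employee_id, gross_pay, net_pay)."""
    return [(emp, gross, (gross * (1 - tax_rate)).quantize(Decimal("0.01")))
            for emp, gross in gross_records]


def reconcile(expected, actual):
    """Control fields whose expected and actual values differ."""
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def audit_payroll_run(batch, gross_step=gross_pay_step, net_step=net_pay_step):
    """Run both steps under run-to-run control.  Returns (exceptions, final
    totals); exceptions is empty when every total reconciles."""
    exceptions = []
    in_ctl = control_totals(batch, amount_index=1)          # batch total = total hours
    gross = gross_step(batch)
    gross_ctl = control_totals(gross, amount_index=1)        # batch total = gross pay
    # Run-to-run 1: count and hash total must pass through step 1 unchanged.
    diff = reconcile({k: in_ctl[k] for k in ("count", "hash_total")},
                     {k: gross_ctl[k] for k in ("count", "hash_total")})
    if diff:
        exceptions.append(("gross_pay_step", diff))
    net = net_step(gross)
    net_ctl = control_totals(net, amount_index=2)            # batch total = net pay
    # Run-to-run 2: count, hash total and the gross total carried into step 2.
    carried = {"count": net_ctl["count"], "hash_total": net_ctl["hash_total"],
               "gross_total": sum(r[1] for r in net)}
    diff = reconcile({"count": gross_ctl["count"], "hash_total": gross_ctl["hash_total"],
                      "gross_total": gross_ctl["batch_total"]}, carried)
    if diff:
        exceptions.append(("net_pay_step", diff))
    return exceptions, net_ctl


if __name__ == "__main__":
    print("clean run:", audit_payroll_run(INPUT_BATCH))
    print("faulty run:", audit_payroll_run(INPUT_BATCH, gross_step=faulty_gross_pay_step))
```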

Need for Reviewing Procedure Controls

Reason: Explanation

Error Detection: Identifies points where errors may be introduced and ensures there are checks to catch them.
Fraud Prevention: Ensures segregation of duties and approval procedures are in place to prevent misuse.
Compliance Assurance: Confirms that operations conform to organizational and legal requirements.
System Upgrades: As systems change, procedural controls must be updated to remain effective.
Audit Trail Validation: Ensures adequate logging of all significant activities for traceability.

III. Facility Controls: Detailed Explanation & Need for Review

Facility controls refer to the physical and environmental controls put in place to protect
hardware, software, and data from physical damage, theft, or unauthorized access. This
includes controls over computer rooms, data centres, backup storage, and supporting
infrastructure.

Types of Facility Controls

1. Physical Access Controls

o Restrict entry to data centres or computer rooms (e.g., keycards, biometric
scanners).

o Use of surveillance systems (CCTV) and security personnel.

2. Environmental Controls

o Fire suppression systems, smoke detectors.

o Climate control (temperature and humidity regulation) to protect hardware.

o Uninterruptible power supplies (UPS) and backup generators.

3. Disaster Recovery and Backup

o Off-site storage of critical backups.

o Clearly defined disaster recovery plans and business continuity procedures.

4. Hardware Maintenance

o Scheduled maintenance of servers, storage devices, and network
components.

5. Equipment Protection

o Locks on server racks, shielding against electromagnetic interference.

Need for Reviewing Facility Controls

Reason: Explanation

Prevent Physical Theft/Damage: Critical IT infrastructure can be physically stolen or damaged if not secured.
Reduce Downtime: Prevents operational disruptions caused by power failures, environmental issues, or unauthorized access.
Ensure Data Security: Physical protection of hardware also protects sensitive organizational data.
Compliance with Standards: Reviews are necessary to ensure adherence to IT security frameworks (e.g., ISO 27001).
Disaster Preparedness: Verifies readiness for unexpected events like fire, flood, or cyberattack.

IV. Best Practices for Reviewing Procedure and Facility Controls

For Procedure Controls:

• Conduct walkthroughs of critical processes.

• Use flowcharts to visualize control points and weaknesses.

• Perform control testing using sample transactions.

• Review system logs and exception reports.

• Ensure proper segregation of duties and user access levels.

For Facility Controls:

• Physically inspect data centres and server rooms.

• Review access logs and visitor records.

• Check for the presence and functionality of fire and climate control systems.

• Evaluate backup storage policies and disaster recovery plans.

• Test the UPS and generator systems periodically.

Techniques of Audit of EDP Output (Electronic Data Processing Output) – In Detail

Auditing the EDP output is a crucial step in the computer auditing process because it
provides evidence that computer systems have processed data accurately, completely, and
as intended. The output is the final result of all input and processing activities, and it
includes reports, printouts, dashboards, statements, invoices, and electronic files used for
decision-making or compliance.

Here’s a detailed explanation of the techniques used to audit EDP output effectively:

I. Importance of Auditing EDP Output

• Verification of processing accuracy

• Detection of unauthorized alterations

• Confirmation of data integrity

• Ensuring reliability of reports used for financial or managerial decisions

• Validation of compliance with internal controls and policies

II. Techniques of EDP Output Audit

1. Comparison with Source Documents

• Description: The auditor compares computer-generated output (e.g., invoices,
payroll reports, ledger summaries) with original source documents such as vouchers,
timecards, or transaction logs.

• Purpose: To verify that data has been processed accurately and nothing has been
omitted or altered.

• Example: Matching a payroll register output with original employee time records.

2. Reprocessing Technique (Parallel Simulation)

• Description: The auditor reprocesses selected transactions using a controlled system
or software and compares the results with the organization's actual EDP output.

• Purpose: To independently verify the accuracy and consistency of the system's
processing logic.

• Example: Feeding historical sales orders into audit software to recalculate invoice
totals and comparing them with actual invoices generated.

3. Review of Exception Reports

• Description: Exception reports highlight anomalies or data that fall outside expected
ranges (e.g., unusually high payments, negative inventory).

• Purpose: To identify irregularities or errors in output that could indicate fraud or
processing problems.

• Example: An exception report showing overtime hours above policy limits.

4. Output Reasonableness Testing

• Description: The auditor evaluates whether output figures are logical, within
expected limits, and consistent with historical data or trends.

• Purpose: To detect computational errors, data corruption, or invalid results.

• Example: Verifying that monthly sales figures do not show unrealistic spikes without
valid reasons.

5. Use of Test Data

• Description: The auditor inputs pre-determined test transactions into the system
and then examines the output.

• Purpose: To assess how the system processes specific types of transactions and
whether output is generated correctly.

• Example: Entering a fictitious invoice with a negative amount to see how the system
handles abnormal input.

6. Integrated Test Facility (ITF)

• Description: A set of dummy data and users is introduced into the live system, and
the auditor tracks how these transactions are processed and appear in the output.

• Purpose: To evaluate system processing and output generation without disrupting
real operations.

• Example: Setting up a test employee and processing a payroll run to check the
output salary statement.

7. Output Completeness Check

• Description: Auditors verify whether all expected outputs (e.g., reports, files,
documents) are actually produced and distributed.

• Purpose: To ensure that there are no omissions in reports or critical outputs.

• Example: Checking that all customer statements for the month were generated and
mailed.

8. Audit Trail Review

• Description: Examination of logs and system trails that document each transaction’s
processing steps.

• Purpose: To trace how a transaction was entered, processed, and how the output
was generated.

• Example: Reviewing log entries showing who generated a report, when, and with
what parameters.

9. Output Control Logs Review

• Description: These logs track the generation, review, approval, and distribution of
outputs.

• Purpose: To ensure only authorized personnel access and distribute sensitive output
data.

• Example: Reviewing who accessed and printed financial statements and whether
they were approved.

10. Analytical Procedures

• Description: The auditor uses analytical methods (ratios, trend analysis, variance
analysis) to identify abnormal patterns in the output.

• Purpose: To detect unexpected results that may point to underlying problems in the
input or processing stages.

• Example: Analysing output reports to detect sales revenue inconsistencies across
regions.

III. Best Practices for Auditing EDP Output

• Ensure segregation of duties: Users generating output should not be the ones
validating or approving it.

• Use computer-assisted audit tools (CAATs) for large volume output testing.

• Ensure access controls to sensitive outputs (like payroll or financial statements).

• Validate that output retention policies are followed (e.g., archiving or secure
destruction).

• Check whether management reviews outputs for accuracy and decision-making.

Area: Typical Output

Accounting: Ledger balances, financial reports
Sales: Invoices, sales reports, credit memos
Inventory: Stock valuation, reorder reports
HR/Payroll: Salary slips, payroll summaries
Purchasing: Purchase orders, supplier statements
MIS: Dashboards, KPIs, summary reports

Use of Computers for Internal and Management Audit Purposes – In Detail

The increasing digitization of business processes has significantly transformed how internal
audits and management audits are conducted. Computers now play a central role in
automating, analysing, and enhancing the effectiveness of audit processes. They offer
auditors advanced tools to handle large volumes of data, conduct real-time evaluations, and
provide better assurance on governance, risk, and controls.

I. Overview: Why Use Computers in Auditing?

Traditional Auditing vs Computer-Aided Auditing

Manual sampling vs Full population testing
Time-consuming vs Efficient and fast
High risk of error vs Reduced human error
Limited scope vs Comprehensive data analysis
Hard to analyse trends vs Advanced analytics and visualization

II. Use of Computers in Internal Audit

Internal audit focuses on evaluating and improving risk management, control, and
governance processes within an organization.

1. Risk Assessment and Planning

• How Computers Help:

o Use of risk mapping software to assess organizational risks.

o Analyse historical data to identify high-risk areas.

o Prioritize audit resources using risk matrices.

• Tools: SAP GRC, TeamMate+, ACL Analytics, Excel-based models.

2. Data Analysis and Testing (Computer-Assisted Audit Techniques – CAATs)

• How Computers Help:

o Analyse complete datasets (not just samples).

o Identify anomalies, duplicates, and outliers.

o Run audit scripts to check compliance and policy adherence.

• Examples:

o Detecting duplicate vendor payments.

o Checking employee records against blacklists.

• Tools: ACL, IDEA, Power BI, Tableau, SQL.

3. Process and Transaction Monitoring

• How Computers Help:

o Continuous monitoring of key controls and transactions.

o Automatic alerts for breaches of thresholds (e.g., unusual purchase orders).

• Example:

o Flagging purchases above $50,000 without approval.

• Benefit: Enables real-time auditing and preventive controls.

4. Workflow Automation and Documentation

• How Computers Help:

o Automate audit planning, fieldwork, reporting, and follow-up.

o Maintain digital audit trails.

o Auto-generate reports and dashboards.

• Tools: AuditBoard, TeamMate+, Microsoft SharePoint.

5. Remote/Online Auditing

• How Computers Help:

o Access data remotely through secure systems.

o Conduct virtual interviews and walkthroughs.

o Use shared platforms for document review and collaboration.

• Benefit: Enables auditing during emergencies (e.g., pandemics).

III. Use of Computers in Management Audit

Management audit evaluates the efficiency and effectiveness of managerial processes,
strategies, and performance. Computers enhance this by providing insights, simulations, and
trend analyses.

1. Performance Analysis

• How Computers Help:

o Analyse KPIs, ROI, ROA, inventory turnover, etc.

o Generate visual dashboards for performance monitoring.

• Example:

o Compare actual vs. budgeted performance for departments.

• Tools: Power BI, Tableau, SAP BusinessObjects.

2. Strategic Decision Evaluation

• How Computers Help:

o Model "what-if" scenarios using simulation software.

o Forecast the impact of managerial decisions on profitability or market share.

• Tools: Excel (with macros), @Risk (for risk analysis), IBM SPSS.

3. Cost and Profitability Analysis

• How Computers Help:

o Perform activity-based costing (ABC) using accounting software.

o Segment profitability by product, region, or customer.

• Example:

o Identifying loss-making product lines for corrective action.

• Tools: SAP ERP, QuickBooks, Oracle Financials.

4. Resource Utilization Review

• How Computers Help:

o Analyse usage of labour, capital, and materials.

o Detect idle resources or inefficiencies.

• Example:

o Under-utilized manufacturing capacity identified via production data.

• Benefit: Helps in optimizing operations and reducing waste.

5. Benchmarking and Best Practices Comparison

• How Computers Help:

o Compare internal data with industry benchmarks.

o Use online databases and software tools for standard comparisons.

• Tools: Gartner Benchmarking Tools, Bloomberg Terminal.

IV. Benefits of Using Computers in Auditing

Benefit: Explanation

Efficiency: Speeds up audits and allows more coverage in less time.
Accuracy: Reduces human error and increases reliability of findings.
Data-Driven: Enables objective, evidence-based conclusions.
Real-Time Monitoring: Allows continuous audit of live systems.
Scalability: Handles large volumes of data easily.
Improved Reporting: Automated visualizations and customized audit reports.

V. Challenges and Considerations

Challenge: Explanation

Cost of software/tools: Some audit platforms and licenses are expensive.
Skill requirements: Auditors must be trained in data analytics and IT tools.
Data privacy and access: Handling confidential data requires strong controls.
System integration: Accessing data from multiple ERP systems may be complex.
Cybersecurity risks: Audit tools must be secure to avoid introducing vulnerabilities.


Test Packs and Computerized Audit Programs

As organizations increasingly rely on computerized systems, auditors have adopted
automated tools and structured techniques to ensure the accuracy, reliability, and integrity
of electronic data. Two important methods in computer auditing are:

1. Test Packs

2. Computerized Audit Programs (CAPs)

These tools help auditors evaluate system logic, test internal controls, and verify the
correctness of output produced by EDP (Electronic Data Processing) systems.

I. Test Packs

Definition:

A Test Pack is a set of predetermined, controlled input transactions created by an auditor to
test the functionality and logic of a computer application system. These transactions are
processed through the system, and the output is compared with the auditor's expected
results to detect any inconsistencies or errors.

Purpose:

• To verify that application controls (like input validation, processing logic, and output
accuracy) are working correctly.

• To test how the system handles normal, boundary, and exceptional transactions.

Components of a Test Pack:

1. Test Data – Sample transactions (valid and invalid) prepared by the auditor.

2. Expected Results – What the system should produce after processing the test data.

3. Actual Results – The output generated by the system.

4. Variance Analysis – A comparison between expected and actual results.

Examples of Test Pack Transactions:

• Valid Input: A purchase order with correct item codes and within budget.

• Invalid Input: A negative invoice amount or an unauthorized customer ID.

• Boundary Conditions: Maximum allowable discount or transaction limit.

How Test Packs Are Used:

1. The auditor feeds test data into the system.

2. The system processes these transactions like real data.

3. The output is captured and compared with the expected results.

4. Discrepancies are analysed to identify errors in the application logic or control
weaknesses.
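An added example, not from these notes, of steps 1 to 4 above: a constructed invoice-posting routine stands in for the audited application, a test pack of valid, invalid and boundary transactions is run through it, and the variance analysis is returned. A second, deliberately flawed copy of the routine shows a missing discount-limit control surfacing as a variance. The customer codes, amounts and the 10 % discount limit are constructed.

```python
"""A test pack run against a constructed invoice-posting routine that stands
in for the audited application.  The auditor's expected results are prepared
independently; mismatches form the variance analysis."""
from decimal import Decimal

AUTHORIZED_CUSTOMERS = {"C100", "C200"}   # constructed customer master file
MAX_DISCOUNT = Decimal("0.10")            # constructed policy limit: 10 %


def post_invoice(inv):
    """Application under test (constructed): validates and prices one invoice."""
    if inv["customer"] not in AUTHORIZED_CUSTOMERS:
        return {"status": "rejected", "reason": "unauthorized customer"}
    if inv["amount"] <= 0:
        return {"status": "rejected", "reason": "non-positive amount"}
    if inv["discount"] > MAX_DISCOUNT:
        return {"status": "rejected", "reason": "discount above limit"}
    net = (inv["amount"] * (1 - inv["discount"])).quantize(Decimal("0.01"))
    return {"status": "accepted", "net": net}


def post_invoice_flawed(inv):
    """Same routine with a constructed control failure: the discount limit is
    not enforced, so an over-limit discount is silently accepted."""
    if inv["customer"] not in AUTHORIZED_CUSTOMERS:
        return {"status": "rejected", "reason": "unauthorized customer"}
    if inv["amount"] <= 0:
        return {"status": "rejected", "reason": "non-positive amount"}
    net = (inv["amount"] * (1 - inv["discount"])).quantize(Decimal("0.01"))
    return {"status": "accepted", "net": net}


def tx(customer, amount, discount):
    """Build one test transaction from string literals."""
    return {"customer": customer, "amount": Decimal(amount), "discount": Decimal(discount)}


# The test pack: (test id, input transaction, auditor's expected result).
TEST_PACK = [
    # valid input
    ("valid_order",      tx("C100", "500.00", "0.05"), {"status": "accepted", "net": Decimal("475.00")}),
    # invalid input
    ("negative_amount",  tx("C100", "-10.00", "0"),    {"status": "rejected", "reason": "non-positive amount"}),
    ("unknown_customer", tx("C999", "100.00", "0"),    {"status": "rejected", "reason": "unauthorized customer"}),
    # boundary conditions either side of the maximum discount
    ("discount_at_max",  tx("C200", "200.00", "0.10"), {"status": "accepted", "net": Decimal("180.00")}),
    ("discount_over",    tx("C200", "200.00", "0.11"), {"status": "rejected", "reason": "discount above limit"}),
]


def run_test_pack(app, pack=TEST_PACK):
    """Process every test transaction through app and return the variance
    analysis: a list of (test id, expected, actual) for each mismatch."""
    variances = []
    for test_id, inv, expected in pack:
        actual = app(dict(inv))   # copy so the application cannot mutate the pack
        if actual != expected:
            variances.append((test_id, expected, actual))
    return variances


if __name__ == "__main__":
    print("correct application:", run_test_pack(post_invoice))
    print("flawed application:", run_test_pack(post_invoice_flawed))
```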

Advantages:

• Tests the actual application system in a live-like environment.

• Effective in detecting logical flaws or control failures.

• Provides repeatable and objective testing procedures.

Limitations:

• Requires access to the system (live or test environment).

• Inserting test data into live systems can risk data pollution if not managed properly.

• Needs thorough documentation and control over test cases.

II. Computerized Audit Programs (CAPs)

Definition:

A Computerized Audit Program is an automated set of instructions or scripts developed to
perform specific audit tasks such as data extraction, analysis, control testing, and reporting.
These are often built using audit software like ACL, IDEA, Excel VBA, SQL, or custom-built
routines.

Purpose:

• To automate routine audit procedures.

• To increase the efficiency, coverage, and reliability of the audit process.

• To support both internal audits and external audits involving electronic systems.

Features of CAPs:

• Automates test of controls (e.g., segregation of duties, user access).

• Performs analytical reviews (e.g., trend analysis, ratio analysis).

• Extracts and tests 100% of data, not just samples.

• Supports continuous auditing through scheduled tasks.

Examples of Computerized Audit Program Tasks:

Task: Example

Data Extraction: Import all sales invoices for a given month from the ERP.
Duplicate Testing: Identify duplicate vendor payments or employee IDs.
Exception Reporting: List transactions over $50,000 without approval.
Ratio Analysis: Calculate gross margin ratio by product line.
Matching: Reconcile general ledger with subledger balances.
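As an added example (not the notes' or any audit vendor's code) serving both the CAAT uses listed under Internal Audit earlier (detecting duplicate vendor payments, flagging purchases above $50,000 without approval) and the Duplicate Testing and Exception Reporting rows of this table, the following Python routine runs both tasks over a constructed accounts-payable extract. Vendor IDs, invoice references, amounts and approver names are constructed.

```python
"""Two computerized audit program tasks over a constructed accounts-payable
extract: duplicate-payment testing and an exception report of payments above
the approval threshold that carry no approver."""
from collections import defaultdict
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("50000")   # constructed policy: > $50,000 needs approval

# Constructed AP payment extract (not real data).
PAYMENTS = [
    {"id": 1, "vendor": "V01", "invoice": "INV-100",  "amount": Decimal("1200.00"),  "approved_by": "mgr1"},
    {"id": 2, "vendor": "V01", "invoice": "inv 100 ", "amount": Decimal("1200.00"),  "approved_by": "mgr1"},
    {"id": 3, "vendor": "V02", "invoice": "INV-200",  "amount": Decimal("75000.00"), "approved_by": ""},
    {"id": 4, "vendor": "V02", "invoice": "INV-201",  "amount": Decimal("50000.00"), "approved_by": None},
    {"id": 5, "vendor": "V03", "invoice": "INV-300",  "amount": Decimal("50000.01"), "approved_by": "mgr2"},
    {"id": 6, "vendor": "V03", "invoice": "INV-100",  "amount": Decimal("9.99"),     "approved_by": None},
]


def normalize_invoice(ref):
    """Fold case and strip punctuation/whitespace so 'INV-100' and 'inv 100 '
    key the same; a plain equality test would miss this duplicate."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())


def duplicate_payments(payments=PAYMENTS):
    """Duplicate test: payments sharing (vendor, normalized invoice ref).
    Keyed by vendor as well, because two vendors legitimately reuse INV-100."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], normalize_invoice(p["invoice"]))].append(p["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def unapproved_large_payments(payments=PAYMENTS, threshold=APPROVAL_THRESHOLD):
    """Exception report: payments strictly above threshold with no approver
    recorded (None or blank).  A payment exactly at the threshold is not listed."""
    return [p["id"] for p in payments
            if p["amount"] > threshold and not (p["approved_by"] or "").strip()]


def run_audit_program(payments=PAYMENTS):
    """Run both tasks and return a findings dict, as a scheduled job would."""
    return {
        "duplicates": duplicate_payments(payments),
        "unapproved_over_threshold": unapproved_large_payments(payments),
    }


if __name__ == "__main__":
    for task, result in run_audit_program().items():
        print(f"{task}: {result}")
```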

Advantages:

• Fast and efficient handling of large data sets.

• Ensures consistent and repeatable audit procedures.

• Reduces manual errors.

• Enhances coverage (e.g., full population testing instead of samples).

• Facilitates real-time auditing and dashboards.

Limitations:

• Requires technical expertise in audit software or scripting.

• Initial setup time can be high.

• May require integration with client systems.

• Risk of relying on flawed logic if scripts are not tested thoroughly.

Comparison: Test Packs vs Computerized Audit Programs

Purpose
  Test Packs: Test application logic and controls
  Computerized Audit Programs: Automate and perform audit procedures

Input
  Test Packs: Predefined test data
  Computerized Audit Programs: Actual system data

Output
  Test Packs: Expected vs actual results
  Computerized Audit Programs: Analytical reports, exception lists, logs

Environment
  Test Packs: Often test environment
  Computerized Audit Programs: Can be live or test environment

Skill Required
  Test Packs: Knowledge of application
  Computerized Audit Programs: Knowledge of audit tools, scripting

Risk
  Test Packs: Data contamination if used on live system
  Computerized Audit Programs: Logic flaws if scripts are incorrect

Best Use
  Test Packs: Validating system processing accuracy
  Computerized Audit Programs: Performing high-volume data audits

Best Practices for Use

For Test Packs:

• Use a sandbox or test environment (not live data).

• Document test data and expected outcomes clearly.

• Include edge cases and invalid data to test control limits.

For Computerized Audit Programs:

• Validate and test scripts before use.

• Maintain audit trails and logs of each run.

• Protect access to scripts to avoid unauthorized changes.

• Regularly update programs as systems and controls evolve.

Involvement of the Auditor at the Time of Setting Up the Computer System – In Detail

When an organization is in the process of setting up a computerized system, especially for
financial, operational, or management information processing, the involvement of the
auditor (internal or external) is essential. The auditor's role is not to design or implement
the system, but to provide independent oversight, risk identification, and control
evaluation to ensure the system meets standards of accountability, accuracy, security, and
auditability.

I. Objectives of Auditor's Involvement

• Ensure adequate internal controls are designed into the system.

• Ensure data integrity, confidentiality, and availability are addressed.

• Ensure compliance with legal, regulatory, and accounting standards.

• Help management in evaluating the system’s risk areas.

• Ensure the system is auditable after implementation.

II. Stages of System Development Where Auditor is Involved

Auditor involvement is important in each stage of the System Development Life Cycle
(SDLC).

1. Feasibility Study and Planning Stage

Auditor's Role:

• Review the cost-benefit analysis and feasibility reports.

• Evaluate whether system objectives align with business goals.

• Advise on the regulatory, legal, and compliance implications of system choices.

• Assess risk factors like data security, change management, and fraud vulnerability.

Contribution:

• Ensures risks are considered early.

• Identifies potential audit and control challenges.

2. System Design Stage

Auditor's Role:

• Review logical design of the system including:

o Input controls

o Processing controls

o Output controls

o Error detection and correction routines

• Check segregation of duties in system roles and access.

• Evaluate the audit trail design (how transactions will be logged and monitored).

Contribution:

• Ensures system includes built-in internal controls.

• Prevents costly retrofits after implementation.

3. Development and Programming Stage

Auditor's Role:

• Ensure there is a formal change control process in place.

• Evaluate whether programming standards are followed.

• Review test plans and procedures.

• Ensure that sensitive data is masked or encrypted during testing.

Contribution:

• Reduces risk of logic errors, unauthorized changes, and incomplete testing.

• Encourages documentation for audit readiness.

4. System Testing Stage

Auditor's Role:

• Observe or participate in system testing and user acceptance testing (UAT).

• Review test results for accuracy and completeness.

• Use test data to verify that the system produces expected results.

• Confirm that exception handling and control features work correctly.

Contribution:

• Validates that the system performs as intended and is ready for production.

• Ensures that audit objectives are not compromised.

5. Implementation Stage

Auditor's Role:

• Review data migration process from old system to new system.

• Ensure parallel runs are performed and compared.

• Confirm user access rights are correctly set up.

• Check whether system backup and recovery plans are in place and tested.

Contribution:

• Ensures a smooth and secure transition with minimal disruption and no data loss.

• Verifies controls are active and operational from Day 1.

6. Post-Implementation Review

Auditor's Role:

• Conduct a post-implementation audit to assess:

o Whether system objectives are achieved.

o If controls are working as expected.

o Any gaps or weaknesses needing remediation.

• Provide recommendations for control improvements or efficiency gains.

Contribution:

• Helps fine-tune the system.

• Informs future system changes or upgrades.

III. Areas of Auditor Evaluation

Area: What the Auditor Checks

Input Controls: Data validation, authorization of entries
Processing Controls: Sequence checks, logic verification
Output Controls: Report accuracy, restricted distribution
Access Controls: Role-based access, password policies
Audit Trails: Logs of user actions, transaction history
Error Handling: Notification, correction, logging of errors
Data Backup: Frequency, completeness, restoration ability
Security: Protection against data breaches and system attacks
Compliance: Alignment with laws (e.g., SOX, GDPR, Income Tax, GST)
Documentation: System specs, user manuals, control records

IV. Benefits of Auditor Involvement

• Early detection of control deficiencies.

• Enhances system reliability and trustworthiness.

• Supports regulatory compliance and reduces audit risks.

• Avoids costly post-implementation fixes.

• Promotes transparency and accountability in system use.

V. Limitations / Considerations

• The auditor must avoid becoming part of the system development team (to maintain
independence).

• Auditor involvement should be advisory, not decision-making.

• Management retains the responsibility for system adequacy and security.

Conclusion

The involvement of the auditor during the setup of a computer system is a proactive control
measure that ensures the system is robust, secure, auditable, and aligned with internal
control frameworks. Their role supports both financial integrity and operational
effectiveness by embedding controls and safeguards at every step of the system
development process.
