
Computer Audits Techniques

This document discusses auditing in a computer environment. It describes three types of computerized accounting systems: batch processing, online processing, and real-time processing. It also outlines some key features of computerized accounting systems that auditors must consider, such as lack of primary records, encoded data, loss of audit trail, overwriting of data, and need for program and application controls. Auditors must understand computerized systems and controls, and may require assistance from computer specialists.

Uploaded by

BRUNO ZENAS

AUDITING IN COMPUTER ENVIRONMENT

Introduction:
• A computer environment exists whenever the
accounting system is computerised.
• Modern accounting systems use computers to process
data and prepare financial reports.
• Computerised systems are much quicker and more
accurate than manual systems.
• Auditors use computers to apply audit procedures when
gathering audit evidence on which to base the audit
opinion.
• There are a variety of packages that auditors can use
to carry out audit interrogation of computerised
systems.
Nature and types of computerised accounting system

There are three basic types of computerised systems, namely:
• Batch processing
• Online processing and
• Real time processing
Batch processing

• Transactions are stored together and
processed as one batch of input.
• The routines, which need to be performed,
are performed in one rather than several
operations.
Online systems

They have facilities for data to be passed to
and from the central computer via a
remote terminal.
Real-time systems
• This is a further development of online systems.
• It permits immediate updating of computer held files.
• The data input and file update phases are merged and the
system accepts individual transactions rather than batches of
data. (master files are updated instantly).
• Transactions can be input as they arise.
• An example of the online real-time system is that operated by
the airlines with their airline ticket booking system.
• When a passenger wants a ticket, the booking clerk will
interrogate the master file for that particular flight and the
computers will reply how many seats are available. If there are
seats available the clerk will book the number of tickets
required and the master file will be updated immediately. The
next time the record is accessed the current up to date number
of seats available will be displayed.
Features of a computerised system
• Controls are concentrated in the computer
department.
• The accounting records are held on magnetic media
and they are not in a human readable format.
• There is a lack of primary records.
• Data is encoded
• There is loss of audit trail.
• Important data may be overwritten
• Program controls may be important to ensure
completeness and accuracy of accounting.
• There is a need for computer literacy skills.
Concentration of controls in the computer department

• The need to standardise procedures and utilise
computer resources economically, efficiently and
effectively has led to concentration of controls in the
computer department.
• Such concentration may lead to deliberate corruption
of data of which other departments are unaware.
• Most computer users minimise this danger by adopting
control procedures, which apportion responsibilities and
allow users from other departments to check the
accuracy and completeness of all processing.
• At the planning stage the auditor should establish
reliability and adequacy of the controls.
Lack of primary records
• In some systems conventional daybooks and
originating documents will not be maintained.
• In online systems the operator may receive an
order by telephone and use a terminal to key in
relevant data immediately.
• The system creates despatch and customer file.
• The auditor would be unable to trace these
transactions back to originating documents.
• Such problems should be considered at the time
the system is designed, ensuring that computer
generated reports are provided and carefully
reviewed by management.
Encoded data

• There is always a danger of transposition errors
arising at the encoding stage.
• The audit procedures ensure there are
procedures to check for errors.
• These include check digits and data validation.
Loss of audit trail

• Modern systems are usually designed to limit the
volume of printed data.
• Control is implemented by exception reporting
principles so that printouts of magnetically stored data
are not available.
• The auditor is therefore unable to trace a document
from originating document to financial statement.
• The auditor must assess the implication of this at the
planning stage and use computer assisted audit
techniques (CAATs) to obtain appropriate evidence that
controls are functioning as described and that they are
adequate.
Overwriting data

• When data is stored on a magnetic tape or disk
it will eventually be overwritten with new data.
• The auditor will need to plan audit testing and
ensure that appropriate data is available to him.
Program controls

• The auditor must test the controls and satisfy
himself they are adequate and working as
described.
• To do this he will have to use computer
assisted audit techniques.
• As the client regularly amends the program
controls, old programs may be overwritten and
hence unavailable during the audit. The auditor
must regularly test and review the program
controls and rely on them.
Need for specialist experts

• As computers are extensively used in audits,
auditors are required to be computer experts. Since all
auditors cannot be computer experts,
auditors may use computer specialists.
CONTROLS IN COMPUTER ENVIRONMENT
• To ensure objectives in the computer
department are achieved, management
should have a clear overall policy on the
use of computers.
A computer policy should include
• Commitment to information security and
physical back up. Use of file directors,
passwords, hidden files.
• Information accessing procedures i.e.
password, data protection and data distribution.
• Supervision by senior management.
• Environmental protection
• Anti virus checks
• Training
• Documentation standards
• Error correction procedures
Internal controls in information communication technology (ICT)

• Basically the internal controls for a
computerised accounting system are
similar to those found in a manual
accounting system.
• They fall under two categories:
  - Application controls
  - General controls
Application controls

• These controls are concerned with the
completeness, accuracy and authorisation
of inputs, processing and outputs.
• They are also concerned with
maintenance of master files and the
standing data contained therein.
Application controls are divided into four groups:

• Input controls
• Processing controls
• Output controls and
• Master file controls
Input controls:

• The key words to remember for input
controls are: completeness, accuracy and
authorisation.
Completeness controls:

• These ensure that all data is processed and
none is omitted.
• Typical completeness controls include:
  - Pre-numbering documents and performing sequence checks.
  - Document counts, and
  - Performance of one for one checks i.e. checking each document
    processed against the input forms.
Accuracy controls

Accuracy controls ensure that all data, which is processed,
is processed accurately.
Typical accuracy controls include:
• Programmed checks on data fields for value, reference
number, date.
• Check digit verification i.e. reference numbers are as approved.
• Reasonableness test e.g. VAT to total value.
• Existence checks (e.g. customer name).
• Character checks (no unexpected characters used in
reference).
• Permitted range (no transaction processed over a certain
value).
Authorisation controls

• These controls ensure that authorised
personnel carry out processing.
• Someone may check the documents and
sign them, thus approving them for
processing.
PROCESSING CONTROLS

Controls are built into programs to validate
data. The validation routines are called
data vet routines and would include the
following controls:
Batch total reconciliation

• The computer checks the details of the
batch documents and compares them
with the information on the batch header
form.
Check digit verification

• Check digit verification i.e. reference
numbers are as approved.
Master file matching

• This involves checking the validity of the account
number etc by matching it against the respective
account on master file.
• Sequence number checks.
Reasonableness

• Predefined constraints can be
programmed into the computers to ensure
that data is valid e.g. purchases in excess
of shs.500,000,000 can be listed for
manual approval at a higher level.
Range check

• Valid parameters are defined i.e. discount
rates should range from 5% to 10%.
Predefined format:

• The computer is programmed to accept data in a
predefined format e.g. account name, account numbers,
name and address, credit limit and discount rate etc. The
computer will reject any transaction (input) that is not in
that format.
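
The data vet checks listed above (batch total reconciliation, check digit verification, master file matching, sequence checks, reasonableness and range checks), as an added Python example that is not part of the original slides. The modulus 11 check digit scheme, the account numbers, the field names and the batch itself are assumptions constructed for illustration; the shs 500,000,000 approval limit and the 5% to 10% discount range come from the slides.

```python
# Added example: a data vet routine run over one constructed batch.
APPROVAL_LIMIT = 500_000_000   # from the page: larger purchases go for manual approval
DISCOUNT_RANGE = (5, 10)       # from the page: discount rates range from 5% to 10%

# Constructed master file. The last digit of each account number is a check digit.
MASTER = {"12343": "Acme Ltd", "56782": "Beta Stores", "90123": "Gamma Co"}


def check_digit_ok(number):
    """Assumed scheme: modulus 11 with weights 2, 3, 4, ... from the right."""
    if not number.isdigit() or len(number) < 2:
        return False           # predefined format: digits only
    base, given = number[:-1], int(number[-1])
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    return (11 - total % 11) % 11 == given


def vet_transaction(txn):
    """Return the names of the programmed checks this transaction fails."""
    failed = []
    if not check_digit_ok(txn["account"]):
        failed.append("check digit")
    elif txn["account"] not in MASTER:
        failed.append("master file match")
    if not DISCOUNT_RANGE[0] <= txn["discount_pct"] <= DISCOUNT_RANGE[1]:
        failed.append("range")
    if txn["amount"] > APPROVAL_LIMIT:
        failed.append("manual approval")
    return failed


def vet_batch(header, txns):
    """Reconcile the batch to its header form, then vet every transaction."""
    batch = []
    if len(txns) != header["doc_count"]:
        batch.append("document count")
    if sum(t["amount"] for t in txns) != header["control_total"]:
        batch.append("control total")
    keyed = sum(int(t["account"]) for t in txns if t["account"].isdigit())
    if keyed != header["hash_total"]:
        batch.append("hash total")
    seen = {t["doc_no"] for t in txns}
    missing = [n for n in range(header["first_doc"], header["last_doc"] + 1)
               if n not in seen]
    exceptions = {t["doc_no"]: f for t in txns if (f := vet_transaction(t))}
    return {"batch": batch, "missing_docs": missing, "exceptions": exceptions}


# Constructed batch header, as prepared from the five source documents 101-105.
HEADER = {"doc_count": 5, "control_total": 607_500_000, "hash_total": 214_805,
          "first_doc": 101, "last_doc": 105}
# Constructed input as keyed: document 103 was lost, 102 has two digits transposed.
BATCH = [
    {"doc_no": 101, "account": "12343", "amount": 1_200_000, "discount_pct": 5},
    {"doc_no": 102, "account": "12433", "amount": 800_000, "discount_pct": 7},
    {"doc_no": 104, "account": "43214", "amount": 2_500_000, "discount_pct": 10},
    {"doc_no": 105, "account": "56782", "amount": 600_000_000, "discount_pct": 12},
]

if __name__ == "__main__":
    print(vet_batch(HEADER, BATCH))
```

The header totals show that something is missing from the batch, the sequence check names the lost document, and account 43214 shows why master file matching is still needed when the check digit is valid.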
CONTROLS OVER OUTPUTS:

These include:
• Batch controls
  Computer compares batch form information with
  expected results.
• Completeness: checking the outputs against the
  inputs.
• Distribution of output
  Inputs should have name of the recipient.
• Exception reports
  Concerned with information management of
  transactions which are abnormal.
MASTER FILE CONTROLS

• Master files in a computer contain standing data (data
which is unlikely to change very much) i.e. account
number, credit limits, discount rates etc.
• Master files may also contain transaction data (data that
is variable and is likely to change) e.g. amount of
invoices, cash received.
• In order to process data on a computer system, the
master file has to be correctly set up and must be up to
date. It is important that the updating or
amending of master file accounts is adequately
controlled.
Typical master file controls are

Authorisations:
Amending of data in the master file should
be authorised by a responsible official.
File balancing

There should be control totals over the number of
records on a file and the total value of outstanding
transactions on a file.
Example of file balancing controls:
Position as at the beginning     xx
Additions                        xx
                                 xx
Subtractions                    (xx)
Balance carried forward          xx
This control summary can either be computer
produced or manually produced.
Verification (one to one checking)

• This entails regularly printing out the
contents of a master file for manual
verification e.g. accuracy of discount rates.
Back up

Copies of files are stored together with
necessary update transactions so that
manual verification e.g. accuracy of
discount rates.
Cyclical reviews

• All master files and standing data should
be reviewed after a reasonable time of say
1½ years.
GENERAL CONTROLS

• These controls relate to the whole computer
department.
• These include physical controls, physical locks,
access to data and programs, passwords, system
development controls, maintenance controls,
programming controls and transaction logs.
• The objective of such controls is to ensure:
  - There is integrity of development and implementation
    of application packages.
  - Computer hardware, programs and data files are
    protected.
Typical general controls are

• System development controls
• Program changes controls
• Continuity controls
System development controls
• To ensure developments are authorised.
• To ensure proper standards are followed during
development.
• To ensure changes are tested and documented.
• Ensure there are testing procedures.
• Ensure there is full documentation of all procedures
and programs.
• Ensure before implementation programs have to be
approved by users.
• Ensure internal audit is involved.
• Ensure there is segregation of duties between
development and operation
Program changes controls:
Controls should ensure:
• Those carrying out the changes are trained and
supervised.
• Changes are authorised.
• Changes are documented.
• There is password protection to prevent
unauthorised access.
• There are back up programs.
• Files are physically protected.
• There is rotation of duties.
• There is thorough testing.
Continuity controls:

• Back up procedures.
• Standby arrangements.
• Testing back up arrangements.
• Protection against fire and theft.
• Maintenance agreements.
• Insurance
• Copy files.
Computer assisted audit techniques (CAATs)

• These are techniques that use the
computer as an audit tool to apply audit
procedures when auditing computerised
systems.
• There are two main types of computer
assisted audit techniques (CAATs).
These are:
  - Audit software and
  - Test data.
Audit software
• These are computer programmes used by
the auditor to examine the enterprise's
computer files.
• Audit software is divided into:
  - Generalised audit software
  - Specialized audit software and
  - Utility programmes and existing entity
    programmes.
Generalised audit software
• These are packaged computer programmes
designed to perform a variety of data
processing functions including:
• Reading computer files
• Selecting desired information
• Performing calculations and
• Printing reports in a format specified by the
auditor.
Specialized audit software
• These are computer programmes designed to
perform specific tasks in specific
circumstances.
• They are prepared by the auditor, by the entity
or by an outside programmer engaged by the
auditor.
• The auditor should participate in defining and
reviewing the objectives, supervising their
development, amending and testing.
Utility programmes and existing programmes

• These are programmes used by the entity
to perform common data processing
functions including:
a) Sorting
b) Creating and printing computer files
• They are not designed for audit purposes.
• They are existing entity programmes in
their original or modified state.
Test data
• Test data is defined as data used by the auditor for
computer processing to test the operation of the
enterprise's computer programs.
• Sample data is fed into the EDP system and
processed using the programme being tested. The
results obtained are compared with predetermined
results.
• For example:
  - Test data developed by the auditor to test specific
    controls in computer programmes such as online
    password and data access controls.
  - A “dummy” unit i.e. a department or employee is
    established to which test transactions are posted
    during normal processing.
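
The test data technique described above, as an added Python example that is not part of the original slides: a deck of test transactions with predetermined results is run against a program and the deviations are reported. `client_post_invoice` is a hypothetical stand-in for the client's program, with a missing validity check left in on purpose; the customers, credit limits and result strings are constructed.

```python
# Added example: the test data technique against a stand-in program.
# Constructed master file; DUMMY is the auditor's dummy customer.
CREDIT_LIMITS = {"C001": 100_000, "DUMMY": 50_000}


def client_post_invoice(balances, customer, amount):
    """Hypothetical stand-in for the client's program under test.

    Deliberate weakness for the demonstration: it has no check on the sign
    of the amount, so zero and negative invoices are posted.
    """
    if customer not in CREDIT_LIMITS:
        return "REJECT: unknown customer"
    if balances.get(customer, 0) + amount > CREDIT_LIMITS[customer]:
        return "REJECT: credit limit"
    balances[customer] = balances.get(customer, 0) + amount
    return "POSTED"


# Constructed test deck. "expected" is the predetermined result the auditor
# worked out from the documented controls before running anything.
TEST_DECK = [
    {"id": "T1", "customer": "DUMMY", "amount": 20_000, "expected": "POSTED"},
    {"id": "T2", "customer": "DUMMY", "amount": 30_000, "expected": "POSTED"},
    {"id": "T3", "customer": "DUMMY", "amount": 1,
     "expected": "REJECT: credit limit"},
    {"id": "T4", "customer": "X999", "amount": 100,
     "expected": "REJECT: unknown customer"},
    {"id": "T5", "customer": "DUMMY", "amount": -5_000,
     "expected": "REJECT: invalid amount"},
    {"id": "T6", "customer": "DUMMY", "amount": 0,
     "expected": "REJECT: invalid amount"},
]


def run_test_data(program, deck):
    """Process the deck and compare each result with the predetermined one."""
    balances = {}
    deviations = []
    for case in deck:
        actual = program(balances, case["customer"], case["amount"])
        if actual != case["expected"]:
            deviations.append((case["id"], case["expected"], actual))
    # Anything left on the dummy unit must be reversed after the test.
    return {"deviations": deviations,
            "to_reverse": balances.get("DUMMY", 0),
            "live_accounts_touched": sorted(set(balances) - {"DUMMY"})}


if __name__ == "__main__":
    print(run_test_data(client_post_invoice, TEST_DECK))
```

T2 and T3 sit on either side of the credit limit, so the boundary of the programmed control is tested as well as its existence.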
Advantages of CAAT

• CAATs are the only effective way of testing
programmed controls.
• Use of CAATs will enable the auditor to test a larger
number of items quickly and more accurately and
therefore increase his confidence in his opinion.
• CAATs provide a better test of the accounting system
(tapes, disks) rather than relying on testing print outs
from the system.
• Once set up CAATs will be cost effective provided the
system is not changed regularly.
• Carefully planned uses of CAATs may increase the
auditor’s confidence, as the results will be compared
with manually obtained evidence.
Controls in small computer systems

• In a small computer system controls are inadequate
and ineffective.
• There is unrestricted access to terminals or data.
• There is no division of duties. The same persons
may be responsible for preparing inputs, processing
data and distributing outputs. Similarly the
programmers may be doing operators' responsibilities.
• The system may not be fully documented i.e.
programs and program amendments may be
undocumented.
• Data and programs may be lost on conversion.
• There are no application and general controls.
• There is lack of audit trail.
Controls that may be implemented in small computer systems:
• A specific person should be nominated to use
terminals.
• The computer room should always be locked and
access limited to authorised personnel only.
Passwords should be used to protect data files and
programs.
• Logs should be maintained to record the use of
terminals and attempts to gain unauthorised access.
• Control totals, hash totals and document
counts should be maintained to avoid loss of data.
• Senior staff should supervise junior staff.
• Program changes should be supervised.
Limitation of controls
• They become obsolete, as they don’t
accommodate growth and changes in
technology.
• The benefits are outweighed by costs.
• Controls concentrate on routine transactions
and not on non-routine ones such as accidents and
one-offs at the year-end.
• The potential for human error, drunkenness.
• The potential for collusion to defeat the
controls.
• The abuse of authority to override the
controls, as in the armed forces where orders are
first obeyed.
E-commerce (electronic commerce)

• E-commerce is defined as conducting business
over the internet electronically.
• E-commerce avoids the paper-based method
and uses the EDI or electronic data interchange
method to exchange documents such as
invoices between computers that have
compatible hardware and software. Receipts,
invoices and other forms may be filled and
transmitted electronically. Money is transferred
through credit card transfers, which use
secure electronic transmission (SET), which is
an extension of EDI.
E-commerce risks
Doing business electronically using ICT is risky.
The risks associated with e-commerce include:
• System breakdown:
  If the ICT system breaks down all business information
  may be lost, thus having going concern implications.
• Viruses:
  Viruses can destroy important data and programs,
  thus having going concern implications.
• Failure of the internet service provider, thus leading to
  loss of business and important business information.
• Confidentiality problem:
  Hackers may get access to commercially sensitive
  information and use it to destroy the firm
  commercially.
• Integrity:
  Data may be corrupted, illegally duplicated or lost
  when held electronically.
• Health and safety:
  Continuous exposure to computer screens may injure
  the employees’ health and lead to actions for damages.
• Non-compliance with the law:
  Many countries have enacted data protection law. If
  business organizations don’t comply with the law they
  may be fined.
• Tight competition:
  The web is a universal information provider, including
  marketing and production information; such information
  will make competition tougher.
• Fraud:
  ICT experts commit fraud that may pass undetected.
  They may misuse the complexity of ICT systems.
• Money laundering:
  Money laundering is enhanced by modern ICT
  systems.
• Lack of audit trail:
  An individual transaction cannot be traced through the
  system from originating documents to financial
  statements, as there is no visible evidence.
• Lack of appropriate technical skills:
  Few staff are ICT experts who, as such, can conduct
  effective e-commerce.
Steps to reduce e-commerce risks.

• To be aware of the risks, risk assessment has to be carried out.
• There should be a good control environment owned by the
board of directors and all the employees.
• There should be national e-commerce standards, which should
be observed by the organization staff.
• There should be an efficient and effective internal audit
department that has e-commerce skills.
• Having system access controls such as passwords and
physical security.
• Using encryption.
• Having back up for data and e-commerce chains.
• Having well designed websites that are up-to-date and can be
navigated quickly.
• Maintaining audit trails i.e. it should be possible to retrieve and
review audit trails/logs on demand.
The web trust
• The web trust is a registered organization that ensures that
those companies that use their seal (web trust seal) of approval
meet the criteria for electronic commerce.
• The web trust is an organization of licensed accountants who
confirm that the disclosure on the website and the controls
operated by the business do meet the web trust criteria. The
web trust accredits their clients by allowing them to use their seal,
which is renewed after every three months of an audit by the
web trust.
• The web trust gives assurance to consumers of services
provided over the Internet (e-commerce) that:
  - The firms doing business are reputable.
  - Credit card fraud cannot be committed by any of the parties
    to electronic business.
  - Goods will be received.
  - Unsuitable or damaged goods are returnable.
  - Personal details will be kept confidential.
Conducting an e-commerce audit: things to observe.
• Ensure that there is a technical expert in the firm.
• Decide whether to accept the audit engagement.
• Availability of resources and skills.
• Compliance with standards and the law.
• Assign staff with appropriate technical expertise to the
audit.
• Obtain very detailed knowledge of the particular audit.
• Assess the overall control environment.
• Examine and assess the specific on-line and real time
processing controls.
• Liaise with and assess the internal audit department.
• Pay special attention to going concern.