Auditing Data Management Systems Chapter 3 with added info

Feb 06, 2016


ermin

Page 1: Chapter 3 with added info

Auditing Data Management Systems

Chapter 3 with added info

Page 2: Chapter 3 with added info

Challenges of Sophisticated Computer Systems

• electronic method of sending documents between companies

• no “paper trail” for the auditor to follow

• increased emphasis on front-end controls

• security becomes key element in controlling system

Page 3: Chapter 3 with added info

Objectives of General Controls

1. Responsibility for control

2. Information system meets needs of entity

3. Efficient implementation of information systems

4. Efficient and effective maintenance of information systems

5. Effective and efficient development and acquisition of information systems

6. Present and future requirements of users can be met

7. Efficient and effective use of resources within information systems processing

Page 4: Chapter 3 with added info

Objectives of General Controls

8. Complete, accurate and timely processing of authorized information systems

9. Appropriate segregation of incompatible functions

10. All access to information and information systems is authorized

11. Hardware facilities are physically protected from unauthorized access, loss or damage

12. Recovery and resumption of information systems processing

13. Maintenance and recovery of critical user activities

Page 5: Chapter 3 with added info

Input Controls

• input data should be authorized & approved

• the system should edit the input data & prevent errors

• Examples include: validity checks, field checks, reasonableness check, record counts etc.

Page 6: Chapter 3 with added info

Processing Controls

assure that data entered into the system are processed, processed only once, and processed accurately

Page 7: Chapter 3 with added info

Processing Controls

Examples

• control, batch, or proof total - a total of a numerical field for all the records of a batch that normally would be added (example: wages expense)

• logic test - ensures against illogical combinations of information (example: a salaried employee does not report hours worked)
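The input and processing controls from the preceding slides, as an added example that is not part of the original slides: edit checks on each payroll record, followed by a record count and a wages control total reconciled against the batch header. The field names, the 80-hour limit and the sample batch are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation

VALID_PAY_TYPES = {"hourly", "salaried"}
MAX_WEEKLY_HOURS = Decimal("80")  # assumed reasonableness limit

def edit_record(rec):
    """Return the edit checks that one payroll input record fails."""
    try:  # field check: numeric fields must hold numbers
        hours, wages = Decimal(rec["hours"]), Decimal(rec["wages"])
    except InvalidOperation:
        return ["field check"]
    errors = []
    if rec["pay_type"] not in VALID_PAY_TYPES:
        errors.append("validity check")
    if not (0 <= hours <= MAX_WEEKLY_HOURS) or wages < 0:
        errors.append("reasonableness check")
    if rec["pay_type"] == "salaried" and hours != 0:
        errors.append("logic test")  # salaried employee reporting hours
    return errors

def process_batch(header, records):
    """Edit each record, then reconcile accepted records to the batch header."""
    rejected, seen, total = {}, set(), Decimal("0")
    for rec in records:
        errs = edit_record(rec)
        if rec["emp_id"] in seen:
            errs.append("duplicate record")  # each record is processed only once
        seen.add(rec["emp_id"])
        if errs:
            rejected[rec["emp_id"]] = errs
        else:
            total += Decimal(rec["wages"])
    return {
        "rejected": rejected,
        "record_count_ok": header["record_count"] == len(records),
        # Out of balance until rejected records are corrected and resubmitted.
        "control_total_ok": Decimal(header["wages_total"]) == total,
    }

# Constructed sample batch; the header totals come from the submitting department.
HEADER = {"record_count": 4, "wages_total": "5250.00"}
BATCH = [
    {"emp_id": "E1", "pay_type": "hourly", "hours": "40", "wages": "800.00"},
    {"emp_id": "E2", "pay_type": "salaried", "hours": "0", "wages": "1850.00"},
    {"emp_id": "E3", "pay_type": "salaried", "hours": "12", "wages": "1900.00"},
    {"emp_id": "E4", "pay_type": "hourly", "hours": "4O", "wages": "700.00"},  # letter O
]

if __name__ == "__main__":
    print(process_batch(HEADER, BATCH))
```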

Page 8: Chapter 3 with added info

Output Controls

assure that data generated by the system are valid, accurate, complete, and distributed to authorized persons in appropriate quantities

Page 9: Chapter 3 with added info

Objectives of Application Controls

1. Design application controls with regard to:

- segregation of incompatible functions

- security

- development

- processing of information systems

2. Information provided by the systems is:

- complete

- accurate

- authorized

3. Existence of adequate management trails

Page 10: Chapter 3 with added info

There are two general approaches to auditing EDP systems:

1. Auditing “around” the computer involves extensive testing of the inputs and outputs of the EDP system and little or no testing of processing or computer hardware.

This approach involves no tests of the computer programs and no auditor use of the computer.

Page 11: Chapter 3 with added info

There are two general approaches to auditing EDP systems:

1. Auditing “around” the computer depends on a visible, traceable, hard copy audit trail made of manually prepared and computer-prepared documents.

Page 12: Chapter 3 with added info

There are two general approaches to auditing EDP systems:

2. Auditing with use of the computer involves extensive testing of computer hardware and software.

Page 13: Chapter 3 with added info

Techniques for auditing with use of the computer

1. Test data involves auditor preparation of a series of fictitious transactions; many of those transactions will contain intentional errors. The auditor examines the results and determines whether the errors were detected by the client’s system.

Page 14: Chapter 3 with added info

What are the shortcomings of the use of test data?

- possibility of accidental integration of fictitious and actual data

- preparation of test data that examines all aspects of the application is difficult

- the auditor must make sure that the program being tested is the one actually used in routine processing

Page 15: Chapter 3 with added info

Techniques for auditing with use of the computer

2. Parallel simulation

- the auditor writes a computer program that replicates part of the client’s system

- the auditor’s program is used to process actual client data

- the results from the auditor’s program and that of the client’s routine processing are compared

Page 16: Chapter 3 with added info

Auditing Software

Generalized audit software (GAS) involves the use of auditor programs, client data, and auditor hardware. The primary advantage of GAS is that the client data can be downloaded into the auditor’s system and manipulated in a variety of ways.

Page 17: Chapter 3 with added info

Common Audit Software Functions

- verifying extensions and footings

- examining records

- comparing data on separate files

- summarizing or re-sequencing data and performing analyses

- comparing data obtained through other audit procedures with company records

- selecting audit samples

- printing confirmation requests

Page 18: Chapter 3 with added info

Differences with Computer Processing

• Audit trails are different than with manual accounting systems

• Portions of audit trails may be temporary or never exist

• Processing is more uniform

• Computer may initiate and complete transactions

• Greater potential for fraud

Page 19: Chapter 3 with added info

Impact of Computers on Planning

• Extent to which computers are used

• Complexity of computer operations

• Organizational structure of computer operations

• Availability of data

• Use of CAATs

• Need for specialized skills by auditor

Page 20: Chapter 3 with added info

Audit Alternatives

• Continuous (Electronic) Auditing

• Auditing Around the Computer

• Auditing Through the Computer

• Non-concurrent (after-the-fact) auditing

– Can be used for tests of transactions and balances (substantive tests)

– Can be used to test the effectiveness of controls at various times in the past

– Recent SAS pronouncements reduce applicability of non-concurrent auditing

Page 21: Chapter 3 with added info

Audit Alternatives

• Concurrent auditing provides greater information about the effectiveness of controls

– Special audit test records can be used to examine system effectiveness

– Embedded audit modules collect, process and report audit evidence as it is processed by the system

Page 22: Chapter 3 with added info

SAS No. 80

• In entities where significant information is transmitted, processed, maintained, or accessed electronically, the auditor may determine that it is not practical or possible to reduce detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions.

Page 23: Chapter 3 with added info

SAS No. 80

• Due to the short-term nature of electronic data, the auditor should consider the time during which information exists or is available in determining the nature, timing and extent of his tests

Page 24: Chapter 3 with added info

SAS No. 94

• “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”

• Amends SAS No. 55 – “Consideration of Internal Control in a Financial Statement Audit”

• SAS No. 94 does NOT change the requirement that the auditor obtain a sufficient understanding of internal control to plan the audit

Page 25: Chapter 3 with added info

SAS No. 94

• SAS No. 94 acknowledges that IT use presents benefits as well as risks to an entity’s internal control

• The auditor should expect to encounter IT systems and electronic records rather than paper documents

• An entity’s IT use may be so significant that the quality of the audit evidence available to the auditor will depend on the controls that business maintains over its accuracy and completeness

Page 26: Chapter 3 with added info

SAS No. 94

• As companies rely more and more on IT systems and controls, auditors will need to adopt new testing strategies to obtain evidence that controls are effective

• An auditor might need specialized skills to determine the effect of IT on the audit

• In some instances, the auditor may need the skills of a specialist

Page 27: Chapter 3 with added info

Areas of Audit Focus

• Auditing computer programs

• Auditing computer processing

• Auditing computer files and databases

Page 28: Chapter 3 with added info

Auditing Computer Programs

• Non-processing of data

– Program logic flowchart verification

– Program code checking

– Examination of job accounting and control information

– Review printouts

Page 29: Chapter 3 with added info

Non-concurrent Auditing

• The Black Box Approach (still allowed?)

– Must be able to locate copies of source documents for transactions and the accounting reports resulting from those transactions

– Must be able to read the source documents and reports without the aid of the client’s computer

– Auditor must assess a low level of risk on controls external to EDP

Page 30: Chapter 3 with added info

Black Box Approach

• Must trace transactions from the source documents (cradle) to the accounting reports (grave) and from the reports back to the source documents

[Figure: Black Box Approach. Labels: Source Documents (Document with error, Document, Document); Computer (Black Box); Output Reports (Document with error, Document, Document); Manual Verification]

Page 31: Chapter 3 with added info

Need for Concurrent Auditing

• Disappearing paper-based audit trail

• Continuous monitoring required by advanced systems

• Increasing difficulty of performing transaction walkthroughs

• Presence of entropy (disorder) in systems

• Outsourced and distributed IS

• Increased interorganizational IS (EDI)

Page 32: Chapter 3 with added info

EDP Controls

Categories: General; Application

General controls

Nature: Pertain to EDP environment and all EDP activities

Specific Types of Controls:

• Organization and Operation

• Systems Development and Documentation

• Hardware and Systems Software

• Access

• Data and Procedural

Application controls

Nature: Pertain to specific EDP tasks

Specific Types of Controls:

• Input

• Processing

• Output

Page 33: Chapter 3 with added info

Errors and Irregularities / Necessary Control Procedures

INPUT

Errors and irregularities:

• Valid data are incorrectly converted to machine-sensible form.

• Properly converted input is lost, duplicated or distorted during handling.

• Detected erroneous data are not corrected and resubmitted for processing.

Necessary control procedures:

• Verification controls

• Computer editing

• Batch controls

• Data control group monitoring

• Transmittal controls

• Control totals

• Error logs

• Data control group monitoring

PROCESSING

Errors and irregularities:

• The wrong files are processed and updated.

• Processing errors are made on valid input data.

• Illogical or unreasonable input is processed.

Necessary control procedures:

• External file labels

• Internal file labels

• Control totals

• Limit and reasonableness tests

OUTPUT

Errors and irregularities:

• Output may be incorrect because of processing errors.

• Output may be incorrect because file revisions are unauthorized or approved changes are not made.

• Output is distributed to unauthorized users.

Necessary control procedures:

• Output control totals

• Periodic comparisons of file data with source documents

• Data control group monitoring

• Report distribution control sheet

Page 34: Chapter 3 with added info

Tests of Controls Techniques

• Auditing Around the Computer—Manually processing selected transactions and comparing results to computer output

• Auditing Through the Computer—Computer assisted techniques

– Test Decks—Processing dummy transactions and records with errors and exceptions to see that program controls are operating

Page 35: Chapter 3 with added info

Tests of Controls Techniques

– Controlled Programs—Processing real and test data with a copy of the client’s program under the auditors’ control

– Program Analysis Techniques—The examination of a computer generated flowchart of the client’s program to test the program’s logic

– Tagging and Tracing Transactions—Examination of computer generated details of the steps in processing “tagged” transactions

Page 36: Chapter 3 with added info

Tests of Controls Techniques

– Integrated Test Facility—A system that processes test data simultaneously with real transactions to allow the system to be constantly monitored

– Parallel Simulation—The use of an auditor-written program to process client data and comparison of its output to the output generated by the client’s program

Page 37: Chapter 3 with added info

[Figure: Auditors’ Test Data; Client’s Program; Computer Processing; Computer Results, which should match Auditors’ Predetermined Results]

Page 38: Chapter 3 with added info

System Concept of Parallel Simulation

[Figure labels: “Live” system; Simulated system; Transactions; Master file; Simulated output; “Live” file; Comparison; Exceptions]

Source: W.C. Mair, “New Techniques in Computer Program Verification,” Tempo (Touche Ross & Co., Winter 1971-72), p. 14.

Page 39: Chapter 3 with added info

Parallel Simulation

[Figure labels: Input Transaction File; Input Master File; System Application; Parallel Simulation; Generalized Audit Software; Output Master File; Output Master File; Discrepancies]
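Parallel simulation as described on the earlier technique slide and in the two diagrams above, as an added example that is not part of the original slides: the auditor's own program recomputes invoice extensions from the client's transaction and master files, and the comparison step lists the exceptions against the client's "live" output. The file layouts, item codes and amounts are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def simulate(transactions, master):
    """Auditor's independent re-computation of each invoice extension."""
    simulated = {}
    for t in transactions:
        price = master.get(t["item"])
        if price is None:
            simulated[t["invoice"]] = None  # item is not on the master file
        else:
            amount = Decimal(t["qty"]) * Decimal(price)
            simulated[t["invoice"]] = amount.quantize(CENT, rounding=ROUND_HALF_UP)
    return simulated

def compare(simulated, live):
    """Return (invoice, reason) for every difference between the two outputs."""
    exceptions = []
    for inv in sorted(set(simulated) | set(live)):
        if inv not in live:
            reason = "missing from live output"
        elif inv not in simulated:
            reason = "live output without a source transaction"
        elif simulated[inv] is None:
            reason = "item not on master file"
        elif simulated[inv] != Decimal(live[inv]):
            reason = "amount differs"
        else:
            continue
        exceptions.append((inv, reason))
    return exceptions

# Constructed client data: master file (unit prices), transactions, live output.
MASTER = {"A100": "12.50", "B200": "3.333"}
TRANSACTIONS = [
    {"invoice": "INV1", "item": "A100", "qty": "4"},
    {"invoice": "INV2", "item": "B200", "qty": "3"},
    {"invoice": "INV3", "item": "A100", "qty": "2"},
    {"invoice": "INV5", "item": "C300", "qty": "1"},
]
LIVE_OUTPUT = {"INV1": "50.00", "INV2": "9.99", "INV4": "75.00", "INV5": "20.00"}

if __name__ == "__main__":
    for inv, reason in compare(simulate(TRANSACTIONS, MASTER), LIVE_OUTPUT):
        print(inv, reason)
```

Each exception is a lead for follow-up rather than a finding: a difference can come from the client's program, from the auditor's simulation, or from the files supplied.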

Page 40: Chapter 3 with added info

Types of Concurrent Auditing

• Testing real data

– Tracing transactions

– Snapshot/extended record (EAM)

– System Control Audit Review File (SCARF)

• Testing simulated data

– Test deck approach

– Integrated test facility (ITF)

Page 41: Chapter 3 with added info

Auditing Using Client’s Computer- Tracing Real Data

• Provides direct confirmation that controls functioned as prescribed

• Weaknesses of approach

–Actual transactions selected may not trigger all of the controls- in fact, finding actual transactions to test every control may not be possible

–May be disruptive to client’s operation

Page 42: Chapter 3 with added info

Auditing using Client’s Computer-Tracing Real Data

• Weaknesses, continued

–Difficult to verify that program tested is program normally used

–Difficult to verify that procedures used during test are procedures normally employed

–Auditor needs to understand IT operations

Page 43: Chapter 3 with added info

Auditing using Client’s Computer-Using Simulated Data

• Strengths

– Auditor can reduce substantially the number of records that have to be processed (one record can test several controls)

– Permits testing of every control

Page 44: Chapter 3 with added info

Auditing using Client’s Computer-Using Simulated Data

• Weaknesses

– Only those conditions known to exist can be tested

– Same program and procedures questions as in processing real data

– Removal of simulated data from client's records

Page 45: Chapter 3 with added info

Auditing using Client’s Computer-Using Simulated Data

• Verify that no amounts, accounts, or transaction types are omitted

• Verify pricing, extensions, and other valuation procedures

• Verify account coding and classification

• Verify proper time period recording

• Test subsidiary records footing and reconciliation to control account balances

Page 46: Chapter 3 with added info

Auditing using Client’s Computer-Using Simulated Data

• Test data or test record approach

–Simulated data is controlled and processed separately from real data

–Output is compared to auditor-calculated output

Page 47: Chapter 3 with added info

Auditing using Client’s Computer-Using Simulated Data

• Integrated test facility (ITF)

–Simulated data is assigned a special code to distinguish it from real data

–Simulated data is integrated with real data and processed in normal course of business

–Weakness - simulated data may be processed differently than real data

Page 48: Chapter 3 with added info

Generalized Audit Software

• Off-the-shelf software that allows examination of client data on auditor’s computer

• Information systems vary widely between clients

– Hardware and software environments

– Data structures

– Record formats

– Processing functions

Page 49: Chapter 3 with added info

Generalized Audit Software

• GAS developed specifically to accommodate a wide variety of hardware and software platforms

• Allows auditor to quickly modify audit approach as audit objectives change

• Allows auditors relatively unskilled in computer systems to audit effectively in an electronic environment

Page 50: Chapter 3 with added info

Functional Capabilities of GAS

• File access

• File reorganization (sorting and merging)

• Filtering (Boolean operators: =, >=, <=, <>, AND, OR, etc.)

• Statistical (sample selections)

• Arithmetic

• Stratification

• File creation

• Reporting

Page 51: Chapter 3 with added info

Available CAATs

• CA-Easytrieve (Computer Associates)

– Works in UNIX or LAN (primarily mainframes)

– Uses a background language similar to COBOL

• SAS

– Statistical analysis

– Data mining

• ACL

• IDEA

Page 52: Chapter 3 with added info

Electronic Workpapers

• Electronic working papers

– Standardizes audit forms and formats

– Improves quality and consistency

– Coordinates efforts

– Can centralize management efforts

Page 53: Chapter 3 with added info

Centralized Vs Distributed Systems

• Some activities should remain centralized

• DDP is more expensive but can add efficiencies over straight client-server approach

• Data can be distributed in different ways

• May raise security issues

• Auditor must question how each site is secured

• DDP may be partitioned or replicated

• DDP requires concurrency control

Page 54: Chapter 3 with added info

End Ch 3