INFORMATION SYSTEM AUDIT AND MANAGEMENT AUDIT

Study Note – 9
This study note includes -

● Information System Audit
  - Information System Audit
  - Computer Auditing
  - Computer Information System & Environment
  - Computer Information System and Internal Control
  - Audit Risks
  - Steps in an Audit
  - Computer Assisted Audit Techniques
  - AAS - 29 - Auditing in a Computerised Information System (CIS)
  - Audit in the case of EDI
  - Audit in case of E-Commerce Environment
  - Audit in Online System Environment
  - Audit in the case of Environment of Personal Computer
  - Audit in case of data processing
● Introduction to Management Audit
  - Definition
  - Need
  - Scope
  - Management Audit Process
  - Advantages of Management Audit
  - Limitations of Management Audit

9.1. INFORMATION SYSTEM AUDIT


Formerly the information system audit was called the Electronic Data Processing (EDP)
audit. Information System Audit is also known as Information Technology Audit.

The information technology audit was introduced in mid 1960 and has gone through
numerous changes due to advances in technology and the incorporation of technology into
business.

(A) Information System Audit

In an information technology audit, the auditor is required to have a detailed
knowledge of information systems along with a general understanding of accounting.

System

System means the instrumentality that combines interrelated, interacting artifacts designed
to work as a coherent entity.

Information - It is knowledge derived from study, experience or instruction. In simple
words, information is a message received and understood.

Information system or Information Technology Audit

It is an examination of the controls within an information technology infrastructure. These
reviews may be performed in conjunction with a financial statement audit, internal audit
or other form of attestation engagement. This is a process of collecting and evaluating evidence
of an organisation’s information systems, practices and operations. The evaluation of the obtained
evidence determines whether the information systems are safeguarding assets, maintaining data
integrity and operating effectively and efficiently to achieve the organisation’s goals or
objectives. The information technology audit is also known as automated data processing
(ADP) audit and computer audit.

Purpose

An I.T. audit is not entirely similar to a financial statement audit. An evaluation of
internal control may or may not take place in an I.T. audit. Reliance on internal control is
a unique characteristic of a financial audit. An evaluation of internal controls is necessary
in a financial audit in order to place reliance on internal control and thereby substantially
reduce the amount of testing necessary to form an opinion regarding the financial statements
of the company. An I.T. audit may take the form of a “Central control review” or an
“Application control review”. The review examines different control measures, using different
audit tools to examine system programming and data central procedure in order to
determine the efficiency of computer operation, such as data base central, encryption tools,
firewall tools, forensic tools, NEWS, NMAP, steganography tools, VOIP tools, wardriving
tools, WEP cracking tools, wireless tools etc.

Regarding the protection of information assets, one purpose of an I.T. audit is to review and evaluate
an organisation’s information system availability, confidentiality and integrity by answering
questions like -

(1) Will the organisation’s computer systems be available for the business at all times when
required? (Availability)

(2) Will the information in the system be disclosed only to authorised users? (Confidentiality)

Approach

There are three systematic approaches to carry out an I.T. audit, which are -

(a) Technological Innovation Process Audit :

The aim of this approach is to construct a risk profile for existing and new projects by
assessing the length and depth of the company’s experience in it.

(b) Innovative Comparison Audit :

(c) Technological Position Audit :

This reviews the technologies needed by the business and places them in one of the four
categories of base, key, pacing and emerging.

Types of I.T. Audit

(1) System and Application

An audit to verify that systems and applications are appropriate, efficient and adequately
controlled to ensure valid, reliable, timely and secure input, processing and output at
all levels of a system’s activity.

(2) Information Processing Facilities

An audit to verify that the processing facility is controlled to ensure timely, accurate and
efficient processing of applications under normal and potentially disruptive conditions.

(3) Systems Development

An audit to verify that the systems under development meet the objectives of the
organisation and to ensure that the systems are developed in accordance with generally
accepted standards for system development.

(4) Management of I.T. and Enterprise Architecture

An audit to verify that I.T. management has developed an organisational structure
and procedures to ensure a controlled and efficient environment for information
processing.

(5) Client, Telecommunications, Internets, Extranets

An audit to verify that controls are in place on the client, the server and the network
connecting the client and server.

As in the case of other audits, the I.T. audit process too takes the following basic steps -
(1) Planning (2) Studying and evaluating control (3) Testing and evaluating control (4) Reports
(5) Follow up.

(B) Computer Auditing

Where information is processed on computers, one way of auditing is to get printouts of
all records, accounts and information and then check them as usual, but this is very time
consuming, cannot evaluate the system’s internal controls, and leaves certain errors
undetected. The other, more acceptable way is for the auditor to evaluate the controls in the
computer information system, then decide the nature, timing and extent of the
substantive procedures to be followed, and make use of the computer in conducting compliance
tests as well as substantive tests. For this the auditor must have sufficient knowledge of
computer systems and, in certain cases, specialised skills in the operation of computer systems.

(C) Computer Information System

The computer information system environment may differ according to the
computer system used, but there are certain features common to all computer information
system environments, such as:

Organisation Structure : The organisation structure includes knowledge, programmes, data
and different kinds of jobs at one place.

Nature of processing : Sometimes, without any document as a base, particular
transactions such as interest are credited directly to a particular account by the system itself as per
the program instructions. In computerised accounting, unlike manual
accounting, the transaction trails are not apparently available, but the auditor can find them in machine-readable
form. Unless appropriate controls are installed, there is a great possibility of unauthorised
access to the computer system. Unless appropriate controls are installed, the data can be
accessed and altered through terminals from remote locations.

Designs : The computer information system works more consistently because a computer
performs exactly according to its program. A program can incorporate automatic checks,
which locate abnormal transactions and include them in a report to be reviewed by the
concerned officer. Password techniques are used to avoid unauthorised access. A single
transaction entered in the system automatically makes entries in all related records. The
program installed in the system can initiate particular transactions on its own. The programs
and data are stored on hard disc or other portable media like CD, floppy etc., which can
face intentional or accidental destruction.

(D) Computer Information System and Internal Controls

An auditor is concerned with the controls from the point of view of authenticity, accuracy,
completeness, asset safeguarding etc. The internal controls in a computer information
system are based on the same principles as those followed in a manual system, which means
the system of authorisation, allotment of duties etc. are determined on the
same basis as in the manual system.

Some of these controls are as under -

(1) Password - This control is used to identify the person before the computer information
system starts processing the task. This control assures that the data fed into and the
processing done by the computer information system are authorised.

(2) Edit Test - Edit test, financial control test etc. help in correct data entry and accurate
processing by the computer information system.

(3) Batch Cancellation Stamp - This control ensures that data is processed only
once and repetition is avoided.

(4) Financial Control Total - Along with edit test, this control helps in savings while of
the data and complete processing of the data.

(5) File Libraries - File libraries, locks on computer installations etc. are used to safeguard
the computer information system from destruction and corruption.

(6) Audit Trails - Ensure that all those records and processes from which the financial
statements are derived are maintained within the system.

(7) General Control - These controls establish overall control on all of the activities of the
computer information system. These controls include a) Organisational Control b)
System & Documentation Control c) Access Control d) Hardware Control e) Procedural
Control etc.

(8) Application Controls - Over and above general control, control over the applications
of the computer information system is very important. These controls include a) Input
control b) Processing control and c) Output control.

The auditor should evaluate the above control measures to ascertain their effects on the
system. A clear audit trail assists the auditor in the audit and allows the auditor to trace a
transaction from input to output data. A proper electronic trail helps in tracing the transaction
properly.

(E) Audit Risks :

The Information System Auditor is concerned with the following objectives -

(a) Asset Safeguarding
(b) Data Integrity
(c) System Effectiveness
(d) System Efficiency

For this, the auditor collects the necessary evidence to assess whether the audit achieves the above
objectives, but due to the nature of verification, the auditor might fail to detect real material losses
or errors. To reduce this risk, the appropriate audit approach is selected and designed
accordingly. In 1988 the American Institute of Certified Public Accountants determined the
level of audit risk to be adopted by using the following ‘Risk Model’.

Desired audit risk = Internal risk × Control risk × Detection risk.

Internal risk represents the material losses or errors existing in some segment of the audit,
before the reliability of internal controls is considered.

Control risk means the likelihood that internal controls in some part of the audit cannot prevent,
detect or correct the material losses or errors.

Detection risk means the likelihood that the audit procedures used in some part of the audit will fail to detect the
material losses or errors.

While applying this model, the auditor selects his level of desired audit risk; along with that
he assesses the short-term and long-term consequences upon the auditor of the material
losses and errors he fails to detect. Afterwards, the auditor considers the internal risk, in
which he takes into consideration the nature of the organization, the industry in which it operates,
the nature of management, and the accounting system and application systems. To evaluate the
level of control risk, the auditor considers the reliability of management and application controls;
management controls cover all the application systems, and if they are
absent it is a serious concern for the auditor. Lastly, the auditor calculates the level of detection
risk, and for that he designs procedures for evidence collection on the basis of his
understanding of how likely each procedure is to detect the existing material losses and errors;
while designing an audit procedure he must ensure that it is properly executed. In
short, the audit risk model is an effort focused on the areas where the auditor has the highest
payoffs. In most cases he cannot collect sufficient evidence, and hence he must be clear in
mind in terms of where he applies an audit procedure and how he interprets the evidence.
Throughout the audit, the auditor makes decisions on what to do next, and his notions of
materiality and audit risk guide him in making those decisions.

(F) Steps in an Audit

After understanding the importance of system factoring to reduce complexity, the nature of
audit risks and their consequences, and the types of audit procedure, the auditor can carry out the actual
audit as shown in the following flowchart, which is the approach advocated by the American Institute
of Certified Public Accountants in 1990.

[Flowchart: steps in an audit. Boxes: Start; Preliminary audit work; Understanding of control
systems; Evaluation of control systems; Rely on controls; Test of controls; Re-assess control
risk; Still rely on controls; Increase reliance on control; Limited substantive test; Extended
substantive test; Form audit opinion and issue report; Stop]

Both external and internal auditors will follow the above approach, but the decisions they take at
each step may vary because they have different roles; for example, internal auditors may spend more
time than external auditors in testing controls, as they are more concerned with the efficiency
of the controls.

(G) Computer Assisted Audit Technique (CAAT)

A computer assisted audit technique uses the computer to process the information required for
audit that is stored in the auditee’s information system. This technique is used for testing general
controls and application controls and also for substantive procedures. This technique is also
helpful in getting data from the auditee’s records as well as for analytical procedures. The Institute
of Chartered Accountants of India’s guidance note states that this technique will enhance the
effectiveness and efficiency of the audit procedure.

According to ICAI’s guidance note, the auditor must have expertise and experience in executing
and using the results of the computer assisted audit technique. Before applying this technique, the
auditor should get reasonable assurance of its integrity, reliability, usefulness and security
through appropriate planning, designing, processing and review of documentation. He should
see that this technique is properly controlled. The auditor should maintain sufficient documents
describing the application of the technique and regarding planning, execution, inputs,
processing, output, source code, technical information about the auditee’s accounting system,
audit evidence and suggestions, if any, for use of the technique in future etc. The auditor should
make necessary arrangements for data files to minimize the effect on the auditee’s routine activities.

Different computer assisted audit techniques available are as under-

a. Test data
b. Integrated Test Facility
c. Audit Software
d. Audit Automation
e. Core Image Comparison
f. Data Base Analysis
g. Embedded Code
h. Log Analyzers
i. Mapping
j. Modeling
k. Online Testing
l. Program Code Analysis
m. Program Library Analyzers
n. Snapshots
o. Source Comparison
p. Tracing
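
A small piece of audit software of the kind listed above, added here as an illustration and not taken from the study note or from ICAI guidance: it re-performs three of the application controls described in section (D) (edit test, financial control total, processing only once) over a constructed batch. The field names, 5-digit account format, amount limit and accounting period are assumptions.

```python
from collections import Counter
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed audit parameters (hypothetical, chosen for the example).
PERIOD_START, PERIOD_END = date(2024, 3, 1), date(2024, 3, 31)
AMOUNT_LIMIT = Decimal("10000.00")

# Constructed sample data. The header holds the record count and financial
# control total prepared when the batch was keyed in; the transactions are
# what the processing run actually posted.
BATCH_HEADER = {"batch_id": "B-0417", "record_count": 5,
                "control_total": Decimal("11550.00")}
TRANSACTIONS = [
    {"txn_id": "T1001", "account": "40012", "amount": "2500.00", "date": "2024-03-04"},
    {"txn_id": "T1002", "account": "40015", "amount": "7200.00", "date": "2024-03-05"},
    {"txn_id": "T1003", "account": "4001X", "amount": "1250.00", "date": "2024-03-05"},
    {"txn_id": "T1004", "account": "40020", "amount": "-300.00", "date": "2024-03-06"},
    {"txn_id": "T1002", "account": "40015", "amount": "7200.00", "date": "2024-03-05"},
    {"txn_id": "T1006", "account": "40031", "amount": "900.00", "date": "2024-02-30"},
]


def parse_amount(raw):
    """Return the amount as Decimal, or None when the field is not numeric."""
    try:
        return Decimal(raw)
    except InvalidOperation:
        return None


def edit_test(txn):
    """Edit test: list of validation failures for one record (empty = passes)."""
    failures = []
    acct = txn["account"]
    if not (acct.isascii() and acct.isdigit() and len(acct) == 5):
        failures.append("account is not a 5-digit code")
    amount = parse_amount(txn["amount"])
    if amount is None:
        failures.append("amount is not numeric")
    elif not (Decimal("0") < amount <= AMOUNT_LIMIT):
        failures.append("amount outside 0 < amount <= limit")
    try:
        posted = date.fromisoformat(txn["date"])
    except ValueError:
        failures.append("date is not a valid calendar date")
    else:
        if not (PERIOD_START <= posted <= PERIOD_END):
            failures.append("date outside accounting period")
    return failures


def control_total_test(header, txns):
    """Financial control total: compare posted count and sum with the header."""
    total = sum((parse_amount(t["amount"]) or Decimal("0") for t in txns),
                Decimal("0"))
    return {"count_difference": len(txns) - header["record_count"],
            "total_difference": total - header["control_total"]}


def duplicate_test(txns):
    """Processing-once check: transaction ids that were posted more than once."""
    counts = Counter(t["txn_id"] for t in txns)
    return sorted(tid for tid, n in counts.items() if n > 1)


def run_caat(header, txns):
    """Run all three tests and return the findings for the working papers."""
    edit_failures = []
    for position, txn in enumerate(txns, start=1):
        failures = edit_test(txn)
        if failures:
            edit_failures.append((position, txn["txn_id"], failures))
    return {"edit_failures": edit_failures,
            "control_total": control_total_test(header, txns),
            "duplicates": duplicate_test(txns)}


if __name__ == "__main__":
    for name, result in run_caat(BATCH_HEADER, TRANSACTIONS).items():
        print(name, result)
```

In this batch the control-total difference equals the amount of the duplicated transaction, which is how the two tests corroborate each other.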

(H) AAS 29 – Auditing in Computer Information Systems

(Approach to Information Systems Audit)

The Auditing and Assurance Standard 29, issued by the ICA of India, explains the procedure
for conducting the audit in a computerized environment. It clearly states that the overall
objective and scope of audit is not different in a computer information system environment, but
the use of computers changes the processing, storage, retrieval and communication of financial
information and also affects the accounting system as well as the internal control system used by
the auditee. The CIS environment may affect -

a. The procedures followed by the auditor in obtaining a sufficient understanding of the
accounting and internal control system.
b. The auditor’s evaluation of internal risk and control risk through which the auditor assesses
the audit risk.
c. The auditor’s design and performance of tests of control and substantive procedures
appropriate to meet the audit objective.

The auditor should consider the following to determine the effects of the computer information
system environment on the audit -

a. The extent to which the CIS environment is used to record, compile and analyze accounting
information.
b. The system of internal control in existence in the entity with regard to -
1. Flow of authorized, correct and complete data to the processing centre.
2. Processing, analyzing and reporting tasks undertaken in the installation.
c. The impact of the computer based accounting system on the audit trail that could otherwise
be expected to exist in an entirely manual system.

The auditor should have sufficient knowledge of the computer information systems to plan,
direct, supervise, control and review the work performed. The sufficiency of knowledge would
depend on the nature and extent of the CIS environment. The auditor should consider whether
any specialized CIS skills are needed in the conduct of the audit. These specialized skills are
needed to -

a. Obtain sufficient understanding of the effects of the CIS environment on accounting and
internal control systems.
b. Determine the effect of the CIS environment on the assessment of overall audit risk and of
risk at the account balance and class of transaction level.
c. Design and perform appropriate tests of control and substantive procedures.

The auditor should make an assessment of inherent and control risks for material financial
statement assertions, in accordance with AAS 6 (revised), “Risk Assessment and Internal
Control”.

The inherent risks and control risks in a CIS environment may have both a pervasive effect and
an account-specific effect on the likelihood of material misstatements, as follows:

(a) The risks may result from deficiencies in pervasive CIS activities such as program
development and maintenance, system software support, operations, physical CIS security,
and control over access to special-privilege utility programs. These deficiencies would
tend to have a pervasive impact on all application systems that are processed on the
computer.

(b) The risks may increase the potential for errors or fraudulent activities in specific
applications, in specific databases or master files, or in specific processing activities. For
example, errors are not uncommon in systems that perform complex logic or calculations,
or that must deal with many different exception conditions. Systems that control cash
disbursement or other liquid assets are susceptible to fraudulent actions by users or by
CIS personnel.

As new CIS technologies emerge for data processing, they are frequently employed by clients
to build increasingly complex computer systems that may include micro-to-mainframe links,
distributed databases, end-user processing, and business management systems that feed
information directly into accounting systems. Such systems increase the overall sophistication
of computer information systems and the complexity of the specific applications that they affect.
As a result, they may increase risk and require further consideration.

In accordance with AAS 6, “Risk Assessment and Internal Control”, the auditor should
consider the CIS environment in designing audit procedures to reduce audit risk to an acceptably
low level.

He should make enquiries and particularly satisfy himself whether:

(a) Adequate procedures exist to ensure that the data transmitted is correct and complete.

(b) Cross-verification of records, reconciliation statements and control systems between
primary and subsidiary ledgers exist and are operative, and that the accuracy of computer
compiled records is not assumed.

The auditor’s specific audit objectives do not change whether accounting data is processed
manually or by computer. However, the methods of applying audit procedures to gather
evidence may be influenced by the methods of computing process. The auditor can use manual
audit procedures, or computer-assisted techniques, or a combination of both to obtain sufficient
applications, it may be difficult or impossible for the auditor to obtain certain data for inspection,
inquiry, or confirmation without computer assistance.

The auditor should document the audit plan, the nature, timing and extent of audit procedures
performed and the conclusions drawn from the evidence obtained. In an audit in CIS
environment, some of the audit evidence may be in electronic form. The auditor should
satisfy himself that such evidence is adequately and safely stored and is retrievable in its
entirety as and when required.

(I) Audit In The Case of Electronic Data Interchange (EDI)

EDI means the transfer of structured data between organizations in electronic form. This is widely
used in western countries and is expected to grow in India too within a very short period. This
transfer is done on the basis of certain accepted standards having a legal base, like the EDIFACT
standard. Audit in such situations really requires advanced knowledge of computers. To
establish the authenticity of the data exchanged and also of the parties exchanging data,
digital signatures are used; it is extremely difficult to forge a digital signature. These
signatures are created and verified by computer programs. The Information Act, 2000 has
laid down the legal framework for digital signatures and electronic records.

The auditor, along with the usual procedures, should give consideration to the following aspects while
auditing in an electronic data interchange environment:

(a) There should be a detailed and clear-cut agreement for electronic data interchange between
the concerned parties. There should be clear provision for ordering, delivery, acceptance and
rejection of interchange of electronic data. It should also be clearly mentioned in the agreement
that the supply of electronic data through this interchange system shall have the same
effect as an ordinary supply made on the basis of a purchase order.

(b) There should be foolproof controls in the system to avoid modification of the data by a
third party while the data interchanged is in transit. For this, encryption, i.e. mixing of data
and making it unreadable to a third party, is used, and the receiver can decrypt the data for
his use.

(c) Due to the in-built control in the EDI system, the recipient acknowledges the receipt of the
data, and in his confirmation certain key information of the original data is repeated.

(d) Logs are used for recording the data received and sent, and the parties exchange these logs
frequently; this proves helpful, as nobody can deny the receipt or transmission of data.

(e) To avoid adverse effects on the business due to failure of hardware, proper controls for
contingency planning are introduced in the EDI system.
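
How an auditor might test points (c) and (d) above, as an added example that is not part of the study note: the script reconciles the sender's log, the receiver's exchanged log and the acknowledgements, and reports every disagreement. The log layout, the SHA-256 digest per message and all message ids, PO numbers and amounts are constructed assumptions.

```python
import hashlib
from decimal import Decimal


def sha256_hex(payload: str) -> str:
    """Digest each party records in its log so payloads can be compared."""
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


# --- Constructed sample data (hypothetical ids, PO numbers and amounts) ---
_SENT_PAYLOADS = {
    "M001": "ORDER|PO-7781|15000.00",
    "M002": "ORDER|PO-7782|4200.00",
    "M003": "ORDER|PO-7783|980.00",
    "M004": "ORDER|PO-7784|310.00",
}
_RECEIVED_PAYLOADS = {
    "M001": "ORDER|PO-7781|15000.00",
    "M002": "ORDER|PO-7782|4800.00",   # amount differs from what was sent
    "M003": "ORDER|PO-7783|980.00",
    "M009": "ORDER|PO-7790|50.00",     # never recorded by the sender
}
# Sender's log keeps the key fields plus a digest of the transmitted payload.
SENDER_LOG = [
    {"msg_id": m, "po": p.split("|")[1], "amount": p.split("|")[2],
     "sha256": sha256_hex(p)}
    for m, p in _SENT_PAYLOADS.items()
]
# Receiver's log, as exchanged with the sender, keeps id and digest.
RECEIVER_LOG = [{"msg_id": m, "sha256": sha256_hex(p)}
                for m, p in _RECEIVED_PAYLOADS.items()]
# Acknowledgements repeat key information of the original data (point c).
ACKS = [
    {"msg_id": "M001", "po": "PO-7781", "amount": "15000.00"},
    {"msg_id": "M002", "po": "PO-7782", "amount": "4800.00"},
]


def reconcile(sender_log, receiver_log, acks):
    """Compare both parties' logs and the acknowledgements; return exceptions."""
    sent = {e["msg_id"]: e for e in sender_log}
    received = {e["msg_id"]: e for e in receiver_log}
    acked = {a["msg_id"]: a for a in acks}

    def key_info(entry):
        # Amounts are compared numerically so "980.0" and "980.00" agree.
        return entry["po"], Decimal(entry["amount"])

    return {
        # Sent according to the sender, absent from the receiver's log.
        "missing_at_receiver": sorted(sent.keys() - received.keys()),
        # Logged by the receiver, absent from the sender's log.
        "unknown_to_sender": sorted(received.keys() - sent.keys()),
        # Both logged it, but the payload digests disagree. The digest shows
        # that the logs differ; attributing the change relies on the digital
        # signature the text describes, which is outside this example.
        "digest_mismatch": sorted(
            m for m in sent.keys() & received.keys()
            if sent[m]["sha256"] != received[m]["sha256"]),
        # Sent but never acknowledged by the recipient.
        "unacknowledged": sorted(sent.keys() - acked.keys()),
        # Acknowledged, but the repeated key information does not match.
        "ack_key_mismatch": sorted(
            m for m in sent.keys() & acked.keys()
            if key_info(acked[m]) != key_info(sent[m])),
    }


if __name__ == "__main__":
    for finding, ids in reconcile(SENDER_LOG, RECEIVER_LOG, ACKS).items():
        print(f"{finding}: {ids}")
```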

(J) Audit in the Case of E-commerce Environment

E-Commerce denotes buying and selling transactions through the internet using computers. It
may pose certain difficulties in accounting, revenue recognition etc. While auditing in such an
e-commerce environment, an auditor should consider the following guidelines contained in
the International Auditing Practical Statement -

(i) Evaluate the changes in the auditee’s business environment as an effect of e-commerce.
(ii) Examine the business risk affecting the Balance Sheet due to e-commerce transactions.
(iii) Enquire of the officers, including the chief information officer, to get the real picture of
e-commerce and its effect on the state of affairs of the auditee.
(iv) Evaluate the extent of risk addressed by the auditor due to use of e-commerce.
(v) In case the auditee is using the services of an Internet Service Provider, certain records of such
service providers relating to the auditee should be asked for and verified.
(vi) Measure the risk involved in e-commerce transactions in the case of use of a public network.
(vii) See whether an appropriate accounting policy is adopted for recording development costs
and revenue recognition.
(viii) Verify the non-compliances of taxation and legal matters in the case of international
e-commerce.
(ix) Verify the controls established to reduce the risk associated with e-commerce transactions.
(x) Verify the efficiency of physical, logical and technical controls established for authorization,
authenticity, confidentiality, security of information etc., e.g. passwords, firewalls,
encryption etc.
(xi) Evaluate the reliability of the system to check the completeness, accuracy, timeliness and
authorization of information.
(xii) See that adequate controls exist regarding validation of input, prevention of transactions being
omitted or duplicated, acceptance of terms of agreement before order processing, prevention
of acceptance of an order if all steps are not completed by the customer, ensuring proper
distribution of transaction details across multiple systems in a network, and ensuring the
retention of backup and security of the related records.

(K) Audit in Online System Environment

In an online computer system, the data stored on a central computer can be used by a number of
persons through a number of terminals. In some organizations a distributed system is used,
wherein computers are distributed throughout the network and data is processed at various
stages. In some online systems, computer files are updated to give immediate effect to the
transactions entered through terminals; this is called an online real-time system. The controls
used in such systems depend upon the specific hardware and software used.

The auditor, while auditing in such an environment, should consider the following points:

(i) He should get acquainted with the computer network and the entry points from other organizations,
and collect the network diagram.
(ii) He should review the network control system.
(iii) He should verify whether proper control measures are in use to avoid unauthorized
transactions and unauthorized changes to the data or programs.
(iv) He should review the internal controls, as source documents are not available for every
transaction, processing results are not available in printed form, and the reports required
by the auditor are many times not available in printed form.
(v) He should look into the procedures to ensure proper authorization of data fed into the
computer.
(vi) He should insist upon the retention of important links in audit trails.
(vii) He should verify the effectiveness of separating the transactions accounting period-wise
to avoid confusion in the situation of an overflow of online transactions.
(viii) He should see that proper measures, like the establishment of appropriate controls to detect
and correct line errors, cryptographic controls etc., are introduced in the system effectively
to avoid the loss of data by accident or corruption.
(ix) He should test sample transactions derived at random through the addition of audit
instructions to the programs used in data processing, for continuous monitoring of the system.

(L) Audit in the Case of Environment of Personal Computer

The environment wherein personal computers are used is different from the environment
wherein large computers are in use, and that is why the auditor has to adopt a different approach to
audit in such an environment. According to the guideline issued by the International Federation of
Accountants, the auditor has to consider the following points while conducting an audit in such
an environment of personal computers:

(i) He should understand that P.C.s generally do not have as many controls as large
computers; the programs and data can be saved on portable media like C.D.s and also on
the hard disk. The storage media is prone to accident. Portable storage media are also subject
to damage, theft or misplacement.
(ii) He should know that inadequate control measures can create serious problems like theft
or alteration of data due to unauthorized use of a P.C.
(iii) He should see whether proper controls are introduced to avoid unauthorized use of P.C.s,
downloading of data, improper documentation, improper use of storage capacity etc.
(iv) He should ensure that software is not subject to manipulation.
(v) He should examine control procedures like cross checking the results, testing of
application programs, documentation of processed data, and range tests of data to strengthen
the software and data integrity.
(vi) He should verify whether proper arrangement is made for back up copies of all data and
important programs.
(vii) He should concentrate on substantive tests and not waste his time in detailed examination
of the effectiveness of the computer information system’s controls.
(viii) He should use computer assisted audit techniques.
(ix) He should examine larger samples of transactions.
(x) He should verify the effectiveness of the different control measures utilized and report on
that.

(M) Audit in the Case of Data Processing through Computer Service Centers

Small organizations get their data processed through computer service centers due to their
incapability of investing huge amount in establishing the computer systems. In this case the
organization provides documents to service center, which processes it and hands over the final
output documents.

In such circumstances auditor should:

(i) Follow the provisions laid down in Auditing and Assurance Standard 24.
(ii) Verify that the vendor is reliable and suitable having the skills, experience and
reputation.
(iii) Evaluate the suitability of the contracted terms with regard to fixed cost, variable cost, the
scope & timing of audit activities, the service center’s responsibility in terms of maintaining
data integrity and providing suitable back up and recovery.
(iv) Check the compliance with the terms of contract.
(v) Seek to ensure that his ability to collect and evaluate evidence in relation to the attainment
of the objectives of outsourcing is not inhibited.

The impact on auditing is as follows:

(i) Widespread end-user computing could sometimes result in unintentional errors creeping
into systems owing to inexperienced persons being involved. Also, co-ordinated program
modifications may not be possible.
(ii) Improper use of decision support systems can have serious repercussions. Also, their
underlying assumptions must be clearly documented.
(iii) The auditor’s participation to a limited extent in systems development may become inevitable
to ensure that adequate controls are built in.
(iv) Usage of sophisticated audit software would become a necessity, since conventional
methods of auditing would no longer be sufficient.
(v) The move towards paperless electronic data interchange would eliminate much of the
traditional audit trail, radically changing the nature of audit evidence.

The rapid advancements in information technology would no doubt have a dramatic impact
on auditing. Auditors must adapt themselves to the changing environment and acquire the
necessary additional skills.

9.2. INTRODUCTION TO MANAGEMENT AUDIT


(A) Definition
Management audit is the audit to examine, review and appraise the different policies of the
management on the basis of certain prescribed standards. It is not like a traditional audit but is
a comprehensive and critical review of all aspects of management performance.

“The Management Audit may be more specifically defined as being an investigation of a business
from the highest level downwards in order to ascertain whether sound management prevails
throughout, thus facilitating the most effective relationship with the outside world and the
most efficient organization and smooth running internally”- Taylor and Perry.

“The Management Audit is an informed and constructive analysis, evaluation and series of
recommendations regarding the broad spectrum of plans, process, people and problems of an
economic entity”- Camp Field.

“The Management Audit may be defined as a comprehensive and constructive examination of
an organization structure of a company, institution or branch of Government or any component
thereof, such as a division, or department, and its plan and objectives, its means of operation
and its use of human and physical facilities.”- William P. Leonard.

In short, the Management Audit is a forward looking audit. It emphasizes problem
identification rather than problem solving; it pinpoints the areas requiring the attention of
management; it evaluates the existence of well defined objectives and examines whether policies
are consistent with objectives and properly understood at all functional levels; it goes far beyond
the areas of financial accounting and cost accounting; and it seeks to review, appraise and evaluate
the corporate plans and policies based on certain standards of objectivity. Though this type of
audit has been made mandatory in Sweden and the USA, it is yet to gain appropriate momentum in India.

(B) Need of Management Audit

The following are the circumstances wherein the management audit is useful-

(i) To overcome the human limitations of Top Management.
(ii) To improve the management’s production.
(iii) Circumstances such as corporate planning deficiencies, defects in the organization’s
structure, an ineffective management control system etc. warrant a management audit.
(iv) In the circumstances of acquisition of another business entity, the acquiring organization
needs to evaluate financial aspects, technical aspects and management aspects and analysis
of these aspects takes the form of management audit.
(v) Society at large likes to be assured that the top and middle level management discharge
their functions efficiently and to the best advantage of the society. The management audit
satisfies the different interests of groups such as customers, employees, citizens, government
etc. of the society and also guides the management in the application of scientific methods
of business management for social well being.
(vi) The statutory financial audit is generally annual and concerned with the past, without
any forward-looking approach. The statutory financial audit and internal audit, along with
the statutory cost audit, are essentially legalistic in terms of the time given for completion
and the nature of certification, and fail to give management insight into the unsuitability
of structure to meet the entity’s needs, poor leadership, inability to make decisions and
poor vision. Enlightened managers realize this and feel the need for a management audit
to identify the problems and provide guidance to overcome them.
(vii) Foreign collaborators, while investing in other organizations feel the necessity of
management audit to ensure that the funds invested are to be used properly for growth
and expansion.
(viii) Financial institutions conduct the management audit, while participating in equities of a
company to avoid possible losses arising from inefficient management.
(ix) Company itself feels the need of management audit to assess its managers’ performances
and link an incentive system to the results of such assessment.
(x) While advancing loans, banks like to get the management audit conducted.

(C) Scope of Management Audit

The scope of management audit can be as broad as the management process itself. It is concerned
with the whole field of activities of a business concern from top to bottom of a management
hierarchy. Management audit is concerned with the appraisal of management policies, methods
and performance. It includes review and appraisal of an organization to determine: 1) better
means of control; 2) greater improved methods; 3) more efficient operations; 4) greater use of
human and physical facilities; and 5) waste and deficiencies.

(D) Management Audit Process

Fundamentally the activities to be undertaken by management auditor in its review of material
management, production management, industrial engineering management, sales management,
financial management, general administration etc. include-

(i) Collection and analysis of relevant statistics and reports used by the management.

(ii) Establishment of priorities for various functional activities to be reviewed.

(iii) Interviews and meetings with the senior, middle and supervisory management levels in
order to ascertain 1) How plans are developed. 2) How resources are controlled and 3)
How performances are evaluated.


Who can conduct the management audit?


The management audit can be conducted by-

(A) Company Talent- Which may include-

1) An administrative staff.
2) An audit committee.
3) An officer on special duty.

These personnel have sufficient knowledge of operations and talent necessary for the study,
have no vested interest and are acceptable to other persons responsible for the area.

(B) Outside Management Consultants- Who may be chartered accountants, cost accountants
or management consultants having no vested interest in the company management, having
no loyalty to any individual in the organization, having an impartial and objective approach,
having a wide range of specialties, and having already developed the skill to carry on management
audit.

(C) Company Talent as well as Management Consultants- Considering the prevailing
circumstances in a company, a combination of company talent and outside management
consultants would be the best team to conduct the management audit. The advantages of
each complement the other.

Whoever may be appointed as management auditor should possess the following qualities-
(i) Ability to understand the problems of the business.
(ii) General understanding as to nature and objects of the organization.
(iii) Expert knowledge of the principles of delegation of authority, management by objectives,
management by exception, management control, budgetary control, internal control, flow
charts, use of computers etc.
(iv) Sufficient knowledge and experience in preparing different reports for presentation to the
different levels of management including top management.
(v) Background of engineering, costing, statistics, management accounting, financial
accounting, industrial psychology, managerial economics etc.
(vi) General understanding of different laws and regulations like company laws, tax laws, etc.
(vii) Tactfulness, perseverance, pleasing & dynamic personality.

(E) Advantages of Management Audit-

(i) The company’s personnel know the organizational policies, plans, personnel operations,
personalities and working relationships, the political climate, the functional importance,
and some of the problems themselves.
(ii) The audit team need not spend an unduly long time for familiarizing themselves with the
background information for study.
(iii) It may be easier to get the support of the higher management, because such audit in the
form of self-appraisal apparently involves no extra cost.
(iv) The acceptance of the findings may be comparatively easier because the concerned
personnel may readily accept the recommendations from the internal management audit
team (consisting of co-workers) than from the external management auditors (or
consultants).
(v) The implementation of the new method of operation or organizational arrangement may
be easier because the personnel who designed and advised it are on the premises. The
constant co-operation necessary in the implementation phase is greatly facilitated.
(vi) The experience and expertise gained by the company personnel in the conduct of
management by self-appraisal could be gainfully utilized for subsequent audits.

(F) Limitations of Management Audit

(i) The company personnel possess experience limited only to their organization. The company
might have faced difficulties and constraints due to limited experience of the company
personnel.
(ii) They are more likely to take facts for granted and may not probe into the details to unearth
problems.
(iii) There may be a tendency to suppress unfavorable facts relating to some of the fellow
personnel.
(iv) The company may not have the talent necessary to conduct such management audit
involving complicated studies.
(v) It may not be possible for the company to spare personnel for the studies as these may take
long time.
(vi) It may be possible, due to conflicting interests that the audit work may be prolonged and
as a result, the action on findings and recommendations may be delayed.
(vii) The vested interests of the operational executives may prevent the management audit
team from being objective.
(viii) In a management audit scheme, the areas of investigation should fruitfully cover the
entire management system, and so the situation demands the audit team to complete the
studies under a time constraint- which may result in not covering some of the important
appraisal areas.


ACID TEST
(1) State whether following statements are true or false:

a. When information system audit is an information technology audit, the auditor is
required to have the detailed knowledge of accounting rather than information system.
b. Information system audit is the audit of the accounting controls.
c. At the time of preparing information system audit program, auditor must understand
the system.
d. Audit in the case of Electronic Data Exchange is a difficult task.
e. Auditor should test check controls established to reduce the risk associated with e-
commerce transactions.
(2) What is information system audit? Explain the audit procedure in system audit to determine
the material losses.
(3) Define computer information system audit and explain the nature of risks and internal
control characteristics in CIS environment.
(4) Write short notes on-
a. Types of IT audit
b. System audit
c. Computer audit
d. Input controls
e. Processing controls
f. AAS-29
(5) What is computer assisted audit technique? Explain the different computer assisted
techniques available.
(6) What is CIS audit? Explain its application in case of E-commerce.
(7) Explain:
a) Audit in online system environment.
b) Audit in case of environment of personal computer.
(8) Define management audit. Discuss need of management audit.
(9) What are the advantages and limitation of management Audit?
