
Audit Theory Chapter 26 (The Computer Environment)

 Data processing – simply the collecting, processing and distributing of information to
achieve a desired result.
 EDP system or computer system – when the machine is an electronic digital computer.
 Every computer system is designed to perform specific types of operations. The
operations are performed by:
 Hardware – the physical components of the system
 Software –computer programs
 Central processing unit (CPU) – is the principal hardware component of the computer.
 The central processing unit consists of:
 Main storage unit (memory) – temporarily stores the programs and data used in
processing.
 Arithmetic and logic unit – arithmetic (addition, subtraction, multiplication and
division), comparison and other types of data transformation are accomplished
by the arithmetic and logic unit.
 Computer main storage – holds the data and instructions needed for the operation.
 Control unit – regulates the activities of the other units and devices by
retrieving machine language instructions from the main storage unit and then
interpreting the instructions.
 Input devices – permit the computer to receive both data and instructions for processing.
 Output devices – return information from the computer to the user.
 Software – is a series of programs or routines that provides instructions for operating the
computer.
 The two broad categories of computer software:
 Application programs – designed to accomplish specific objectives of the
user.
 System software – operates the computer system and performs routine
tasks for users.
 Machine language (object language or object code) – was used in the early days of
computers.
 Today, programming in English-like languages such as COBOL (Common Business
Oriented Language) and RPG (Report Program Generator) is made possible by an
element of software known as a compiler.
 Compilers – are programs that translate application programs written in COBOL, RPG
or other high-level languages (known as source code) into machine language (object code).
 Important elements of systems software are:
 Operating systems – also known as “control programs”, “executives” or
“supervisors”.
 Utilities – are programs or groups of programs designed to perform commonly
encountered data handling functions.
 Computer installations- are the facilities where the computer hardware and personnel are
located.
 Categories of computer installations:
 In house or captive computer
 Service bureau computer
 Time-sharing
 Facilities management
 The Unique Characteristics of Specific EDP System
 Batch processing – is a common type of EDP system
 Direct random access processing – the data is processed as the transactions
occur and are entered into the system, and transactions can be input in any order.
 Data base processing – the most difficult EDP system to understand.
- Is a set of interconnected files that users can access to
obtain specific information.
- Is dependent on an on-line real-time (OLRT) EDP
system.
 Small computer environments – the segregation of duties becomes difficult
because one individual may perform all recordkeeping as well as maintain
other non-recordkeeping responsibilities.
 Service bureau/center – independent computer centers from which
companies rent computer time.
 Distributed systems – represent a network of remote computer sites, each having a
small computer connected to the main computer system.
 The emphasis of controls shifts from batch-type controls to OLRT-type controls, which
include the following:
 User department
 Access controls
 Backup and recovery
 Database administrator
 Audit software
 The emphasis of a small computer environment should center around the following points:
 Security
 Verification of processing
 Personnel
 Certain controls should be maintained at both the user and the service bureau locations:
 Contract
 Processing verification
 Backup and recovery
 Time sharing systems
 Controls in a distributed system:
 Audit unit
 Segregation
 Uniform standards
 Computers may effect changes in the accounting system, including the following:
 Documents are not maintained in readable form
 Processing of transaction is more consistent
 Duties are consolidated
 Reports can be generated easily
 Major types of Computer Fraud
 Salami techniques – programs are modified to inappropriately round off calculations to
the benefit of the fraud perpetrator.
 Trojan horses – typically are designed to wait until a specific time, when they
act and then erase all evidence of their existence.
 Virus programs – are programs with unauthorized information or instructions,
and they can spread by the electronic transfer of information between systems
or the physical exchange of media.
 Trapdoors – are unauthorized entry points into programs or databases and can
change data or instructions without approval.
Audit Theory Chapter 27 (Internal Control in the Computer Information System)

 The auditor's responsibilities with respect to internal control over EDP systems remain
the same as with manual systems, that is, to obtain an understanding adequate:
 To aid in planning the remainder of the audit
 To assess control risk
 Internal controls over EDP activities often are classified as:
 General controls
 Application controls
 General controls relate to all EDP applications and include such considerations as:
 The organization of the EDP department
 Procedures for documenting, testing and approving the original system and any
subsequent changes
 Controls built into the hardware
 Security of files and equipment
 General controls –are controls that affect multiple application systems.
 Five categories of general controls are presented in the AICPA audit guide:
 Organization and operations control
 Systems development and documentation controls
 Hardware and systems software controls
 Access controls
 Data and procedural controls
 Organizational and operations controls
 Segregate functions between the EDP department and user departments
 Do not allow the EDP department to initiate or authorize transactions
 Segregate functions within the EDP department
 System analyst – responsible for analyzing the present user environment and requirements, and for:
 Recommending the specific changes which can be made
 Recommending the purchase of a new system
 Designing a new EDP system
 System flowchart – is one tool used by the analyst to define the system requirement.
 Application programmer – is responsible for writing, testing and debugging the
application programs from the specifications.
 Program flowchart- is one tool used by the application programmer to define the program
logic.
 System programmer – is responsible for implementing, modifying and debugging the
software necessary for making the hardware work.
 Operator- is responsible for the daily computer operations of both the hardware and
software.
 Data librarian- is responsible for the custody of the removable media and for the
maintenance of program and system documentation.
 Quality assurance- is a relatively new function established primarily to ensure that new
systems under development and old systems being changed are adequately controlled.
 Control group- acts as a liaison between users and processing center and records the input
data in a control log.
 Data security – is responsible for maintaining the integrity of the on-line access control
security software.
 Database administrator – is responsible for maintaining the database and restricting access to
the database to authorized personnel.
 Network technician- is fast becoming the most powerful position in a MIS environment.
 Controls in system development and documentation
 User departments must participate in system design.
 Both users and EDP personnel must test new systems.
 Proper documentation standards should exist to assure continuity of the system.
 Design methodology – all new systems being developed should flow through a
documented process that has specific control points.
 Change control process – for a change to a system that is presently operating, a formal change
process should exist that requires formal approval before any change is implemented.
 Hardware and systems software controls
 The auditor should be aware of control features inherent in the computer hardware,
operating system and other supporting software.
 System software should be subjected to the same control procedures as those applied
to installation of and changes to application programs.
 Parity check – a special bit is added to each character stored in memory so that the
loss of a bit by the hardware can be detected.
 Echo check- primarily used in telecommunications transmissions.
 Diagnostic routines- hardware or software supplied by the manufacturer to check the
internal operation and devices within the computer system.
 Boundary Protection- to ensure that the simultaneous jobs cannot destroy or change the
allocated memory of another job.
 Periodic maintenance – the system should be examined periodically by a qualified service
technician.
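The parity check above is easy to see in code. The following is an added example, not part of the original notes: it stores each character with an even-parity bit, scans a constructed block of "memory" for inconsistent words, and shows the classic caveat that a single lost bit is detected while two lost bits in the same character cancel out and pass the check.

```python
# Added example (not from the original notes): even-parity storage and checking.

def add_parity(byte: int) -> int:
    """Return a 9-bit stored word: the 8 data bits plus an even-parity bit.

    The parity bit is chosen so that the total number of 1 bits is even."""
    data = byte & 0xFF
    parity = bin(data).count("1") & 1      # 1 when the data has an odd number of ones
    return (data << 1) | parity

def parity_ok(word: int) -> bool:
    """Hardware-style check: a stored word is consistent when its 1-bit count is even."""
    return bin(word & 0x1FF).count("1") % 2 == 0

def strip_parity(word: int) -> int:
    """Recover the 8 data bits from a stored word."""
    return (word >> 1) & 0xFF

def flip_bit(word: int, position: int) -> int:
    """Simulate a hardware fault that inverts one bit of a stored word (bit 0 is the parity bit)."""
    return word ^ (1 << position)

def scan_memory(words: list) -> list:
    """Return the addresses (list indexes) whose stored word fails the parity check."""
    return [addr for addr, w in enumerate(words) if not parity_ok(w)]

# Constructed memory image of the characters in "LEDGER", then a copy with one fault at address 2.
MEMORY = [add_parity(b) for b in b"LEDGER"]
CORRUPTED = MEMORY[:]
CORRUPTED[2] = flip_bit(MEMORY[2], 4)

def demo() -> tuple:
    """Store 'A', then corrupt one bit, then a second bit.

    Returns the parity result for (intact, single-bit error, double-bit error)."""
    word = add_parity(ord("A"))      # 0x41 has two 1 bits, so the parity bit is 0
    single = flip_bit(word, 3)       # one bit lost: odd count, detected
    double = flip_bit(single, 5)     # second bit lost: even count again, NOT detected
    return parity_ok(word), parity_ok(single), parity_ok(double)

if __name__ == "__main__":
    print(demo())                    # → (True, False, True)
    print(scan_memory(CORRUPTED))    # → [2]
```

The third result in `demo()` is the point for an auditor: parity is a detective control against the common single-bit failure, not an integrity guarantee, which is why the notes also list echo checks, diagnostic routines and periodic maintenance alongside it.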
 Access controls
 Access to program documentation should be limited to those persons who require it
in the performance of their duties.
 Access to data files and programs should be limited to those individuals authorized to
process data.
 Access to computer hardware should be limited to authorized individuals.
 Physical access controls
 Limited physical access – the physical facility that houses EDP equipment, files and
documentation should have controls to limit access to authorized individuals only.
 Visitor entry logs- any individual entering a secure area must be either pre-approved
by management and wearing an ID badge or authorized by an appropriate individual.
 Electronic access controls
 Access control software- the most used electronic access control is a combination of a
unique identification code and a confidential password.
 Call back – is a specialized form of user identification that is used in highly sensitive
systems.
 Encryption boards – are new devices that are installed in the back of a microcomputer,
or standalone devices for larger systems.
 Data and procedural controls
 A control group should
 Receive all data to be processed
 Ensure that all data are recorded
 Verify the proper distribution of output
 A written manual of systems and procedures should be prepared for all computer
operations.
 Internal auditors should review and evaluate proposed systems at critical stages.
 Operation run manual – the operation manual specifies in detail, for each application, what
the computer operator must do to respond to any errors that may occur.
 Backup and recovery – to ensure the preservation of historical records and the ability to
recover from an unexpected error, files created within the EDP are backed up in a
systematic manner.
 Contingency processing- should be developed to prepare for natural disaster, manmade
disaster or general hardware failures that disable the data center.
 Processing control- should be monitored by the control group to ensure that processing is
completed in a timely manner.
 File protection ring – is a processing control to ensure that an operator does not
inadvertently write on (and thereby destroy) a magnetic tape file.
 Internal and external labels- are paper labels attached to a reel of tape or other storage
medium which identify the file.
 Trailer labels – are often used at the end of a magnetic tape file to maintain information
on the number of records processed.
 Application controls – are controls that relate to a specific application instead of multiple
applications.
 Each accounting application that is processed in an EDP system is controlled during three
steps within EDP:
 Input step – converts human readable information into computer readable
information.
 Processing step- ensuring the integrity of the information in the computer is critical.
 Output step- presentation of the results of processing to the user and retention of data
for future use.
 Input controls
 Input data should be properly authorized and approved.
 The system should verify all significant data fields used to record information.
 Conversion of data into machine- readable form should be controlled and verified for
accuracy.
 Preprinted form- information pre-assigned a place and a format on the input form used.
 Check digit – an extra digit is added to an identification number to detect certain types of
data transcription or transposition errors.
 Control, batch or proof total – a total of one numerical field, for all the records of a batch,
that normally would be added.
 Hash totals- a total of one field for all the records of a batch where the total is a
meaningless total for financial purposes.
 Record count – a control total used for accountability, to ensure that all records are received
and processed.
 Reasonableness and limit tests – tests that determine if amounts are too high, too low or
unreasonable.
 Menu driven input – used when input is being entered at a CRT terminal.
 Field checks – checks that make certain that only numbers, alphabetic characters, special
characters and proper positive and negative signs are accepted into a specific data field
where they are required.
 Validity checks – a check which allows only “valid” transactions or data to be entered into
the system.
 Missing data check – detects whether blanks exist in input data where they should not.
 Field size check – verifies that an exact number of characters has been input where required.
 Logic check – ensures that illogical combinations of inputs are not accepted into the
computer.
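The input controls listed above work together on one batch, and the following added example (not from the original notes) runs them over a small constructed batch of keyed transactions. It applies a mod-10 check digit, field, field size, missing data and limit checks to each record, then computes the record count, batch (proof) total and hash total and reconciles them to a control slip that is assumed to have been prepared by the control group from the source documents before keying. Record 3 carries a transposition of two digits in the account number and record 4 several field defects; the account number format, department codes, amounts and the 100,000 limit are all constructed for the illustration.

```python
# Added example (not from the original notes): batch input edits and control-total reconciliation.
from decimal import Decimal

LIMIT = Decimal("100000.00")   # assumed reasonableness limit for a single transaction

# Constructed batch as keyed by data entry. Record 3 has an adjacent-digit transposition
# (12345674 keyed as 12354674); record 4 has a short account, non-alphabetic dept,
# a blank date and an amount over the limit.
BATCH = [
    {"account": "12345674", "dept": "SALES", "amount": "500.00",    "date": "2024-03-01"},
    {"account": "24680134", "dept": "ADMIN", "amount": "1250.50",   "date": "2024-03-01"},
    {"account": "12354674", "dept": "SALES", "amount": "75.00",     "date": "2024-03-02"},
    {"account": "1234567",  "dept": "OP5",   "amount": "250000.00", "date": ""},
]

# Constructed control slip: totals the control group computed from the source documents.
CONTROL_SLIP = {"record_count": 4, "batch_total": Decimal("251825.50"), "hash_total": 50606049}

def luhn_valid(number: str) -> bool:
    """Check digit test (mod 10): catches single wrong digits and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def edit_record(rec: dict) -> list:
    """Apply the field-level input checks; return the names of the checks that fail."""
    errors = []
    acct = rec["account"]
    if not acct.isdigit():
        errors.append("field check: account must be numeric")
    if len(acct) != 8:
        errors.append("field size check: account must be exactly 8 characters")
    elif not luhn_valid(acct):
        errors.append("check digit: account fails the mod-10 test")
    if not rec["dept"].isalpha():
        errors.append("field check: dept must be alphabetic")
    if not rec["date"]:
        errors.append("missing data check: date is blank")
    amount = Decimal(rec["amount"])
    if amount <= 0 or amount > LIMIT:
        errors.append(f"limit check: amount outside 0 < amount <= {LIMIT}")
    return errors

def control_totals(batch: list) -> dict:
    """Record count, batch (proof) total of the amount field and hash total of account numbers."""
    return {
        "record_count": len(batch),
        "batch_total": sum(Decimal(r["amount"]) for r in batch),
        "hash_total": sum(int(r["account"]) for r in batch if r["account"].isdigit()),
    }

def reconcile(batch: list, slip: dict) -> dict:
    """Compare computed totals with the control slip; return {name: (slip, computed)} for mismatches."""
    computed = control_totals(batch)
    return {k: (slip[k], computed[k]) for k in slip if slip[k] != computed[k]}

def validate_batch(batch: list, slip: dict) -> dict:
    """Edit every record and reconcile the batch; returns the exception report."""
    exceptions = {}
    for seq, rec in enumerate(batch, start=1):
        errors = edit_record(rec)
        if errors:
            exceptions[seq] = errors
    return {"exceptions": exceptions, "total_differences": reconcile(batch, slip)}

if __name__ == "__main__":
    for k, v in validate_batch(BATCH, CONTROL_SLIP).items():
        print(k, v)
```

Two things are worth noticing in the output. The hash total of account numbers has no financial meaning, yet it is the control that independently flags the transposition in record 3 (the keyed and source totals differ by exactly 9,000), while the record count and batch total still agree; and the check digit flags the same record without any control slip at all, which is why both kinds of control are used together.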
 Processing controls
 Control totals should be produced and reconciled with input control totals – proof of
batch totals.
 Control should prevent processing the wrong file and detect errors in file
manipulation – label checks.
 Limit and reasonableness checks should be incorporated into programs to prevent
illogical results.
 Checkpoint/restart capability – when an application takes a significant amount of time to
process, it is desirable to have software within the application that allows the operator
the ability to restart the application at the last checkpoint passed, as opposed to
restarting the entire application.
 Error resolution procedures – individual transactions may be rejected during processing
as a result of the error detection controls in place.
 Output controls
 Output control totals should be reconciled with input and processing control totals.
 Output should be scanned and tested by comparison to original source documents.
 Systems output should be distributed only to authorized users.
 Control total – the user of the application will frequently give the operator the expected
result of processing ahead of time to allow the operator to verify that processing was
completed.
 Limiting the quantity of output and total processing time – time constraints and output page
generation constraints are often automated within the job being run.
 Error message resolution- following each job the system provides technical codes
indicating the perceived success of the job run.
Audit Theory Chapter 28 (Auditing in a Computer Information Systems (CIS) Environment)

 An auditor focuses upon all EDP functions, particularly the controls over input,
processing and output. This means that the auditor investigates the data processing system
by feeding the computer hypothetical transactions covering all types of situations and
ascertaining that the answers produced are correct and that wrong data are rejected.
 A CIS environment may affect:
 The procedure followed by the auditor in obtaining a sufficient understanding of the
accounting and internal control system.
 The consideration of inherent risk, and control risk through which the auditor arrives
at the risk assessment.
 The auditor's design and performance of tests of control and substantive procedures
appropriate to meet the audit objectives.
 The auditor should have sufficient knowledge of the CIS to plan, direct, supervise and
review the work performed. These may be needed to:
 Obtain a sufficient understanding of the accounting and internal control systems
affected by the CIS environment.
 Determine the effect of the CIS environment on the assessment of overall risk and
of risk at the account balance and class of transaction level.
 Design and perform appropriate tests of controls and substantive procedures.
 In planning the portions of the audit which may be affected by the client’s CIS environment,
the auditor should obtain an understanding of the significance and complexity of the CIS
environment and the availability of data for use in the audit.
 This understanding would include such matters as:
 The significance and complexity of computer processing in each significant
accounting application.
 The organizational structure of the client’s CIS activities and the extent of
concentration or distribution of computer processing throughout the entity.
 The availability of data.
 The nature of the risks and the internal control characteristics in a CIS environment
include:
 Lack of transaction trails.
 Uniform processing of transactions.
 Lack of segregation of functions.
 Potential for errors and irregularities.
 The decreased human involvement in handling transactions processed by CIS can reduce
the potential for observing errors and irregularities. Errors or irregularities occurring
during the design or modification of application programs or systems software can
remain undetected for long periods of time.
 The inherent risk and control risk in a CIS environment may have both a pervasive effect
and an account specific effect on the likelihood of material misstatements, as follows:
 The risks may result from deficiencies in pervasive CIS activities.
 The risks may increase the potential for errors or fraudulent activities in specific
applications, in specific data bases or master files, or in specific processing activities.
 The audit procedures applicable to evaluating the internal control in CIS systems are:
 Review of the system
 Test of compliance
 Evaluation to determine the extent of the substantive tests.
 If a client uses CIS, the auditor must be capable of understanding the entire system to
evaluate the client’s internal control and to determine whether the system provides
reasonable assurance that error and irregularities have been and will be prevented or
detected on a timely basis.
 Depending on the adequacy of the audit trail and the audit objectives, the auditor chooses either to:
 Audit around the computer – the auditor does not use the computer to perform tests or
select samples. If there is an adequate audit trail, the auditor can do the following:
 Examine for evidence of controls
 Trace transactions using printouts to follow input documents through to final
report.
 Process sample transactions manually, process a batch of transactions and
compare with printouts.
 Auditing through the computer – the auditor can use a computer program to examine data
files and perform many of the clerical tasks previously performed by a junior auditor.
 Substantive testing, like compliance testing, can be performed:
 Substantive testing without using the computer
 Substantive testing with the use of a computer
The sources of the programs are:
 Auditor-written programs – specifically written for the client’s file
 Auditee programs – coded by the company’s own programmer to meet the
auditor’s needs.
 Utility programs – provided by software vendors and used to obtain data.
 Generalized computer audit programs – these programs offer audit-oriented
functions for use in accessing and testing records.
 Audit techniques using computers
 Audit software
Three types of software may be used on either a microcomputer or a mainframe computer:
 Generalized audit software – is used most frequently because it allows the auditor
to access various client computer files.
Audit procedures that may be performed by generalized audit software:
 Testing client calculations
 Making additional calculations
 Extracting data from the client's file
 System utility software
 Customized audit programs
 Test Data- a set of dummy transactions is developed by the auditor and processed by
the client’s computer programs to determine whether the controls which the auditor
intends to rely on are functioning as expected.
 Possible problems associated with test data are that the auditor must:
 Make certain the test data is not included in the client’s accounting records.
 Determine that the program tested is actually the one used by the client to process
data.
 Devote the necessary time to develop adequate data to test key controls.
 Concurrent audit techniques – these techniques collect evidence as transactions are
processed, immediately reporting information requested by the auditor or storing it
for later access.
 Three concurrent techniques are:
 Integrated test facility (ITF)- this method introduces dummy transactions into
a system in the midst of live transactions and is usually built into the system
during the original design.
 Snapshots – auditors embed software routines at different points within an
application to capture and report images of selected transactions as they are
processed at preselected points in a program.
 System control audit review file (SCARF) – uses audit software embedded in
the client’s system to gather information at predetermined points in a system.
 Parallel simulation ( controlled processing/ reprocessing) – this method processes
actual client data through an auditor’s software program.
 The limitations of this method:
 The time it takes the auditor to build an exact duplicate of the client’s system.
 Incompatibility between auditor and client software.
 The time involved in reprocessing large quantities of data.
 Code comparison – an auditor examines two versions of a program to determine
whether they are identical. The two versions are:
 Blueprint
 The one in current use by the client
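The following is an added example of parallel simulation, not from the original notes and not any firm's audit tool: the auditor's own implementation of a calculation the client's program is documented to perform (here, an assumed 12% tax rounded half-up to the cent) is run over a constructed extract of the client's invoice file, and every record where the client's figure differs from the auditor's recomputation is listed on an exception report. Two of the four constructed invoices were seeded with one-cent rounding differences.

```python
# Added example (not from the original notes): parallel simulation with an exception report.
from decimal import Decimal, ROUND_HALF_UP

# Assumed: the client's documented policy is 12% tax, rounded half-up to the cent.
RATE = Decimal("0.12")
CENT = Decimal("0.01")

# Constructed extract of the client's invoice file: net amount and the tax figure the
# client's own program produced. Invoices 1003 and 1004 carry rounding differences.
CLIENT_INVOICES = [
    {"inv": "1001", "net": "100.00", "tax": "12.00"},
    {"inv": "1002", "net": "33.33",  "tax": "4.00"},
    {"inv": "1003", "net": "250.45", "tax": "30.06"},
    {"inv": "1004", "net": "99.99",  "tax": "11.99"},
]

def auditor_tax(net: Decimal) -> Decimal:
    """The auditor's independent implementation of the client's stated calculation."""
    return (net * RATE).quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(invoices: list, tolerance: str = "0.00") -> list:
    """Reprocess each record with the auditor's program; report differences beyond `tolerance`.

    Values are returned as strings so the report can be written straight to the workpapers."""
    limit = Decimal(tolerance)
    exceptions = []
    for rec in invoices:
        client = Decimal(rec["tax"])
        expected = auditor_tax(Decimal(rec["net"]))
        if abs(client - expected) > limit:
            exceptions.append({
                "inv": rec["inv"],
                "client": str(client),
                "expected": str(expected),
                "diff": str(client - expected),
            })
    return exceptions

if __name__ == "__main__":
    for line in parallel_simulation(CLIENT_INVOICES):
        print(line)
```

The tolerance parameter reflects a practical point from the limitations listed above: when the auditor's reimplementation cannot match the client's arithmetic exactly (different rounding, different software), a zero tolerance floods the report with immaterial differences, so the auditor sets a threshold and then examines the pattern of what remains. Here, a systematic one-cent bias across many invoices would itself be a finding even though each difference is individually trivial.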
 Audit workstation – using a microcomputer and the necessary software, the auditor
extracts the necessary data from the client’s file and performs the desired tests directly
on the microcomputer.
 The seven steps in using an audit workstation:
 Determine data needed
 Write extract routine
 Run extract program
 Download extracted file
 Perform analysis
 Prepare report
 Workpapers
 Data manager – used by the auditor to download client data to the auditor’s
microcomputer.
 Commercially available software and software developed by public accounting firms
can assist the auditor in:
 Preparing working papers
 Executing audit procedures
 Research
 Engagement management
 Time budgeting
 Other types of commercially available software that can assist in engagement
management include:
 Audit program generators that assist in developing audit programs
 Preparation of flowcharts
 Performance of analytical procedures
 Preparation of working papers
 Expert systems – programs designed to mimic the decision-making processes of
an expert in the field.
 Tagging and tracing transactions –this process involves tagging or specifically marking
or highlighting certain transactions by the auditor at the time of their input.
 Internet – refers to the worldwide network of computer networks; it is a shared public network
that enables communication with other entities and individuals around the world.
 When e-commerce has a significant effect on the entity’s business, appropriate levels of
both information technology and internet business knowledge may be required to:
 Understand the e-commerce activities as they may affect the financial statements
 Determine the nature, timing and extent of audit procedures and evaluate audit
evidence.
 Consider the effect of the entity’s dependence on e-commerce activities on its ability
to continue as a going concern.
 In obtaining or updating knowledge of the entity’s business, the auditor considers, insofar
as they affect the financial statements:
 The entity’s business activities and industry
 The entity’s e-commerce strategy
 The extent of the entity’s e-commerce activities
 The entity’s outsourcing arrangements
 The entity’s e-commerce strategy, including the way it uses IT for e-commerce and its
assessment of acceptable risk levels, may affect the security of the financial records and
the completeness and reliability of the financial information produced.
 As an entity becomes more involved with e-commerce, and as its internal systems become
more integrated and complex, it becomes more likely that new ways of transacting
business will differ from traditional forms of business activities and will introduce new
types of risks.
 Management faces many business risks relating to the entity’s e-commerce activities
including:
 Loss of transaction integrity, the effects of which may be compounded by the lack of an
adequate audit trail in either paper or electronic form.
 Pervasive e-commerce security risks
 Improper accounting policies
 Noncompliance with taxation and other legal and regulatory requirements
 Failure to ensure that contracts evidenced only by electronic means are binding
 Over reliance on e-commerce when placing significant business systems or other
business transactions on the internet.
 Systems and infrastructure failures or “crashes”
 Factors that may give rise to taxes on e-commerce transactions include the place where:
 The entity is legally registered
 Its physical operations are based
 Its web server is located
 Goods and services are supplied from
 Its customers are located or goods and services are delivered
 When electronic commerce systems are highly automated, when transaction volumes are
high, or when electronic evidence comprising the audit trail is not retained, the auditor
may determine that it is not possible to reduce audit risk to an acceptably low level
using only substantive procedures.
 The following aspects of internal control are particularly relevant when the entity engages
in e-commerce:
 Maintaining the integrity of control procedures in the quickly changing e-commerce
environment.
 Ensuring access to relevant records for the entity’s need for audit purposes.
 The entity’s security infrastructure and related controls are a particularly important feature
of its internal control system when external parties are able to access the entity’s
information system using a public network.
 Audit procedures regarding the integrity of information in the accounting system relating
to e-commerce transactions are largely concerned with evaluating the reliability of the
systems in use for capturing and processing such information.
 Process alignment – refers to the way various IT systems are integrated with one another
and thus operate, in effect, as one system.
 In an e-commerce environment, it is important that transactions generated from an entity’s
web site are processed properly by the entity’s internal systems.
 The auditor considers whether the entity’s information security policies and security
controls as implemented are adequate to prevent unauthorized changes to the accounting
system or records, or to systems that provide data to the accounting system.
