INTRODUCTION TO

COMPUTER AUDIT

COMPUTERIZED
INFORMATION SYSTEM
(CIS) ENVIRONMENT
CHANGING IN IT & ITS EFFECT ON
AUDITING
Technology presents both challenges & opportunity for auditors

Challenges : understand the tech & its impact to the audit
process, thus require additional education & training

Opportunities : CIS allows audit to be conducted in a less routine
manner, > interesting to audit staffs & perhaps > efficient manner

Audit implication : controls on the data processing and the
transmitting of the data where assets & records may be
misappropriated. Also, the completeness & accuracy of the data
sent back & forth btw the central (server) & divisional (client)
computers.
CHANGING IN IT & ITS EFFECT ON
AUDITING (contd)
Organizational change
In a CIS environment, client may need separate room with special
environment ctrl such as air-conditioned for the computer
Staff requirement programmers, analysts, data entry clerk,
librarian in order to run the system

Visibility of information
May not be visible as data are usually entered directly into the
computer.
No audit trail as source documents are often eliminated & later
maintained in machine-readable form
CHANGING IN IT & ITS EFFECT ON
AUDITING (contd)
Potential of material misstatement

Less human involvement may allow mistakes to flow through the
system undetected

The uniformity of processing may pose a problem. When the
information is in the computer, it is processed consistently with
previous and subsequent information. This may increase
erroneous risk resulting in the accumulation of a great number of
misstatements in a short period of time

Unauthorized access leads to programs & records being
improperly changed. Data may be lost or destructed as a result
of a great amount of data are being deleted or changed.
SIMILARITIES BETWEEN AUDITING IN A CIS
ENVIRONMENT & MANUAL SYSTEM
Accounting concepts & system

Scope of audit i.e. governed by the legislations,
regulations and Auditing Standard

Audit obj i.e. express opinion on the true &
fairness of the FS

DIFFERENCES BETWEEN MANUAL & CIS
Processing of financial data

Storage of financial data
Data are stored into the computer, no audit trail.

Communication of financial information

Organisational structure & procedures employed
Elimination of segregation of duties, hence mgmt has to
increase supervision through internal audit
CONTROLS AFFECTED BY CIS/IT (1)
The presence of automated processing for significant a/c
applications affects how entity implements its IC

CONTROL ENVIRONMENT FACTORS
Assignment of authority & responsibility
One user vs database mgmt system (multiple users)
HR policies & practices
The need to have personnel with skills & expertise


CONTROLS AFFECTED BY CIS/IT (2)
CONTROL PROCEDURES
Info processing
Affect the authorisation of transactions & keeping adequate
documents no hardcopy of source documents & records for
auditors to check i.e. normal paper audit trail unavailable
Eg: credit for sales transactions approved automatically
Proper segregation of duties
Physical controls over assets
Records concentrated in the database system or be accessible
through the computer terminals easier to hide the theft of
assets. Eg. Fictitious purchases of goods

ELEMENT OF CIS
Basically, there are 6 elements in the CIS:-
1) Hardware
2) Software
3) Documentation
4) Personnel
5) Data
6) Information processing control related to :
Input
Processing
Output of data


TYPES OF CONTROLS IN AN IT
ENVIRONMENT
General Control
- AI 1008 (# 6-7)
- relates to overall information
processing environment & have a
pervasive effect on the entitys IS &
operations. They include controls over
the following:
Data centre and network
operations
Systems software acquisition,
change & maintenance
Access security
Application system acquisition,
development & maintenance

Application control - AI 1008 (#8)
- relates to specific computer
applications
Data capture control
Concerned with validity,
completeness & valuation IC
objective
Data validation control
Concerned with validity control

Processing controls
Output controls
Error controls
AUDIT APPROACH IN A CIS
ENVIRONMENT (1)
Audit round the machine

1. Computer treated as black box &
processing took place in computer
is being ignored

2. Auditor relies on the initial output;
checking its validity whether it is
properly authorized & described,
properly coded & the final output:
the printout.

3. The output is compared to the
source documents & control totals
as a check on accurate processing

Audit through the machine
(Using CAATs)
Auditor concentrates on proving the
accuracy of the input data followed by
a thorough examination of the
processing procedures in order to
establish:
1. All input has been keyed into the
computer
2. Ensuring that the usual conditions
in the input cannot cause error in
processing
3. Ensuring that neither the computer
nor the operators can cause
undetected irregularities in the final
reports
4. Programs are functioning properly.
AUDIT APPROACH IN A CIS
ENVIRONMENT (2)
Audit round the machine

In summary, auditor does
not examine the
computer processing, but
instead the auditor
emphasizes on:
Ensuring the completeness,
accuracy & validity of info by
comparing the output reports
with the input documents
Ensure the effectiveness of input
& output controls
Ensuring the adequacy of
segregation of duties



Audit through the machine
In summary, auditor is
interested to study the
computer processing.
Emphasize on all aspects of IC.
Use CAATs to perform a >
efficient & effective audit.
CAAT assist in organizing,
analysing & extracting
computerize data &
reperforming computations &
other processing.
AUDIT AROUND THE COMPUTER
INPUT
OUTPUT

AUDIT THROUGH THE COMPUTER
INPUT
OUTPUT

COMPUTER ASSISTED AUDIT
TECHNIQUES (CAAT)
Types of CAAT:
Generalised Audit Software (GAS)
Custom Audit Software
Test Data
Parallel Simulation
Integrated Test Facility
Concurrent Auditing Technique
COMPUTER ASSISTED AUDIT
TECHNIQUES (CAAT)
GENERALISED AUDIT
SOFTWARE
Used by auditor during
substantive testing, to determine
the reliability of ac controls &
integrity of computerized acc
records

Consists of computer programs
used by the auditor as part of his
auditing procedures.

May consist of package
programs, purpose-written
program & utility program

TEST DATA

Used in conducting audit
procedures i.e. test of control by
entering data, such as dummy
transactions, into the EDP system
& comparing the results obtained
with predetermined results.

For instance, auditor may audit a
sample of transactions in an
entitys computer system &
comparing the results with the
predetermined results.
FUNCTIONS OF CAAT
Test of details of transactions & balances
Analytical Review Procedures
Compliance tasks of general CIS control
Compliance tasks of CIS application controls
Provides one way to standardise audit
procedure performed for each audit.
CONSIDERATIONS IN THE USE OF CAATs
Computer knowledge, expertise & experience
Availability of CAATs & suitable computer facility (hardware)
Impracticability of manual tests
Costs associated with using CAATs

Computer in AUDIT MANAGEMENT
Spreadsheets a/c preparation, time/cost budgeting, AP
Statistical packages select items to be tested
Word Processing
Reduce the need for support staff, audit prog, WP, lead schedules & other
current file audit documentation
Used to write reports, memos, letters etc
COMPUTER FRAUD
Developments that increase the computer fraud
Categories
Input fraud data input is falsified
Eg fictitious transactions, employees
Processing fraud alterations of system
Output fraud output documents tampered / stolen.
Eg. Printed cheques stolen
Fraudulent use of the computer system
Eg. Using computer for personal purposes

WILL CIS TAKE OVER HUMAN
ROLE AS AUDITOR?