AUDITING IN COMPUTERISED ENVIRONMENT
Introduction
Information Technology (IT) is integral to modern accounting and management information
systems. It is, therefore, essential that auditors should be aware of the impact of IT on the audit
of a client’s financial statements. Information Technology auditing (IT auditing) began as
Electronic Data Process (EDP) auditing and developed largely as a result of the rise in
technology in accounting systems. The last few years have been an exciting time in the world of
IT auditing as a result of the accounting scandals and increased regulations. Regardless of the
computer systems used, the audit objectives and approach remain largely unchanged from
those of an audit carried out in a non-computer environment.
Uses of a computer by the auditor
• Increase the accuracy of audit tests;
• Perform audit tests more efficiently;
• Test the reliability of client software; and
• Independently access the data stored on a computer system without dependence on the
client.
Computer Assisted Audit Techniques are used in performing several auditing measures
and processes, including:
• Analytical procedures, such as discovering major irregularities or variations;
• Implementing modules to obtain data for audit testing;
• Testing of application controls, as in evaluating the running of a program.
IT audit and Computer-based audit
The terms “IT audit” and “computer-based audit” are used interchangeably to describe the
controls operated by computers but from here on the term IT audit will be used.
Hence, when an auditor undertakes an IT audit, it is to review and evaluate the availability,
confidentiality, and integrity of an organization’s information systems.
This will require the auditor to pose certain questions to ensure:
1. Availability
Potential question - What measures are in place to ensure that the data is available when
required? To answer this question the auditor will access the organization’s computer system to
ensure it will be available for the business at all times when required.
2. Confidentiality
Potential question - What controls are available to ensure that only authorized personnel can
access the data? The auditor will wish to review and test the confidentiality of the organization’s
information to understand that the information in the systems is only disclosed to authorized users.
3. Integrity
Potential question - What controls are in place to prevent unauthorized changes to the data?
Finally the auditor will endeavor to ensure the integrity of the information. This means that the
information provided by the system is accurate, reliable, and timely.
The auditor may also need to consider some other key factors which will influence the effective
application of controls within the IT system. These factors include the following:
• Whether processing is centralized or decentralized
• The complexity and level of customization of the IT system
• The availability of skilled and experienced audit staff.
Once a decision has been made to evaluate IT controls, there are two major types of controls in
computerized systems to be considered.
General controls:
• These are controls over the environment in which the computer system is operated. Broadly
speaking, this type of control includes:
Organizational controls
Systems development controls
Maintenance controls
Access controls
Other general controls
As set out above, the key audit objective when reviewing general IT controls is to ensure that
the integrity, availability and confidentiality of the data is appropriately controlled. In order to
meet this objective, the auditor will look to identify and test relevant control activities under each
of the general control categories as follows:
IT Information Security
In the area of information security the key risks include allowing access to the information by
more people than is necessary through a failure to implement appropriate logical security,
including user names and passwords, and a failure to implement a secure user access management
process, including a process to approve the setup of new users and to remove access once a
person leaves employment. It is also important to ensure that there is an appropriate segregation
of duties.
The key controls include:
• implementing logical security tools, such as passwords, firewalls and virus protection, to govern
access;
• ensuring that appropriate physical and environmental security measures are taken;
• introducing a process to govern the granting and removing of access to the systems, and a
process to review access from time to time to ensure that any segregation of duties issues are
identified.
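An added example, not part of the original notes: the periodic access review described above, run as a computer-assisted test over constructed HR and account extracts. The field names, role names and conflicting role pairs are assumptions made for the illustration.

```python
from datetime import date

# Constructed sample extracts (not real data): HR records and system accounts.
HR = {
    "E100": {"name": "A. Mensah", "left": None},
    "E101": {"name": "B. Osei", "left": date(2024, 3, 31)},
    "E102": {"name": "C. Addo", "left": None},
}
ACCOUNTS = [
    {"user": "amensah", "emp": "E100", "active": True, "roles": {"AP_CREATE_INVOICE"}},
    {"user": "bosei", "emp": "E101", "active": True, "roles": {"GL_POST"}},
    {"user": "caddo", "emp": "E102", "active": True,
     "roles": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}},
    {"user": "svc_batch", "emp": None, "active": True, "roles": {"JOB_RUN"}},
]
# Assumed segregation-of-duties rules: role pairs one person should not hold.
SOD_CONFLICTS = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),
    ("AP_CREATE_INVOICE", "AP_APPROVE_PAYMENT"),
]

def review_access(accounts, hr, conflicts, as_of):
    """Return findings as (user, finding_type, detail) tuples."""
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue
        emp = hr.get(acct["emp"])
        if emp is None:
            # Active account that nobody in HR owns (shared or orphaned account).
            findings.append((acct["user"], "NO_OWNER", "not linked to an HR record"))
        elif emp["left"] is not None and emp["left"] <= as_of:
            # Access was not removed when the person left employment.
            findings.append((acct["user"], "LEAVER_ACTIVE", f"left {emp['left']}"))
        for a, b in conflicts:
            if a in acct["roles"] and b in acct["roles"]:
                findings.append((acct["user"], "SOD_CONFLICT", f"{a} + {b}"))
    return findings

if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR, SOD_CONFLICTS, date(2024, 6, 30)):
        print(*finding, sep=" | ")
```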
IT systems Change Control
The key risks associated with the area of IT change control include the risk that changes are not
properly approved by management and that changes are not fully tested so that they deliver their
objectives.
The key controls to address these risks include:
• the use of Formal Acquisition and Development Procedures, which ensure that before any
changes begin they are fully approved by management to ensure that they are in line with the
organization’s IT aims and objectives;
• a procedure to ensure that all that is converted from older systems is fully reviewed to
ensure that it has been moved correctly;
• controls to restrict access and the ability to make changes so that changes cannot be
commenced without approval;
• procedures to ensure that Formal Testing is carried out before the changes are implemented.
This should include testing by users to ensure that the changes achieve their aims and by IT to
ensure that the changes are correctly developed from a technical point of view.
IT Operations
The main risks in the area of IT operations and interfaces are that not all scheduled jobs run
successfully, that data does not flow accurately from one application to another, that data is not
appropriately backed up and that additional or unapproved tasks are run on the systems.
The key controls include:
• a process to monitor all overnight or batch jobs to ensure that these have completed
successfully;
• controls to restrict the ability to make changes to scheduled jobs;
• a process to identify and follow up on any jobs which fail to run correctly.
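An added example, not part of the original notes: a batch-job review that tests for the four operations risks named above (failed jobs, inaccurate interface transfers, jobs that did not run, and unapproved jobs). The log format, job names and approved schedule are constructed for the illustration.

```python
from collections import defaultdict

# Assumed approved nightly schedule (hypothetical job names).
APPROVED = {"gl_post", "ar_interface", "backup_full"}

# Constructed scheduler log: "<date> <job> <status> rows_sent=<n> rows_loaded=<n>"
LOG = """\
2024-06-29 gl_post OK rows_sent=120 rows_loaded=120
2024-06-29 ar_interface OK rows_sent=310 rows_loaded=298
2024-06-29 backup_full OK rows_sent=0 rows_loaded=0
2024-06-29 adhoc_export OK rows_sent=5000 rows_loaded=5000
2024-06-30 gl_post FAILED rows_sent=0 rows_loaded=0
2024-06-30 ar_interface OK rows_sent=305 rows_loaded=305
"""

def review_jobs(log_text, approved):
    """Return (date, job, finding) tuples for follow-up."""
    seen = defaultdict(set)          # date -> jobs that appear in the log
    findings = []
    for line in log_text.strip().splitlines():
        day, job, status, sent_f, loaded_f = line.split()
        seen[day].add(job)
        sent = int(sent_f.split("=")[1])
        loaded = int(loaded_f.split("=")[1])
        if job not in approved:
            findings.append((day, job, "UNAPPROVED"))
        if status != "OK":
            findings.append((day, job, "FAILED"))
        elif sent != loaded:
            # Job reported success but the receiving side holds fewer or more rows.
            findings.append((day, job, "INTERFACE_MISMATCH"))
    for day in sorted(seen):
        for job in sorted(approved - seen[day]):
            findings.append((day, job, "NOT_RUN"))
    return findings

if __name__ == "__main__":
    for finding in review_jobs(LOG, APPROVED):
        print(*finding)
```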
Application controls:
• These are controls designed with the objective of ensuring the accuracy and completeness of:
Data input controls
Data processing controls
Data output controls
Application controls are designed to: (i) detect errors before, during and after the processing of
specific types of transaction, (ii) support the IT system controls, and (iii) support a sound system
of internal control for the entity. Application controls also provide the auditor with the comfort
that the recording, the processing and the reports generated by the computer system are performed
properly.
Data Input Controls
Input controls are extremely important as a lot of errors may occur at the input stage. Such
controls are designed to ensure that the input data has been authorized correctly, is complete,
and is accurate. If input errors are detected by the IT system, these need to be
reviewed, corrected and resubmitted for inputting into the system again.
These controls include the following:
• Control Totals
• Hash Totals
• Editing Checks
• Key Verification
• Missing Data Check
• Check Digit Verification
• Sequence Check
• Manual Visual Scanning
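An added example, not part of the original notes: several of the input controls listed above applied to one keyed batch. The notes do not define the controls, so the example uses their usual meanings (control total over the amount field, hash total over the account numbers) and assumes the Luhn scheme for the check digit; the batch is constructed.

```python
def luhn_ok(number):
    """Check digit verification using the Luhn scheme (an assumed choice)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 if d <= 4 else d * 2 - 9
        total += d
    return total % 10 == 0

def check_batch(header, records):
    """Return (control, detail) exceptions for one keyed batch."""
    exceptions, expected = [], header["first_seq"]
    for rec in records:
        if rec["seq"] != expected:          # sequence check
            exceptions.append(("SEQUENCE", f"expected {expected}, got {rec['seq']}"))
        expected = rec["seq"] + 1
        missing = [k for k in ("account", "amount") if rec.get(k) in (None, "")]
        if missing:                         # missing data check
            exceptions.append(("MISSING_DATA", f"seq {rec['seq']}: {missing}"))
        if rec.get("account") and not luhn_ok(rec["account"]):
            exceptions.append(("CHECK_DIGIT", f"seq {rec['seq']}: {rec['account']}"))
    totals = {
        "count": len(records),
        "control_total": sum(r.get("amount") or 0 for r in records),
        "hash_total": sum(int(r["account"]) for r in records
                          if (r.get("account") or "").isdigit()),
    }
    for name, actual in totals.items():     # compare with totals agreed before input
        if actual != header[name]:
            exceptions.append((name.upper(), f"header {header[name]}, batch {actual}"))
    return exceptions

# Constructed sample batch (not real data); amounts are in cents.
HEADER = {"first_seq": 1, "count": 5, "control_total": 185050, "hash_total": 500169}
KEYED = [
    {"seq": 1, "account": "100016", "amount": 12000},
    {"seq": 2, "account": "100042", "amount": 45050},   # transposed from 100024
    {"seq": 3, "account": "100032", "amount": None},    # amount left blank
    {"seq": 5, "account": "100057", "amount": 90000},   # seq 4 never keyed
]

if __name__ == "__main__":
    for control, detail in check_batch(HEADER, KEYED):
        print(control, "-", detail)
```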
Data Processing Controls
Processing controls are designed to provide reasonable assurance that the computer processes
have been performed as intended. They ensure that the transactions are not duplicated or lost or
improperly changed in any way and that errors are identified and corrected on a timely basis.
These controls include the following:
• Reasonableness Checks
• File Identification Labels
• Before & After Report
• Control Totals
Data Output Controls
Data output controls are designed to ensure that the processing has been correctly carried out,
and the output reports are then distributed to authorized personnel only.
These controls include the following:
• Visual Scanning
• Reconciliation
Audit Approach in Computerized Environment
1. Auditing Around the Computer: This is auditing done by the traditional method. The
auditor summarizes the input data and ignores the computer’s processing but ensures the
correctness of the output data generated by the computer; this approach is generally referred to as
“auditing around the computer”. This methodology was primarily focused on ensuring that
source documentation was correctly processed, and this was verified by checking the output
documentation to the source documentation.
2. Auditing through the Computer: Due to the “real time” computer environments, there may
only be a limited amount of source documentation or paperwork, hence the auditor may employ
an approach known as “auditing through the computer”. In this approach, the reliability and
accuracy of the results are analyzed through the computer. This involves the auditor performing
tests on the information technology controls to evaluate their effectiveness, such as compliance
tests, test packs and reprocessing.
3. Auditing with the Computer: The auditor uses the computer for some audit work, using
general software for purposes such as calculating depreciation, printing letters,
duplicate checking and file comparison.
The computer is not used for all the audit work; the remainder is done manually.
Audit Process for Computerized Accounting System
The audit process for a computerized accounting system involves the following five major steps:
1. Conducting Preliminary Survey: This is preliminary work to plan how the audit should be
conducted. The auditors gather information about the computerized accounting system that is
relevant to the audit plan. This includes an understanding of how the computerized accounting
functions are organized, identification of the computer software used, an understanding of the
accounting applications processed by computer and identification of the applicable controls.
2. Reviewing and Assessing Internal Controls: There are two types of controls namely general
controls and application controls.
• General Controls: General controls are those that cover the organization, management
and processing within the computer environment. They should be tested prior to application
controls, because if they are found to be ineffective, the auditor will not be able to rely on
application controls. General controls include proper segregation of duties, file backup, use of
labels, access control, etc.
• Application Controls: Application controls relate to specific tasks performed by the
system. They include input controls, processing controls, and output controls. They should
provide reasonable assurance that the initiating, recording, processing and reporting of data are
properly performed.
3. Compliance Testing: Compliance testing is performed to determine whether the controls
actually exist and function as intended. This can be performed by comparing the results to
predetermined results or by processing dummy transactions.
4. Substantive Testing: This is performed to determine whether the data is real. Substantive
tests are tests of transactions and balances and analytical procedures designed to substantiate the
assertions. Auditors must obtain and evaluate evidence concerning management’s assertions
about the financial statements. The auditor must obtain sufficient competent evidential matter to
provide a basis for an opinion regarding the financial statements under audit. If sufficient
competent evidence cannot be obtained then an opinion cannot be issued.
5. Audit Reporting: The audit report will contain detailed information on various aspects of
the auditors’ findings in the process of audit in a computerized environment.