
Computer Systems Audit Overview

An audit of a computer system must provide an audit trail to trace outputs back to inputs. Common audit trail methods include document numbers, dates, and batch numbers. Auditors can audit either around or through the computer, and computer-aided techniques like test data and embedded audit facilities are used.

Uploaded by

weazwess

AUDIT OF COMPUTER SYSTEMS

Any computer system which processes financial records for a company must be audited. The obvious problem
with auditing a computer system is that processing operations cannot be seen, and the results of processing
might be stored on a magnetic disk.

Audit trails
One way of allowing a computer system to be audited is to provide an audit trail. An audit trail is defined by the
British Computer Society as 'a record of the file updating that takes place during a specific transaction. It
enables a trace to be kept of all operations on files'.

The term audit trail is also used to refer to the ability to trace outputs back to inputs (eg it should be possible to
trace an output total to input data).

Whereas an audit package is some external software which can be used to help with computer auditing, an audit
trail is inbuilt into the system itself.

The original concept of a management or audit trail was to print out data at all stages of processing so that a
manager or auditor could follow transactions stage-by-stage through a system to ensure that they had been
processed correctly. Modern computer methods have now cut out much of this laborious, time-consuming
stage-by-stage working but there should still be some means of identifying individual file records and output
documents associated with the processing of any individual transaction.

A management trail should be provided so that every transaction on a file contains a unique reference back to
the original source of the input (eg a sales system transaction record should hold a reference to the customer
order, delivery note and invoice). Where master file records are updated several times, or from several sources,
the provision of a satisfactory management and audit trail is more difficult but some attempt should
nevertheless be made to provide one.

Common methods of identifying the source of input are:

(a) for transaction records:
(i) document serial number;
(ii) date of transaction;
(iii) batch number;
(iv) microfilm number;

(b) for master file records:
(i) date and run number of last transaction which affected the record;
(ii) reference to when the master file record was last printed.

Computer-originated documents may be used to generate new transactions (eg OCR turn-round documents).
An audit trail should then enable the new transaction to be referred, if required, back to the computer
system/run which created the source record.
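
The trail checks described in this section can be expressed as a short routine. The following is an added example, not part of the original document: the record layout, field names and sample data are constructed for illustration. It traces each output total back to its input records and each record back to its source document by serial number.

```python
from collections import Counter, defaultdict

# Constructed sample data; amounts are held in pence to avoid float rounding.
SOURCE_DOCS = {"INV-1001": 25000, "INV-1002": 9950, "INV-1003": 41025}
TRANSACTIONS = [
    {"serial": "INV-1001", "date": "2024-03-01", "batch": "B01", "amount": 25000},
    {"serial": "INV-1002", "date": "2024-03-01", "batch": "B01", "amount": 9950},
    {"serial": "INV-1002", "date": "2024-03-02", "batch": "B02", "amount": 9950},
    {"serial": "INV-1003", "date": "2024-03-02", "batch": "B02", "amount": 40125},
    {"serial": None, "date": "2024-03-02", "batch": "B02", "amount": 7500},
]
OUTPUT_TOTALS = {"B01": 34950, "B02": 58475}  # batch totals reported by the system


def audit_trail_exceptions(transactions, source_docs, output_totals):
    """Return (kind, detail) tuples for every break found in the audit trail."""
    exceptions = []
    seen = Counter(t["serial"] for t in transactions if t["serial"])
    batch_sums = defaultdict(int)
    for t in transactions:
        batch_sums[t["batch"]] += t["amount"]
        serial = t["serial"]
        if not serial:
            # The record cannot be referred back to any source document.
            exceptions.append(("no_source_reference", t["batch"]))
        elif serial not in source_docs:
            exceptions.append(("unknown_source_document", serial))
        elif t["amount"] != source_docs[serial]:
            exceptions.append(("amount_differs_from_source", serial))
    # A document serial number should identify exactly one transaction.
    for serial, count in seen.items():
        if count > 1:
            exceptions.append(("duplicate_serial", serial))
    # Trace each output total back to the input records that should make it up.
    for batch, reported in output_totals.items():
        if batch_sums.get(batch, 0) != reported:
            exceptions.append(("output_total_not_traceable", batch))
    return exceptions


if __name__ == "__main__":
    for kind, detail in audit_trail_exceptions(TRANSACTIONS, SOURCE_DOCS, OUTPUT_TOTALS):
        print(f"{kind}: {detail}")
```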

Systems checks and controls


The auditor of a computer system should have confidence in the controls within the system itself, and should
not have to rely entirely on audit trails and hard copy historical records.

The system controls will include:

(a) controls over input, to ensure:
(i) that all source documents are correctly completed and are transmitted to the computer department;
(ii) that all source documents are received by the computer department and are correctly converted into the
computer input media;
(iii) that all the data on the input medium is transmitted accurately to the computer centre and accepted by the
computer;

(b) controls over hardware, including proper maintenance, environment control and hardware controls checks
(eg parity checks, overflow checks, validity checks, terminal readiness checks, data transmission checks etc);

(c) controls over files, to ensure that only the right files are used in processing and are then correctly used in
processing (eg maintenance of library logs and internal and external labels; use of write permit rings or file
masks; dumping and reconstruction procedures);

(d) software (program) controls. To ensure that only valid data is processed, all new input will undergo
validation tests.

Round the computer vs through the computer audits

Traditionally, the ways in which an auditor could approach the systems audit of a computer-based system fell
into two categories:

(a) a 'round the computer' approach;
(b) a 'through the computer' approach.

Some years ago, it was widely considered that an accountant could discharge his duties as an internal auditor in
a company with computer based systems without having any detailed knowledge of computers. The auditor
would audit 'round the computer' by ignoring the procedures which take place within the computer programs
and concentrating solely on the input and corresponding output. Audit procedures would include checking
authorisation, coding and control totals of input and checking the output with source documents and clerical
control tests.

This view is now frowned upon and it is recognised that one of the principal problems facing the internal
auditor is that of acquiring an understanding of the workings of the DP department and of the computer itself. It
is now customary for auditors to audit 'through the computer'. This involves an examination of the detailed
processing routines of the computer to determine whether the controls in the system are adequate to ensure
complete and correct processing of all data. With the advent of 'embedded audit facilities' we are increasingly
seeing the introduction of auditing from 'within the computer'.

One of the major reasons why the 'round the computer' audit approach is no longer considered adequate is that
as the complexity of computer systems has increased there has been a corresponding loss of audit trail. One
way the auditor can try to overcome the difficulties of lost audit trails is by employing Computer Aided Audit
Techniques (CAATs).

Type of CAATs
Some special computer-aided audit techniques might be used (eg auditing test packs, and computer audit
programs to read files, extract defined information and carry out work on the controls). There are two principal
categories of CAAT: test data and audit software.

Audit test data consists of data prepared by the auditor for processing by the computer system. It may be
processed during a normal processing run ('live' test data), or at a point in time outside the normal processing
cycle ('dead' test data).

The use of test data provides 'compliance comfort' to the auditor in respect of a period of time only if he obtains
reasonable assurance that the programs processing his test data were used throughout the period under review.
To allow a continuous review of data and the manner in which it is treated by the system, it may be possible to
use CAATs referred to as embedded audit facilities. An embedded facility consists of program coding or
additional data provided by the auditor and incorporated into the computer system itself. Two examples are:
(a) Integrated Test Facility (ITF); and
(b) Systems Control and Review File (SCARF).

Audit packages

Computerised auditing packages are used by auditors to help them with auditing a computer system. They
provide two functions:

(a) they generate test data sets which may then be processed by the client's system to evaluate its effectiveness
and internal controls, and

(b) they may be used to aid the testing of a client's records as part of the general review of the client's
performance and accounting operations.

Standard software packages are available to help auditors with the audit of a computer system - ie the master
files, transaction files and processing routines. Features of these packages include:

(a) reformatting of a master file to allow the auditor to interrogate the file with his own programs;
(b) computational checks on interest, discounts, extensions, totals etc;
(c) the verification of file controls;
(d) the verification of individual balances on records;
(e) the extraction of random samples of items for checks;
(f) the facility to print out any data from a master file in any format the auditor requires;
(g) the extraction of records from a file which contain a specified field with a value above or below a certain
value.
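
Several of the features listed above, namely (b), (c), (e) and (g), fit in a few lines of file interrogation. This is an added example and not code from any audit package: the file layout, field names and figures are constructed for illustration. In the sample data the file control total agrees even though one extension is wrong, which is why the computational check is run as a separate test.

```python
import random

# Constructed master file extract; money is held in pence.
MASTER = [
    {"id": "A1", "qty": 3, "unit_price": 1250, "extension": 3750},
    {"id": "A2", "qty": 10, "unit_price": 499, "extension": 4990},
    {"id": "A3", "qty": 7, "unit_price": 2000, "extension": 41000},  # wrong extension
    {"id": "A4", "qty": 1, "unit_price": 98000, "extension": 98000},
    {"id": "A5", "qty": 2, "unit_price": 150, "extension": 300},
]
TRAILER_CONTROL_TOTAL = 148040  # control total carried with the file (constructed)


def computational_check(records):
    """(b) Recompute qty x unit_price; return ids whose stored extension differs."""
    return [r["id"] for r in records if r["qty"] * r["unit_price"] != r["extension"]]


def verify_file_control(records, control_total, field="extension"):
    """(c) Agree the sum of a field over all records to the file control total."""
    return sum(r[field] for r in records) == control_total


def extract(records, field, above=None, below=None):
    """(g) Ids of records whose field lies above and/or below the given limits."""
    return [
        r["id"]
        for r in records
        if (above is None or r[field] > above) and (below is None or r[field] < below)
    ]


def sample(records, n, seed):
    """(e) Random sample; a recorded seed lets a reviewer re-perform the selection."""
    return [r["id"] for r in random.Random(seed).sample(records, n)]


if __name__ == "__main__":
    print("control total agrees:", verify_file_control(MASTER, TRAILER_CONTROL_TOTAL))
    print("extension errors:", computational_check(MASTER))
    print("extensions above 40000:", extract(MASTER, "extension", above=40000))
    print("sample of 2:", sample(MASTER, 2, seed=7))
```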

The organisation's personnel should be isolated from the auditing tests undertaken. Computer crimes are most
often committed by the data processing personnel so any intensive review of their work practices or the systems
they control will first need to remove them from any position which could alter the normal working of the
system. If the system has been subverted the auditor has a duty to catch it in the act if possible.

Computerised auditing packages which generate test data may be used to check that the system is processing
transactions correctly. For example, in the audit package for an accounting system, it would be possible to
determine how various test data transactions should show up in the accounts; if some error occurred in
processing them, further investigation would be necessary.
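
The test data approach described above, as an added example that is not part of the original document. `client_post` is a hypothetical stand-in for the client's posting program, with a validation defect planted for the demonstration; the test pack, account codes and balances are constructed.

```python
def client_post(txn, balances):
    """Hypothetical stand-in for the client's program: validate and post one sale."""
    if txn["account"] not in balances:
        return "rejected"
    if txn["amount"] == 0:
        return "rejected"
    # Planted defect: negative amounts are not rejected by validation.
    balances[txn["account"]] += txn["amount"]
    return "posted"


# Auditor's test pack (constructed): each item carries its predetermined result.
TEST_PACK = [
    {"ref": "T1", "account": "C100", "amount": 5000, "expect": "posted"},
    {"ref": "T2", "account": "C999", "amount": 5000, "expect": "rejected"},  # no such account
    {"ref": "T3", "account": "C100", "amount": 0, "expect": "rejected"},
    {"ref": "T4", "account": "C200", "amount": -2500, "expect": "rejected"},  # negative sale
]
OPENING = {"C100": 10000, "C200": 0}  # balances in pence


def run_test_pack(pack, opening, system):
    """Process the pack and compare actual results with the predetermined ones."""
    balances = dict(opening)  # 'dead' test data: run on a copy, outside live processing
    expected = dict(opening)
    deviations = []
    for t in pack:
        if t["expect"] == "posted":
            expected[t["account"]] += t["amount"]
        actual = system(t, balances)
        if actual != t["expect"]:
            deviations.append((t["ref"], t["expect"], actual))
    # How the test data shows up in the accounts versus how it should show up.
    wrong_balances = {
        acct: (expected[acct], balances[acct])
        for acct in expected
        if expected[acct] != balances[acct]
    }
    return deviations, wrong_balances


if __name__ == "__main__":
    deviations, wrong_balances = run_test_pack(TEST_PACK, OPENING, client_post)
    print("deviations (ref, expected, actual):", deviations)
    print("balances (expected, actual):", wrong_balances)
```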

Errors could have two sources: an inadvertent error in the design or implementation of the system, or a
purposeful malfunction intended to defraud the organisation. System bugs identified by the auditors should be
brought to the attention of the client so that they may be corrected. Fraudulent processing operations will also
need to be pursued with a particular view to establishing the extent of the operation and responsibility.

The use of auditing packages also provides the auditor with a variety of computerised tools which may be used
not only for evaluating the computer system and its operations but may also be extended to the auditing of other
organisational functions. These programs perform generalised auditing and may be widely used among a variety of
clients.

Audit packages are being increasingly used by external auditors, and also some internal auditors, and should
improve the efficiency of the computer audit.

The auditor can also use:

(a) spreadsheets, to carry out analytical review procedures;
(b) word processors, to generate audit program documentation.
