Chapter 3 (with added info): Auditing Data Management Systems

Challenges of Sophisticated Computer Systems
- electronic method of sending documents between companies
- no paper trail for the auditor to follow
- increased emphasis on front-end controls
- security becomes key element in controlling system
Objectives of General Controls
1. Responsibility for control
2. Information system meets needs of entity
3. Efficient implementation of information systems
4. Efficient and effective maintenance of information systems
5. Effective and efficient development and acquisition of information systems
6. Present and future requirements of users can be met
7. Efficient and effective use of resources within information systems processing
8. Complete, accurate and timely processing of authorized information systems
9. Appropriate segregation of incompatible functions
10. All access to information and information systems is authorized
11. Hardware facilities are physically protected from unauthorized access, loss or damage
12. Recovery and resumption of information systems processing
13. Maintenance and recovery of critical user activities
Input Controls
- input data should be authorized & approved
- the system should edit the input data & prevent errors
- Examples include: validity checks, field checks, reasonableness checks, record counts, etc.
Processing Controls
- assure that data entered into the system are processed, processed only once, and processed accurately
- Examples:
  - control, batch, or proof total - a total of a numerical field for all the records of a batch that normally would be added (example: wages expense)
  - logic test - ensures against illogical combinations of information (example: a salaried employee does not report hours worked)
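The input and processing controls named on the two slides above, as an added worked example (not code from the slides): a record-level edit routine applying a field check, validity checks, a reasonableness check and the salaried-employee logic test, followed by the batch-level record count and proof total. The employee master, department table, the 80-hour limit and the keyed batch are assumed values constructed for illustration.

```python
"""Input and processing edit checks over a payroll transaction batch.

Added example, not code from the slides: it implements the control types
the deck names (validity check, field check, reasonableness check, record
count, batch/proof total, logic test) over a constructed batch. The
employee master, department table, the 80-hour limit and the batch itself
are assumed values for illustration.
"""

# Constructed employee master: employee id -> (pay type, department).
EMPLOYEE_MASTER = {
    "E100": ("hourly", "D10"),
    "E101": ("salaried", "D10"),
    "E102": ("hourly", "D20"),
}
VALID_DEPARTMENTS = {"D10", "D20"}   # constructed reference table
MAX_REASONABLE_HOURS = 80.0          # assumed reasonableness limit per pay period

# Constructed batch as keyed by data entry; each record after the first
# carries one defect, so every edit routine fires once.
SAMPLE_BATCH = [
    {"emp_id": "E100", "dept": "D10", "hours": "40"},   # clean record
    {"emp_id": "E101", "dept": "D10", "hours": "38"},   # salaried employee reporting hours
    {"emp_id": "E999", "dept": "D10", "hours": "40"},   # employee not on master file
    {"emp_id": "E102", "dept": "D20", "hours": "4O"},   # letter O keyed instead of zero
    {"emp_id": "E102", "dept": "D20", "hours": "120"},  # hours beyond reasonable limit
]
# Constructed batch header prepared by the data control group from the
# source documents: 5 records, hours 40+38+40+40+120 = 278.
SAMPLE_HEADER = {"record_count": 5, "hours_total": 278.0}


def edit_transaction(txn):
    """Record-level edits; returns a list of error messages (empty = accepted)."""
    errors = []
    # Field check: the hours field must be numeric before anything else is tested.
    try:
        hours = float(txn["hours"])
    except (TypeError, ValueError):
        return ["field: hours not numeric"]
    # Validity checks: codes must exist in the master/reference tables.
    if txn["emp_id"] not in EMPLOYEE_MASTER:
        errors.append("validity: unknown employee")
    if txn["dept"] not in VALID_DEPARTMENTS:
        errors.append("validity: unknown department")
    # Reasonableness check: hours must fall within a plausible range.
    if hours < 0 or hours > MAX_REASONABLE_HOURS:
        errors.append("reasonableness: hours outside 0..80")
    # Logic test: a salaried employee does not report hours worked.
    pay_type = EMPLOYEE_MASTER.get(txn["emp_id"], ("unknown", None))[0]
    if pay_type == "salaried" and hours != 0:
        errors.append("logic: salaried employee reported hours")
    return errors


def edit_batch(batch, header):
    """Apply record-level edits, then the batch-level record count and proof total."""
    accepted, rejected = [], {}
    for index, txn in enumerate(batch):
        errors = edit_transaction(txn)
        if errors:
            rejected[index] = errors
        else:
            accepted.append(txn)

    batch_errors = []
    # Record count: every record on the transmittal must have arrived.
    if len(batch) != header["record_count"]:
        batch_errors.append(
            f"record count mismatch: header {header['record_count']}, received {len(batch)}")
    # Proof total over the hours field; a keying error in any record shows
    # up here even if a record-level edit were bypassed.
    proof_total = 0.0
    for txn in batch:
        try:
            proof_total += float(txn["hours"])
        except (TypeError, ValueError):
            pass   # non-numeric field was already rejected above
    if abs(proof_total - header["hours_total"]) > 0.005:
        batch_errors.append(
            f"proof total mismatch: header {header['hours_total']}, computed {proof_total}")
    return {"accepted": accepted, "rejected": rejected, "batch_errors": batch_errors}


if __name__ == "__main__":
    result = edit_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    for index, errors in result["rejected"].items():
        print(f"record {index} rejected: {'; '.join(errors)}")
    for message in result["batch_errors"]:
        print("batch:", message)
```

The proof total is deliberately computed from the keyed data rather than from the accepted records only: the mis-keyed "4O" record is rejected by the field check, and the same defect also surfaces as a 40-hour shortfall against the header total, which is the independent evidence a data control group would expect to see.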
Output Controls
- assure that data generated by the system are valid, accurate, complete, and distributed to authorized persons in appropriate quantities
Objectives of Application Controls
1. Design application controls with regard to:
- segregation of incompatible functions
- security
- development
- processing of information systems
2. Information provided by the systems is:
- complete
- accurate
- authorized
3. Existence of adequate management trails
There are two general approaches to auditing EDP systems:
1. Auditing around the computer involves extensive testing of the inputs and outputs of the EDP system and little or no testing of processing or computer hardware. This approach involves no tests of the computer programs and no auditor use of the computer. It depends on a visible, traceable, hard copy audit trail made of manually prepared and computer-prepared documents.
2. Auditing with use of the computer involves extensive testing of computer hardware and software.
Techniques for auditing with use of the computer
1. Test data involves auditor preparation of a series of fictitious transactions; many of those transactions will contain intentional errors. The auditor examines the results and determines whether the errors were detected by the client's system.

What are the shortcomings of the use of test data?
- possibility of accidental integration of fictitious and actual data
- preparation of test data that examines all aspects of the application is difficult
- the auditor must make sure that the program being tested is the one actually used in routine processing
Techniques for auditing with use of the computer
2. Parallel simulation
- the auditor writes a computer program that replicates part of the client's system
- the auditor's program is used to process actual client data
- the results from the auditor's program and that of the client's routine processing are compared
Auditing Software
Generalized audit software involves the use of auditor programs, client data, and auditor hardware. The primary advantage of GAS is that the client data can be downloaded into the auditor's system and manipulated in a variety of ways.
Common Audit Software Functions
- verifying extensions and footings
- examining records
- comparing data on separate files
- summarizing or re-sequencing data and performing analyses
- comparing data obtained through other audit procedures with company records
- selecting audit samples
- printing confirmation requests
Differences with Computer Processing
- Audit trails are different than with manual accounting systems
- Portions of audit trails may be temporary or never exist
- Processing is more uniform
- Computer may initiate and complete transactions
- Greater potential for fraud
Impact of Computers on Planning
- Extent to which computers are used
- Complexity of computer operations
- Organizational structure of computer operations
- Availability of data
- Use of CAATs
- Need for specialized skills by auditor
Audit Alternatives
- Continuous (Electronic) Auditing
- Auditing Around the Computer
- Auditing Through the Computer
- Non-concurrent (after-the-fact) auditing
  - Can be used for tests of transactions and balances (substantive tests)
  - Can be used to test the effectiveness of controls at various times in the past
  - Recent SAS pronouncements reduce applicability of non-concurrent auditing
- Concurrent auditing provides greater information about the effectiveness of controls
  - Special audit test records can be used to examine system effectiveness
  - Embedded audit modules collect, process and report audit evidence as it is processed by the system
SAS No. 80
- In entities where significant information is transmitted, processed, maintained, or accessed electronically, the auditor may determine that it is not practical or possible to reduce detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions.
- Due to the short-term nature of electronic data, the auditor should consider the time during which information exists or is available in determining the nature, timing and extent of his tests.
SAS No. 94
- The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
- Amends SAS No. 55, Consideration of Internal Control in a Financial Statement Audit
- SAS No. 94 does NOT change the requirement that the auditor obtain a sufficient understanding of internal control to plan the audit
- SAS No. 94 acknowledges that IT use presents benefits as well as risks to an entity's internal control
- The auditor should expect to encounter IT systems and electronic records rather than paper documents
- An entity's IT use may be so significant that the quality of the audit evidence available to the auditor will depend on the controls that business maintains over its accuracy and completeness
- As companies rely more and more on IT systems and controls, auditors will need to adopt new testing strategies to obtain evidence that controls are effective
- An auditor might need specialized skills to determine the effect of IT on the audit
- In some instances, the auditor may need the skills of a specialist
Areas of Audit Focus
- Auditing computer programs
- Auditing computer processing
- Auditing computer files and databases

Auditing Computer Programs
- Non-processing of data
- Program logic flowchart verification
- Program code checking
- Examination of job accounting and control information
- Review printouts
Non-concurrent Auditing
The Black Box Approach (still allowed?)
- Must be able to locate copies of source documents for transactions and the accounting reports resulting from those transactions
- Must be able to read the source documents and reports without the aid of the client's computer
- Auditor must assess a low level of risk on controls external to EDP

Black Box Approach
- Must trace transactions from the source documents (cradle) to the accounting reports (grave) and from the reports back to the source documents

[Figure: Black Box approach. Source Documents (document, document with error, document) enter the Computer (Black Box) and come out as Output Reports (document, document with error, document); the auditor's Manual Verification runs between the source documents and the output reports.]
Need for Concurrent Auditing
- Disappearing paper-based audit trail
- Continuous monitoring required by advanced systems
- Increasing difficulty of performing transaction walkthroughs
- Presence of entropy (disorder) in systems
- Outsourced and distributed IS
- Increased interorganizational IS (EDI)
EDP Controls

Category: General
- Specific types: Organization and Operation; Systems Development and Documentation; Hardware and Systems Software; Access; Data and Procedural
- Nature: Pertain to EDP environment and all EDP activities

Category: Application
- Specific types: Input; Processing; Output
- Nature: Pertain to specific EDP tasks
Errors and Irregularities / Necessary Control Procedures

INPUT
- Valid data are incorrectly converted to machine-sensible form. Controls: Verification controls; Computer editing; Batch controls; Data control group monitoring
- Properly converted input is lost, duplicated or distorted during handling. Controls: Transmittal controls; Control totals
- Detected erroneous data are not corrected and resubmitted for processing. Controls: Error logs; Data control group monitoring

PROCESSING
- The wrong files are processed and updated. Controls: External file labels; Internal file labels
- Processing errors are made on valid input data. Controls: Control totals
- Illogical or unreasonable input is processed. Controls: Limit and reasonableness tests

OUTPUT
- Output may be incorrect because of processing errors. Controls: Output control totals
- Output may be incorrect because file revisions are unauthorized or unapproved. Controls: Periodic comparisons of file data with source documents
Tests of Controls Techniques
- Auditing Around the Computer: Manually processing selected transactions and comparing results to computer output
- Auditing Through the Computer: Computer assisted techniques
  - Test Decks: Processing dummy transactions and records with errors and exceptions to see that program controls are operating
  - Controlled Programs: Processing real and test data with a copy of the client's program under the auditor's control
  - Program Analysis Techniques: The examination of a computer generated flowchart of the client's program to test the program's logic
  - Tagging and Tracing Transactions: Examination of computer generated details of the steps in processing tagged transactions
  - Integrated Test Facility: A system that processes test data simultaneously with real transactions to allow the system to be constantly monitored
  - Parallel Simulation: The use of an auditor-written program to process client data and comparison of its output to the output generated by the client's program
[Figure: Test data approach. The auditor's test data is run through the client's program (computer processing); the computer results should match the auditor's predetermined results.]
System Concept of Parallel Simulation
[Figure: Transactions and the master file feed both the live system (producing the live file) and the simulated system (producing the simulated output); a comparison of the two outputs yields the exceptions.]
Source: W.C. Mair, "New Techniques in Computer Program Verification," Tempo (Touche Ross & Co., Winter 1971-72), p. 14.
Parallel Simulation
[Figure: The input transaction file and input master file are processed by the system application, producing the output master file, and by the parallel simulation (generalized audit software), producing a second output master file; the two output master files are compared to list discrepancies.]
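Parallel simulation, as described on the "Techniques for auditing with use of the computer" slide and again under "Tests of Controls Techniques" and in the two figures above, as an added worked example (not the deck's code and not any audit-software product): the auditor's own program replicates the client's gross-pay step, processes the client's actual input master and transaction files, and compares its output master with the client's. The overtime policy (1.5x above 40 hours), the files and the defects planted in the client output are assumptions constructed for illustration.

```python
"""Parallel simulation of a client's gross-pay calculation.

Added example, not the deck's code and not any audit-software product:
the auditor's own program replicates the part of the client's system
under test (gross pay with overtime at 1.5x over 40 hours, an assumed
client policy), processes the client's actual input master and
transaction files, and compares its output master with the client's
output master. Every difference becomes an exception. All files are
constructed for illustration.
"""

OVERTIME_THRESHOLD = 40.0    # assumed client policy
OVERTIME_MULTIPLIER = 1.5    # assumed client policy

# Constructed client input master file.
INPUT_MASTER = {
    "E100": {"pay_type": "hourly", "rate": 20.00},
    "E101": {"pay_type": "salaried", "salary": 2000.00},
    "E102": {"pay_type": "hourly", "rate": 25.00},
}
# Constructed client input transaction file: hours reported this period.
INPUT_TRANSACTIONS = [
    {"emp_id": "E100", "hours": 40.0},
    {"emp_id": "E101", "hours": 0.0},
    {"emp_id": "E102", "hours": 46.0},
]
# Constructed client output master file. E102 shows straight time for all
# 46 hours (46 x 25 = 1150) instead of 40 x 25 + 6 x 37.50 = 1225, and
# E103 appears with no input at all: the kind of defects the comparison exposes.
CLIENT_OUTPUT_MASTER = {
    "E100": 800.00,
    "E101": 2000.00,
    "E102": 1150.00,
    "E103": 500.00,
}


def simulate_gross_pay(master, transactions):
    """Auditor's replica of the client's gross-pay step: emp_id -> gross pay."""
    output = {}
    for txn in transactions:
        record = master[txn["emp_id"]]
        if record["pay_type"] == "salaried":
            gross = record["salary"]
        else:
            regular = min(txn["hours"], OVERTIME_THRESHOLD) * record["rate"]
            overtime = (max(txn["hours"] - OVERTIME_THRESHOLD, 0.0)
                        * record["rate"] * OVERTIME_MULTIPLIER)
            gross = regular + overtime
        output[txn["emp_id"]] = round(gross, 2)
    return output


def compare_outputs(simulated, client_output, tolerance=0.005):
    """Match the two output masters record by record; return the exception list."""
    exceptions = []
    for emp_id in sorted(set(simulated) | set(client_output)):
        sim = simulated.get(emp_id)
        cli = client_output.get(emp_id)
        if sim is None or cli is None:
            reason = "missing from simulation" if sim is None else "missing from client output"
            exceptions.append({"emp_id": emp_id, "simulated": sim, "client": cli,
                               "difference": None, "reason": reason})
        elif abs(sim - cli) > tolerance:
            exceptions.append({"emp_id": emp_id, "simulated": sim, "client": cli,
                               "difference": round(cli - sim, 2), "reason": "amount differs"})
    return exceptions


if __name__ == "__main__":
    simulated = simulate_gross_pay(INPUT_MASTER, INPUT_TRANSACTIONS)
    for exc in compare_outputs(simulated, CLIENT_OUTPUT_MASTER):
        print(exc)
```

The comparison iterates over the union of both files rather than over the client's output alone, so a record the client's program produced without any corresponding input (E103) is reported as an exception in the same pass as the amount difference on E102.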
Types of Concurrent Auditing
- Testing real data
  - Tracing transactions
  - Snapshot/extended record (EAM)
  - System Control Audit Review File (SCARF)
- Testing simulated data
  - Test deck approach
  - Integrated test facility (ITF)
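The snapshot/extended record and SCARF techniques listed above, and the embedded audit modules described under "Audit Alternatives", as an added worked example (not the deck's code): an audit hook embedded in a simplified, constructed posting routine that records before/after images for tagged transactions and writes transactions meeting the auditor's criteria to a SCARF file as the system processes them. The accounts, the transactions, the 1,000 amount limit and the override flag are assumed values.

```python
"""Embedded audit module: snapshot (extended record) and SCARF collection.

Added example, not the deck's code: an audit hook embedded in a simplified,
constructed account-posting routine. Transactions the auditor has tagged
receive a snapshot record (before and after image of the account balance)
at the moment they are posted; transactions meeting the SCARF criteria
(assumed here: absolute amount over 1,000 or a manual override flag) are
written to a system control audit review file as the system processes
them. Accounts and transactions are constructed.
"""

SCARF_AMOUNT_LIMIT = 1000.0   # assumed auditor-specified criterion

# Constructed ledger balances and the day's transactions.
ACCOUNTS = {"A1": 500.0, "A2": 2500.0}
TRANSACTIONS = [
    {"id": "T1", "account": "A1", "amount": 200.0},
    {"id": "T2", "account": "A2", "amount": -1500.0},                 # exceeds SCARF limit
    {"id": "T3", "account": "A1", "amount": 50.0, "override": True},  # manual override
    {"id": "T4", "account": "A2", "amount": 100.0},
]


class EmbeddedAuditModule:
    """Collects audit evidence while the application runs, without altering it."""

    def __init__(self, tagged_ids, amount_limit=SCARF_AMOUNT_LIMIT):
        self.tagged = set(tagged_ids)      # transaction ids tagged for tracing
        self.amount_limit = amount_limit
        self.snapshots = []                # extended records for tagged transactions
        self.scarf = []                    # SCARF file: records meeting audit criteria

    def observe(self, txn, before, after):
        """Called by the application once per posted transaction."""
        if txn["id"] in self.tagged:
            self.snapshots.append({"txn": txn["id"], "account": txn["account"],
                                   "before": before, "after": after})
        reasons = []
        if abs(txn["amount"]) > self.amount_limit:
            reasons.append("amount over limit")
        if txn.get("override"):
            reasons.append("manual override")
        if reasons:
            self.scarf.append({"txn": txn["id"], "account": txn["account"],
                               "amount": txn["amount"], "reasons": reasons})


def process_transactions(accounts, transactions, eam):
    """Client posting routine (simplified) with the audit module embedded."""
    balances = dict(accounts)
    for txn in transactions:
        before = balances[txn["account"]]
        balances[txn["account"]] = round(before + txn["amount"], 2)
        eam.observe(txn, before, balances[txn["account"]])   # hook on the processing path
    return balances


if __name__ == "__main__":
    eam = EmbeddedAuditModule(tagged_ids={"T1", "T4"})
    print(process_transactions(ACCOUNTS, TRANSACTIONS, eam))
    print("snapshots:", eam.snapshots)
    print("SCARF:", eam.scarf)
```

The module only observes: it receives the before and after images from the posting routine and never writes back to the balances, which is what lets the evidence it collects stand independently of the application's own output.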
Auditing Using Client's Computer: Tracing Real Data
- Provides direct confirmation that controls functioned as prescribed
- Weaknesses of approach
  - Actual transactions selected may not trigger all of the controls; in fact, finding actual transactions to test every control may not be possible
  - May be disruptive to client's operation
  - Difficult to verify that program tested is program normally used
  - Difficult to verify that procedures used during test are procedures normally employed
  - Auditor needs to understand IT operations
Auditing Using Client's Computer: Using Simulated Data
- Strengths
  - Auditor can reduce substantially the number of records that have to be processed (one record can test several controls)
  - Permits testing of every control
- Weaknesses
  - Only those conditions known to exist can be tested
  - Same program and procedures questions as in processing real data
  - Removal of simulated data from client's records
- Verify that no amounts, accounts, or transaction types are omitted
- Verify pricing, extensions, and other valuation procedures
- Verify account coding and classification
- Verify proper time period recording
- Test subsidiary records footing and reconciliation to control account balances
- Test data or test record approach
  - Simulated data is controlled and processed separately from real data
  - Output is compared to auditor-calculated output
- Integrated test facility (ITF)
  - Simulated data is assigned a special code to distinguish it from real data
  - Simulated data is integrated with real data and processed in normal course of business
  - Weakness - simulated data may be processed differently than real data
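The integrated test facility described above, together with the test-data shortcomings listed under "Techniques for auditing with use of the computer" (accidental integration of fictitious and actual data), as an added worked example (not the deck's code): simulated transactions carrying a special code are posted by the same routine and in the same run as real ones, checked against the auditor's predetermined results, and then purged so the client's master file and control total are unaffected. The "ITF-" customer-id prefix, the credit-limit control, the customers and the transactions are assumptions constructed for illustration.

```python
"""Integrated test facility (ITF) over a receivables posting run.

Added example, not the deck's code: the auditor's simulated transactions
carry a special code (an assumed customer-id prefix "ITF-"), are posted by
the same routine and in the same run as the real transactions, are checked
against the auditor's predetermined results, and are then purged so the
client's master file and control total are unaffected. The posting routine,
credit limit, customers and transactions are all constructed.
"""

ITF_PREFIX = "ITF-"     # assumed special code marking simulated records
CREDIT_LIMIT = 5000.0   # assumed application control in the client's program

# Constructed master file including the auditor's dummy customers.
MASTER = {"C001": 1200.0, "C002": 4800.0, "ITF-01": 0.0, "ITF-02": 4900.0}

# Constructed transaction file: simulated records interleaved with real ones.
TRANSACTIONS = [
    {"cust": "C001", "amount": 300.0},
    {"cust": "ITF-01", "amount": 250.0},   # simulated: should post normally
    {"cust": "C002", "amount": 150.0},
    {"cust": "ITF-02", "amount": 200.0},   # simulated: should hit the credit limit
    {"cust": "ITF-03", "amount": 10.0},    # simulated: customer does not exist
]

# Auditor's predetermined results: expected status and resulting balance.
PREDETERMINED = {
    "ITF-01": ("posted", 250.0),
    "ITF-02": ("rejected", 4900.0),
    "ITF-03": ("rejected", None),
}


def post_batch(master, transactions):
    """Client's posting routine (simplified): existence check, then credit limit."""
    balances = dict(master)
    log = []   # (customer, status, reason)
    for txn in transactions:
        cust = txn["cust"]
        if cust not in balances:
            log.append((cust, "rejected", "unknown customer"))
            continue
        new_balance = round(balances[cust] + txn["amount"], 2)
        if new_balance > CREDIT_LIMIT:
            log.append((cust, "rejected", "credit limit exceeded"))
            continue
        balances[cust] = new_balance
        log.append((cust, "posted", ""))
    return balances, log


def evaluate_itf(balances, log):
    """Compare each simulated record's outcome with the predetermined result."""
    mismatches = []
    for cust, (expected_status, expected_balance) in PREDETERMINED.items():
        actual_status = next((status for c, status, _ in log if c == cust), None)
        actual_balance = balances.get(cust)
        if (actual_status, actual_balance) != (expected_status, expected_balance):
            mismatches.append({"cust": cust,
                               "expected": (expected_status, expected_balance),
                               "actual": (actual_status, actual_balance)})
    return mismatches


def purge_itf(balances, log):
    """Strip simulated records before the file is returned to the client."""
    clean_balances = {c: b for c, b in balances.items() if not c.startswith(ITF_PREFIX)}
    clean_log = [entry for entry in log if not entry[0].startswith(ITF_PREFIX)]
    return clean_balances, clean_log


def control_total(balances):
    """Footing of real customer balances, excluding any ITF records still present."""
    return round(sum(b for c, b in balances.items() if not c.startswith(ITF_PREFIX)), 2)


if __name__ == "__main__":
    balances, log = post_batch(MASTER, TRANSACTIONS)
    print("ITF mismatches:", evaluate_itf(balances, log))
    clean_balances, clean_log = purge_itf(balances, log)
    print("control total after purge:", control_total(clean_balances))
```

Because the simulated records carry the special code, the purge and the control total can both exclude them mechanically; the control total is agreed before and after the purge to show that the real balances were neither disturbed by the ITF records nor lost with them.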
Generalized Audit Software
- Off-the-shelf software that allows examination of client data on auditor's computer
- Information systems vary widely between clients
  - Hardware and software environments
  - Data structures
  - Record formats
  - Processing functions
- GAS developed specifically to accommodate a wide variety of hardware and software platforms
- Allows auditor to quickly modify audit approach as audit objectives change
- Allows auditors relatively unskilled in computer systems to audit effectively in an electronic environment
Functional Capabilities of GAS
- File access
- File reorganization (sorting and merging)
- Filtering (Boolean operators: =, >=, <=, <>, AND, OR, etc.)
- Statistical (sample selections)
- Arithmetic
- Stratification
- File creation
- Reporting
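The GAS capabilities listed above, and the "Common Audit Software Functions" slide earlier (verifying extensions and footings, comparing data on separate files, selecting audit samples), as an added worked example that is independent of the products the deck names (ACL, IDEA, SAS, CA-Easytrieve): file access, extension and footing verification, Boolean filtering, stratification, a cross-file comparison and a systematic sample over constructed invoice and customer files. File contents and band limits are assumed values.

```python
"""Generalized-audit-software style routines over a receivables invoice file.

Added example, independent of the products the deck names (ACL, IDEA, SAS,
CA-Easytrieve): it shows the functions listed on the slides (file access,
verifying extensions and footings, filtering with Boolean conditions,
stratification, comparing data on separate files, sample selection) over
constructed invoice and customer files. File contents and band limits are
assumed values.
"""
import csv
import io

# Constructed client files as downloaded to the auditor's machine.
INVOICE_FILE = """invoice,customer,qty,unit_price,extension
1001,C001,10,12.50,125.00
1002,C002,3,99.99,299.97
1003,C003,7,20.00,150.00
1004,C001,1,4500.00,4500.00
1005,C004,2,75.00,150.00
"""
CUSTOMER_FILE = """customer,name
C001,Acme
C002,Baker
C003,Cole
"""


def read_file(text):
    """File access: parse a delimited file into records."""
    return list(csv.DictReader(io.StringIO(text)))


def verify_extensions(rows):
    """Re-extend every line; return (invoice, recorded, recomputed) where they differ."""
    bad = []
    for r in rows:
        recomputed = round(int(r["qty"]) * float(r["unit_price"]), 2)
        if abs(recomputed - float(r["extension"])) > 0.005:
            bad.append((r["invoice"], float(r["extension"]), recomputed))
    return bad


def foot(rows, col="extension"):
    """Footing: independent column total to agree to the client's control total."""
    return round(sum(float(r[col]) for r in rows), 2)


def filter_rows(rows, predicate):
    """Filtering: keep records satisfying a Boolean condition (=, >=, <>, AND, OR)."""
    return [r for r in rows if predicate(r)]


def stratify(rows, upper_bounds, col="extension"):
    """Stratification: count and total by amount band; the last band is open-ended."""
    bounds = [float(b) for b in upper_bounds] + [float("inf")]
    strata = {}
    for r in rows:
        amount = float(r[col])
        for i, ub in enumerate(bounds):
            if amount <= ub:
                label = f"<= {ub:g}" if i < len(bounds) - 1 else f"> {bounds[i - 1]:g}"
                count, total = strata.get(label, (0, 0.0))
                strata[label] = (count + 1, round(total + amount, 2))
                break
    return strata


def unmatched_customers(rows, master_rows):
    """Comparing data on separate files: invoice customers absent from the customer master."""
    known = {m["customer"] for m in master_rows}
    return sorted({r["customer"] for r in rows if r["customer"] not in known})


def systematic_sample(rows, size, start=0):
    """Sample selection: every k-th record from a starting point."""
    interval = max(len(rows) // size, 1)
    return [r["invoice"] for r in rows[start::interval]][:size]


if __name__ == "__main__":
    invoices = read_file(INVOICE_FILE)
    customers = read_file(CUSTOMER_FILE)
    print("extension errors:", verify_extensions(invoices))
    print("footing:", foot(invoices))
    print("large invoices not from C002:", [r["invoice"] for r in filter_rows(
        invoices, lambda r: float(r["extension"]) >= 150 and r["customer"] != "C002")])
    print("strata:", stratify(invoices, [200, 1000]))
    print("customers not on master:", unmatched_customers(invoices, customers))
    print("sample:", systematic_sample(invoices, 2, start=1))
```

Each routine works on the downloaded file alone, which is the point the deck makes about GAS: the auditor re-performs extensions, footings and file matching on the auditor's own machine instead of relying on the client's processing to report on itself.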
Available CAATs
- CA-Easytrieve (Computer Associates)
  - Works in UNIX or LAN (primarily mainframes)
  - Uses a background language similar to COBOL
- SAS
  - Statistical analysis
  - Data mining
- ACL
- IDEA
Electronic Workpapers
- Electronic working papers
  - Standardizes audit forms and formats
  - Improves quality and consistency
  - Coordinates efforts
  - Can centralize management efforts
Centralized vs. Distributed Systems
- Some activities should remain centralized
- DDP is more expensive but can add efficiencies over straight client-server approach
- Data can be distributed in different ways
- May raise security issues
- Auditor must question how each site is secured
- DDP may be partitioned or replicated
- DDP requires concurrency control
End Ch 3