AUDITING IN THE DATA PROCESSING ENVIRONMENT - THE EVOLVING ROLE OF THE INTERNAL AUDITOR A Thesis Presented to The School of Business Quinnipiac College In Partial Fulfillment
of the Requirements for the Degree Master of Business Administration
by
Jatin M Patel April 1988
Trang 2UMI Number: 1414101 ® UMI UMI Microform 1414104
Copyright 2003 by ProQuest information and Learning Company All rights reserved This microform edition is protected against
unauthorized copying under Title 17, United States Code
ProQuest Information and Learning Company 300 North Zeeb Road
Trang 3APPROVAL PAGE
AUDITING IN THE DATA PROCESSING ENVIRONMENT - THE EVOLVING ROLE OF THE INTERNAL AUDITOR
This thesis is approved as a creditable and independent investigation by a candidate for the degree of Master of Business Administration, and is acceptable as meeting the thesis requirements for this degree, but without implying that the conclusions reached by the candidate are neces- sarily the conclusions of the major department
Trang 4ACKNOWLEDGEMENTS
I wish to express my appreciation to Dr Vincent Celeste for his guidance, assistance and patience in the completion of this project
Trang 5TABLE OF CONTENTS
CHAPTER page
INTRODUCTION ° ° e ° s e ° e ° e e e e e e s ° e e e ° 1
THE TRADITIONAL ROLE OF THE INTERNAL AUDITOR - 4
IMPACT OF EDP ON THE INTERNAL AUDIT FUNCTION - 8
THE GROWING GAP e e e e e e s ° e ° e ° e e ° e ° e s ° 1 9
CONCLUS ION e e s ° ° e ° s e ° ° e e e a s s ° bu ° e e 3 0
REFERENCES e e e 6 e e ° e ° a e ° ° e ° e s e a s e e 33
Trang 6TNTRODUCTION
Rapid economic growth within the past two or three decades has resulted in a tremendous expansion o£ the world markets and products This growth has brought about a widespread expansion in the business activities within the confines of various nations, as well as across the borders of these nations This widespread expansion has brought about a dramatic change in the day to day operations of a business enterprise which has resulted in increasingly complex information requirements on the part of management in order to operate most efficiently
Coupled with this widespread economic growth, governmental and legislative regulations and regulatory reporting requirements have increased significantly, thereby, magnifying the complexity of managements informa- tion requirements
Trang 7for it to plan, evaluate and control the various activities of its organization effectively
It is clearly evident from the comments above, that computers have become a mainstay of the informational requirements of a business enterprise " The various business records that are maintained today on a computer may constitute virtual ‘information assets' of the organization The very existence of the organization is heavily reliant upon the safety and preservation of these ‘information assets'" 1,
The tremendous increase in management's dependence upon data-processing for meeting its day to day information requirements for effective management control and strategic planning functions has resulted in widespread concern about the ability of the data-processing system to generate the requisite information with continuing accuracy, completeness and , most important of all, on a timely basis This is where the Internal Auditor comes into play Management relies upon the Internal Auditor to evaluate the efficiency and accuracy of available management resources With the advent of EDP, the importance of the Internal Audit function has increased tremendously Today, management relies upon the Internal Auditor to evaluate and verify the effective- ness of the data-processing system and its ability to
1 Mair, William C.; Wood, Donald R.; & Davis,
Trang 9THE TRADITIONAL ROLE OF THE INTERNAL AUDITOR
Auditing has been defined as " the examination of information by a third party other than the preparer or the user with the intent of establishing its reliability and the reporting of the results of this examination with the expectation of increasing the usefulness of the information to the user" 2 Traditionally, the role of the Internal Auditor was similar to that of the External Auditor The Internal Audit function was limited to financial audits, i.e = evaluation and verification of the completeness and accuracy of financial statements However, with the revela- tions of illegal corporate activities and large scale frauds and bankruptcies, top level management showed a greater interest in broadening the scope of the Internal Audit function There was a greater awareness that the Internal Audit function was a very effective management tool that could assist management in the fulfillment of their respon- sibilities for controlling corporate activities and stemming the advent and growth of illegal and unethical behavior As a result, the scope of the Internal Audit function broadened to include operational or non-financial auditing along with the traditional financial auditing The Internal Auditor became responsible for the implementation and evaluation of
2 Porter, Thomas W & Burton, John C : Auditing : AConceptual Approach (Wadsworth Inc., Belmont, CA, 1971)
Trang 10internal controls and internal checks to ensure compliance with company policies and procedures, evaluation of reports and the system of reporting in both the financial and non-financial areas, evaluation of the quality of management performance to ensure that management is utilizing available company resources most efficiently and in the most economic manner The Internal Auditor also became responsible for making recommendations to management to make changes or implement new systems and procedures in both financial and non-financial areas of corporate activity
During this period of growth in the scope of the Internal Audit function, the corporate environment was being gradually influenced by the evolution of EDP In the late fifties and early sixties, there were relatively few computers being utilized in business enterprises However, starting from the earlier part of the sixties, there has been a tremendous increase in the number of computers in
use "At the end of 1973, 133,000 computers valued at almost
$30 billion were in use The number of installed computers was estimated to grow to 500,000 by 1978 with a projected value of over $50 billion."3 Coupled with the increase in the use of computers was the increase in managements reliance upon EDP, as discussed earlier The increase in management's recognition of the tremendous potential of the
3 Mair,William C.; Wood, Donald R.; & Davis,
Trang 11computer in the promotion of operational efficiency and effective decision making generated a resultant increase in the number of applications and procedures that were come- puterized With the introduction of the computer into the business environment, the inherent risks associated with the use of a computer were also introduced However, the Internal Audit function during this period of EDP expansion was not able to keep pace with the introduction of the new technologies and applications Until recently most Internal Auditors preferred "auditing around the computer" which involved reviewing the systems and procedures related to the feeding of data into the EDP system and reviewing and verifying the completeness and accuracy of the resultant computer output They felt that auditing the various controls that were external to the EDP system would provide them with sufficient evidence that the system was function- ing effectively, rather than getting directly involved with the verification of controls within the EDP systems
Trang 13IMPACT OF EDP ON THE INTERNAL AUDIT FUNCTION
The advent of computers has had a tremendous impact on the business organization as a whole and the Internal Audit function in particular The introduction of computers into the business environment has proved very beneficial to the corporate structure Computers have come to be considered an essential part of the business environ- ment The increased use of computers in the business environment is largely attributable to the rapid growth and diversification in managements information requirements coupled with the increase in government regulatory reporting requirements As a result of the aforementioned information requirements, management has become increasingly reliant upon EDP to plan, evaluate and control the activities of the organization in an effective manner
This tremendous increase in management's depen- dence upon EDP has resulted in the following :
" (a) Increased computer usage
(b) Increased use of data communication facilities
(e) New data=processing application areas
(d) Distributed data-processing
(e) Integrated computer application systems
(f) Centralized shared data files "4
4 Stanford Research Institute : Systems Auditability & Control Study - Data-Processing Audit Practices Report (Institute of Internal Auditors Inc., FLA,
Trang 14The increased use of computer systems can best be appreciated by considering the number of computer systems installed in business organizations within the past few
years "At the end of 1973, 133,000 computers valued at
almost $30 billion were in use The number of installed computers was estimated to grow to 500,000 by the end of
1978 with a projected value of over $50 billion."9
The widespread geographic distribution of business activity can largely be attributed to the advent of high speed data communication facilities At the same time, it can be emphatically stated that this geographic growth and the sustenance of this growth is largely attributable to the use of these data communication facilities The significant increase in the use of data communication facilities has been evidenced by the fact that "while in 1970, only 25 % of the general purpose computers installed were equipped with data communication terminals, by 1975, 54% of the general purpose had terminals."6
1977)
2 Mair, William C.; Wood, Donald R.; & Davis;
Keagle W.: Computer Control & Audit (Institute of Internal Auditors Inc., FLA, 1976)
Trang 15The increase in the usage of computer systems and data communication facilities combined with rapid economic growth have resulted in the development of new data-process- ing application areas that were unheard of even a decade or two ago Some examples of these new application areas are Electronic Fund Transfers, Automated Bank Teller Machines, Retail Point of Sale terminals
The concept of distributed data-processing involves decentralization of data-processing activities The advent of high speed, low cost mini-computers is largely responsible for this concept gaining favor with management because of the various advantages it has to offer over totally centralized data-processing facilities
Rapid technological changes have resulted in integrating data-processing procedures such that a single transaction entered into a computer system automatically is processed by all computer application systems that are affected by that transaction Eg : When a person operates terminal keys in a specified order, the following transac- tions will automatically be performed - order entry, updating of inventory records, preparation of customer billings, preparation of shipping documents, updating of accounts receivable and updating of customers records
The concept of a data base, also referred to as a centralized shared data file, has been instrumental in the advent and growth of integrated data-processing applica-
Trang 16tions "The data base concept is to capture and maintain data in a single central file, which can be accessed by those programs that have a need for specific data elements In the past, each application was designed around its own files The same data elements would occur in different files, and would even have different values because of inconsistent processing procedures and/or schedules".? The development of centralized files has resulted in the elimination of redundancy and also in the arrangement of the various data files in a more logical sequence based on their computer application systems
The above discussion clearly describes how computers have become a mainstay in today's business environment However, any new venture that a business undertakes has its associated risks The primary risk associated with a computer system is the risk of error or omission According to a mail survey conducted by the Stanford Research Institute, - “loss from errors and omissions is one of the most frequently reported concerns of both data-processing managers and internal auditors."8
T Stanford Research Institute : Systems
Auditability & Control Study - Data-Processing Audit Practices Report (Institute of Internal Auditors Inc., FLA, 1977
8 Stanford Research Institute : Systems
Auditability & Control Study - Data-Processing Audit ony) Report (Institute of Internal Auditors Inc., FLA, 1977
Trang 17It is very imperative to recognize the fact that while computers are highly reliable to perform given functions, they only do what they are programmed to do and they function with information that is provided by humans An error in programming or an error or omission in providing input could prove catastrophic and could result in a loss that could add up to millions of dollars Consider the following example
" A manufacturing company converted its inventory control system from a manual system to a com- puterized one They were pleasantly surprised but somewhat perplexed when the reported inventory increased by approximately $1 million Subsequent investigation eventually disclosed that the instruction manuals for their product were classified under the same part number as the machine they described The 50 manuals in stock
were treated by the computer as also being worth
$20,000 aviece."9
It is clearly evident that a small error such as the one mentioned above resulted in inflating the company's assets by $1 million, which could have been catastrophic had it not been detected in time Thus, we see, that, while computers can be highly beneficial on the one hand, on the other hand, a minor flaw or error in the program or data can prove to be disastrous The key to utilizing the computer most effectively is harnessing its power with the implemen- tation of effective checks and controls to minimize the risk of loss
9 Mair, William C.; Wood, Donald R.; & Davis,
Keagle W : Computer Control & Audit (Institute of Internal
Auditors Inc., FLA,1976)
Trang 18In order to understand better the Internal Audit function, one must understand the concept of Internal Controls The American Institute of Certified Public Accountants has defined internal control as : "The plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to pre-
scribed managerial controls" 10
In simple terms, internal controls are procedures implemented within a business organization that:
(a) Safeguard the assets of the business
(b) Ensure the accuracy, reliability, completeness and timeliness of all business transactions, records and reports (both manual and computerized)
Trang 19(e) Evaluate management control and performance to
ensure management is utilizing available company resources in the most effective and efficient
manner
The implementation of internal controls is an absolute necessity in today's business environment They play a significant role in the prevention, reduction and detection of business risks or exposures Some of these business risks or exposures are as follows
(1) Erroneous record keeping or reporting (2) Fraud, theft or embezzlement
(3) Business interruption due to loss or destruction of information or assets
Internal auditors play a significant role in as much as they reduce business losses by the prevention, reduction or detection of the above business risks or exposures
The primary objective of the Internal Audit function is the evaluation and verification of these internal controls together with the evaluation and verifica- tion of data-processing results The Internal Auditor's review and evaluation of these internal controls provides assurance of the integrity of financial records and also
Trang 20assists them in determining areas of weakness within the corporate structure
Traditionally, prior to the advent of EDP, the system of record keeping, data-processing and reporting was on a manual basis and the internal controls in effect at that time proved efficient and effective However, with the advent of EDP, traditional internal controls are no longer as effective as they were prior to the introduction of computers into the business environment Traditional controls have been revised and have taken on new forms to accommodate EDP In order for one to comprehend the evolving role of the Internal Auditor in the EDP environment, one must appreciate the changes in internal control which have been brought about by EDP
Controls are introduced in order to accommodate the prevention, reduction and detection of business risks and exposures While the introduction of EDP in the business environment does not bring about any changes in the basic concepts of controls, it does result in changes in the effectiveness of these controls and their implementation
The introduction of EDP results in more and more information being stored on machine readable mediums such as magnetic disks or tapes Records maintained on these storage devices are not readable in their natural state and require special procedures As a result, several changes occur in the traditional audit trail, which consists of documents,
Trang 21books and work-papers that enable an internal auditor to trace the occurrence and recording of a business transac~ tion
The introduction of EDP results in the reduction, or, in some cases, the elimination of certain documents ordinarily employed in a manual system Traditionally, where transactions were supported by some sort of documen- tary evidence such as signatures or initials or hard copy documents, today fewer and fewer visible documents exist They have been gradually replaced by machine-readable files This shift in recording data from paper to machine readable files has its inherent disadvantages Machine-readable records could easily be altered without any trace of evidence, thereby making a business organization easily susceptible to fraud, theft and embezzlement Further, the detection of alterations made to machine-readable data is very difficult and in certain instances virtually impossible
Computerization has resulted in the integration of accounting data and records Integration results in reducing redundant data and the centralization of data files The database concept has resulted in gathering data with similar elements and arranging it in a logical sequence in a single central file accessible to all user departments As a result of this integration, there occurs a shift in the points at which controls are implemented The traditional internal
Trang 22controls which relied on segregation of duties and supervision are no longer effective within the EDP environment The introduction of EDP has resulted in additional user departments becoming involved in a process, where only one department existed before, thereby resulting
in the diffusion of supervisory controls
Further, the introduction has resulted in the implementation of various processing controls within application programs themselves Carefully prepared and controlled computer programs will generate consistent and accurate processing results, while, on the other hand, if the computer programs contain errors or lack effective controls, a business organization could end up with erroneous processing results As a result, introduction of input, processing and output controls is a basic necessity in today's EDP environment
It is clearly evident from the preceding discussion that, while the fundamental concepts of internal controls remain the same, the effectiveness of traditional controls is considerably minimized with the introduction of EDP in the business environment There is an urgent need to restructure the system of internal controls in order for them to be effective in the reduction, prevention and detection of business risks and exposures One of the key groups that is responsible for the proper implementation and structuring of internal controls is that of the Internal
Trang 23Auditor The Internal Auditor is an integral part of the internal accounting control system of a business organization He is responsible for ensuring that the objectives of an internal accounting control system are achieved
The computerization of the accounting system has significantly affected the Internal Auditor and the work performed by him Changes in the record keeping system, audit trails, source documents, introduction of internal controls within computer programs, introduction of new input and output controls, the concentration of data-processing activities, etc., have all necessitated the Internal Auditor to re-evaluate the traditional auditing procedures and internal controls and to adopt new procedures and controls that are more effective and efficient within the EDP environment The Internal Auditor is required to familiarize himself with the concept of EDP and the controls synonymous with EDP in order to effectively evaluate the internal control system with the use of computers in the auditing process
Trang 24THE GROWING GAP
Rapid economic growth and an increase in the complexity of government and legislative regulation and regulatory reporting requirements have resulted in management becoming increasingly reliant upon EDP to meet its vast and complex information requirements With the increase in the complexity of managements information requirements, newer computer application systems are being developed to handle the various business functions Developments in the area of computer application systems have kept pace with changes in managements information requirements EDP systems have easily developed to meet almost every management need This growth within the EDP area of a business organization has brought about resultant changes in the internal control of audit procedures of the organization which are of significant importance in order to ensure the continued accuracy, completeness and timeliness of the information generated by the EDP department However, the Internal Audit function, which is considered the guardian of these internal controls, has not been able to keep pace with the recent developments in EDP; and there appears to be a widening gap between EDP and the Internal Audit function This widening gap is a cause of great concern to management If this gap keeps widening, the results could be catastrophic The very integrity and
Trang 25security of the management information system is at stake Lack of effective controls and audit procedures could result in inaccurate, untimely or incomplete information being generated It would also provide a haven for white collar crime, increasing the incidence of computer fraud, theft and embezzlement
There is a growing need for management to re-evaluate the Internal Audit function and to take the necessary steps to protect the integrity and security of the information system Some of the areas in which changes in procedures and policies need to be implemented are discussed below :
(1) Internal Control
Internal controls are becoming increasingly important in the EDP environment to ensure the accuracy, timeliness and completeness of information, as well as to ensure the physical security of business assets In the past, very little, if any, attention was given to internal controls within the EDP environment Recent surges in the occurrences of computer errors, losses, fraud, theft, etc that have been reported in the media have been instrumental in increasing the importance of internal controls
There is an urgent need to integrate traditional controls with newer controls that have been designed for EDP systems The Internal Auditors have showed a tendency to
Trang 26avoid getting involved during the implementation of computer controls, primarily due to the lack of knowledge of EDP, in general, and computer programming in particular On the other hand, end users and system designers have paid very little attention to controls when implementing a system As a result, millions of dollars have been spent on developing sophisticated application systems that lack adequate controls
Further, during pre-installation testing of computer application systems, the Internal Auditors have been minimally involved Traditionally, pre-installation testing has been conducted with end-users and data-processing personnel only As a result, there have been several instances where the scope of such testing has been compromised to maintain project schedules, thereby, resulting in the implementation of ineffective controls Also, quite often, such testing is conducted by the same group of people who are instrumental in the development of the application system This would negate the very purpose of independent testing to ensure accuracy
Post-installation review of the computer application system is equally important as pre-installation testing to ensure continued reliability and accuracy of processing results Traditionally, Internal Auditors have chosen to accept controls internal to the system, as they are They restricted the scope of their audits to reviewing
Trang 27systems and procedures related to the feeding of data into the computer system and reviewing and verifying the accuracy and completeness of the resultant computer output They felt that if the external controls proved effective, the internal computer controls could automatically be considered reliable This system of auditing has been termed "auditing around the computer" However, the recent rise in the incidence of computer crime and fraud have led management and the internal auditors to re-evaluate their outlook Management is gradually recognizing the fact that the procedure of "auditing around the computer" has considerably restricted the scope of the Internal Auditor and is inadequate, and that there is an urgent need to widen the scope of Internal Audit to include steps to review and verify the procedures and controls which are internal to the EDP system This form of post-installation review plays a significant role in the verification of computer application procedures, internal calculations, control routines, etc., Further, it ensures that these computer procedures and controls have not become obsolete as a result of growth or other changes in the organizational environment
(2) Greater Internal Audit Involvement
Traditionally, the Internal Auditors have tended to participate minimally in all phases related to the
Trang 28implementation of an EDP system However, in today's business environment, where management is totally reliant on EDP for meeting its information needs and where there has occurred a greater diffusion of responsibilities, the need for the Internal Auditor to become involved in all phases of data-processing is a foregone conclusion in order to ensure the continued accuracy and reliability of data-processing results In the past, millions of dollars have been wasted in terms of operational delays, down time, modification of applications, etc., where Internal Auditors became involved with the data-processing system after a particular application had been installed and inherent weaknesses were determined to exist in these applications Further, as a result of non-involvement of Internal Auditors, several applications have been developed, in the past, which adequately fulfilled the needs of the user departments, but lacked adequate checks and control routines to ensure review and verification of application procedures, thereby, resulting in a greater incidence of errors, omissions, fraud, theft, etc
It is imperative to recognize the fact that computers are designed to perform only those functions that they are programmed for The function of programming is performed by humans and not the computer Further, the computer is designed to process data which is also provided by humans Therefore, the reliability of the computers
Trang 29performance hinges on the reliability of the humans who do the programming and feed the data to the computer The computer follows the long standing principle of "Garbage In - Garbage Out" In other words, improper input will automatically generate improper processing results Further, weaknesses in the application programs will produce unreliable results even though the proper input is provided According to Mair, Wood and Davis, "Logic problems in computer processing do not simply evolve from any natural process They are caused ! The vast majority of the cases are caused by poor or non-existent communications between the data-processing personnel and the other members of the
business organization ".11 They further go on to say that
error rates in programming as high as 30 % are not uncommon Rates as high as 60% have been observed and some of these errors have had catastrophic financial consequences which could amount to millions of dollars
A study conducted, by the Institute of Internal Auditors, on control and audit in a computerized business environment recommends that, "the most powerful use of audit time in a computerized environment is involvement in systems under development".12 One of the supplemental audit
11 Mair, William C,; Wood, Donald R.;& Davis,
Keagle W : Computer Control & Audit ( Institute of Internal Auditors Inc., FLA, 1976)
12 Porter, Thomas W & Perry, William E : EDP Controls & Auditing ( Wadsworth Inc., Belmont, CA, 1981)
Trang 30standards mandated by the United States General Accounting Office (G.A.0.) effective as of January 1, 1980 is : "The auditor shall actively participate in reviewing the design and development of new data-processing systems or applications, and significant modifications thereto, aS a normal part of the audit function".13 " Based on the successful experience of leading organizations visited
during the study, SRI (Stanford Research Institute)
concludes that greater involvement by the internal audit functions in all phases of data-processing is necessary and proper in today's increasingly complex data-processing environment ".14 Based on all these studies and mandates, it is clearly evident that increased participation by the Internal Auditor in practically all phases of the data-processing environment is an absolute necessity to ensure an effective EDP system
(3) Internal Audit Staff Development
The increasing complexity in managements information requirements has revolutionized the Internal Audit function within a business organization The
13 Porter, Thomas W & Perry, William E : EDP
Controls & Auditing ( Wadsworth Inc., Belmont, CA, 1981) 14 Stanford Research Institute : Systems Auditability & Control Study - Data-Processing Audit ones Report (Institute of Internal Auditors Inc., FLA, 1977
Trang 31tremendous developments in the EDP field have led to the emergence of a new type of Internal Auditor - the EDP Auditor " Currently, about 60% of the large U.S corporations have EDP Audit functions However, of those that have an EDP Audit function, more than two-thirds were established since 1970, which indicated that the EDP Audit specialty is a relatively recent phenomenon".15 With computers becoming a mainstay in the business environment, Management has been faced with the painful process of staffing the EDP Audit department within an organization Coupled with the problems of staffing are the problems related to training and retention of the staff
Management has attempted to solve the problem of staffing by using various alternatives, such as, training existing Internal Auditors in the concepts of data-processing and the EDP Audit function, forming a separate EDP Audit staff consisting of data-processing specialists or even a hybrid approach which is a combination of the two approaches above and involves training existing Internal Audit staff on the one hand, and integrating data-processing specialists with the Internal Audit staff, on the other hand All of these alternatives have been tried by many business organizations with mixed results This
15 Stanford Research Institute : Systems
Auditability & Control Study - Data-Processing Audit T0 Report (Institute of Internal Auditors Inc., FLA, 1977
Trang 32process is even more complicated due to the absence of a supply of Internal Auditors proficient in computerese Currently, there are very few, if any, Universities, that offer a comprehensive EDP Audit program designed to train a student thoroughly with the EDP Audit function
Closely linked to the problem of hiring proficient EDP auditors, is the problem of staff training Training is an essential element the quality of the Internal Auditor's job performance However, a U.S Mail Survey conducted by the Stanford Research Institute indicates that about half the large U.S corporations with Internal Auditors have no budget for audit training Almost 90% of those organizations that have such a budget allocate less than 5% of the total
Internal Audit budget for training 16
(4) EDP Audit Tools and Techniques
Since the early 1960's, rapid advancement has been made with EDP within the business organization With the dramatic increase in the complexity of managements information requirements, new data-processing technology and concepts have been developed to meet these ever growing requirements These developments have been in the form of
16 Stanford Research Institute : Systems Auditability & Control Study - Data-Processing Audit hs la Report (Institute of Internal Auditors Inc., FLA, 1977
Trang 33increased use of high-speed data communication facilities, distributed data-processing, integrated application systems, database concept, etc There has occurred a dramatic transition in the system of record keeping from manual systems to automated systems Automation has resulted in bringing about changes in control procedures, thereby, necessitating changes in the role of the Internal Audit function Traditional audit tools and techniques employed by the internal auditor have become obsolete There is an urgent need to develop new tools and techniques Based on a study conducted, the Stanford Research Institute concluded that, " few present internal audit tools and techniques are adequate for verifying the accuracy and completeness of controls being used in computer application systems".17 The Stanford Research Institute has identified 28 EDP Audit tools and techniques used by internal auditors in the performance of their duties According to a mail survey conducted by the Stanford Research Institute, " the most frequently used tools are generalized audit software, manual tracing and mapping, and test decks."18 The Stanford Research Institute also observed that, "although an increasing number of auditors are using the computer, many are still auditing around data-processing While this system of auditing is effective for auditing historical records, it
17 Ibid
18 Ibid
Trang 34has a serious weakness in that it overlooks the possibility that conditions not previously present could occur in the future with unpredictable results."19
This clearly indicates that most of the work done in the area of EDP audit tools and techniques is still in its development stages and the Internal Auditors have a long way to go before they catch up with the rapidly advancing field of EDP Further, the development of adequate tools and techniques is not sufficient in and of itself The Internal Auditors should recognize the potential of the computers and proceed to perform more and more audits "through the computer" rather than "around the computer" The computer can also be used as a tool by the Internal Auditor in the performance of his various duties
19 Ibid
Trang 35CONCLUSION
It is clearly evident from the preceding discussion that there is a pressing need on the part of management to reevaluate the role of the Internal Auditor in the light of rapid technological changes that have occurred in the business environment in general, and the EDP environment in particular Management should take the initiative and provide the members of the organization with proper direction Management should bear the ultimate responsibility for the successful operation of the EDP and Internal Audit functions Some of the steps necessary to assist management in overcoming difficulties associated with EDP Auditing and to ensure a reliable and effective EDP system are as follows :
(1) Redefine the scope of the Internal Audit function
and broaden the scope to include recent changes in
the EDP environment
(2) Clearly establish areas of responsibility within the EDP, Internal Audit and the various user departments of the organization
Trang 36(3) (4) (5) (6) (7)
Issue a mandate requiring members of the EDP and Internal Audit Staff to work in close coordination with each other in order to attain company goals
and objectives
Policies should be implemented for increased participation on the part of Internal Auditors in all phases of the EDP function
Steps should be taken to ensure periodic and regular assessments of audit controls and procedures, application systems, control routines, etc to ensure continued reliability and accuracy of the data-processing results
Emphasis should be placed on ensuring that audits are performed "through the computer" rather than "sround the computer" It is imperative that the Internal Auditors fully harness the tremendous potential that computers have to offer
The function of recruiting, training and retaining EDP Auditors should be reevaluated Management should recognize the significance of this element and expend more time, effort and money towards
Trang 37(8)
(9)
ensuring the smooth functioning of this element within the organization
The pressing need for newer audit tools and techniques should be recognized by management and steps should be implemented to encourage the development of new audit tools and techniques - both from within the organization and outside the organization too
Last but not least, management should implement steps towards the formal documentation of EDP Audit activities which can serve as an audit guide or manual for future referencing Steps should be taken to standardize the various audit procedures Management should work in cooperation with the Institute of Internal Auditors in developing EDP Auditing standards similar to the "Generally Accepted Auditing Standards" developed by the AICPA
Trang 38(1) (2) (3) (4) (5) REFERENCES
Mair, William C.; Wood, Donald R.; & Davis, Keagle W.: Computer Control & Audit
(Institute of Internal Auditors Ine., FLA, 1976)
Porter, Thomas W., & Burton, John C Auditing : A Conceptual Approach (Wadsworth
Inc., CA, 1971)
Stanford Research Institute : Systems Auditability & Control Study ~= Data Processing Audit Practices Report (Institute of Internal Auditors Inc., FLA, 1977)
Statements on Auditing Standards
(paragraph- 320.09)
Porter, Thomas W., & Perry, William E : EDP Controls & Auditing (Wadsworth Inc., Belmont, CA, 1981)