Solution manual answers auditing theory by cabrera chapter 22 ans


CHAPTER 22
AUDITING IN A COMPUTER INFORMATION SYSTEMS (CIS) ENVIRONMENT

I. Review Questions

Additional planning items that should be considered when computer processing is involved are:

• The extent to which the computer is used in each significant accounting application.
• The complexity of the computer operations used by the entity, including the use of an outside service center.
• The organizational structure of the computer processing activities.
• The availability of data.
• The computer-assisted audit techniques to increase the efficiency of audit procedures.
• The need for specialized skills.

Understanding the control environment is a part of the preliminary phase of control risk assessment. Computer use in data processing affects this understanding in each of the parts of the control environment as follows:

• The organizational structure – should include an understanding of the organization of the computer function. Auditors should obtain and evaluate: (a) a description of the computer resources and (b) a description of the organizational structure of computer operations.
• Methods used to communicate responsibility and authority – should include the methods related to computer processing. Auditors should obtain information about the existence of: (a) accounting and other policy manuals including computer operations and user manual and (b) formal job descriptions for computer department personnel. Further, auditors should gain an understanding of: (a) how the client’s computer resources are managed, (b) how priorities for resources are determined and (c) if user departments have a clear understanding of how they are to comply with computer related standards and procedures.
• Methods used by management to supervise the system – should include procedures management uses to supervise the computer operations. Items that are of interest to the auditors include: (a) the existence of systems design and documentation standards and the extent to which they are used, (b) the existence
and quality of procedures for systems and program modification, systems acceptance approval and output modification, (c) the procedures limiting access to authorized information, (d) the availability of financial and other reports and (e) the existence of an internal audit function.

Solutions Manual - Assurance Principles, Professional Ethics…

The “audit trail” is the source documents, journal postings and ledger account postings maintained by a client in order to keep books. These are a “trail” of the bookkeeping (transaction data processing) that the auditor can follow forward with a tracing procedure or backward with a vouching procedure. In a manual system this “trail” is usually visible to the eye with posting references in the journal and ledger and hard-copy documents in files. But in a computer system, the posting references may not exist, and the “records must be read using the computer rather than the naked eye.” Most systems still have hard-copy papers for basic documentation, but in some advanced systems even these might be absent.

The audit trail (sometimes called “management trail” as it is used more in daily operations than by auditors) is composed of all manual and computer records that allow one to follow the sequence of processing on (or because of) a transaction. The audit trail in advanced systems may not be in a human-readable form and may exist for only a fraction of a second. The first control implication is that concern for an audit trail needs to be recognized at the time a system is designed. Techniques such as integrated test facility, audit files and extended records must be specified to the systems designer. The second control implication is that if the audit trail exists only momentarily in the form of transaction logs or master records before destructive update, the external auditor must review and evaluate the transaction flow at various times throughout the processing period. Alternatively, the external auditor can rely more extensively
on the internal auditor to monitor the audit trail.

Major characteristics:

• Staff and location of the computer – operated by small staff located within the user department and without physical security.
• Programs – supplied by computer manufacturers or software houses.
• Processing mode – interactive data entry by users with most of the master file accessible for inquiry and direct update.

Control Problems:

• Lack of segregation of duties
• Lack of controls on the operating system and application programs
• Unlimited access to data files and programs
• No record of usage
• No backup of essential files
• No audit trail of processing
• No authorization or record of program changes

Auditing through the computer refers to making use of the computer itself to test the operative effectiveness of application controls in the program actually used to process accounting data. Thus the term refers only to the proper study and evaluation of internal control. Auditing with the computer refers both to the study of internal control (the same as “auditing through”) and to the use of the computer to perform audit tasks.

Both are audit procedures that use the computer to test controls that are included in a computer program. The basic difference is that the test data procedure utilizes the client’s program with auditor-created transactions, while parallel simulation utilizes an auditor-created program with actual client transactions. In the test data procedure the results from the client program are compared to the auditor’s predetermined results to determine whether the controls work as described. In the parallel simulation procedures the results from the auditor program are compared to the results from the client program to determine whether the controls work as described.

The test data technique utilizes simulated transactions created by the auditor, processed by actual programs but at a time completely separate from the processing of actual,
live transactions. The integrated test facility technique is an extension of the test data technique, but the simulated transactions are intermingled with the real transactions and run on the actual programs processing actual data.

User identification numbers and passwords prevent unauthorized access to accounting records and application programs. The transaction log does not prevent unauthorized access but may be reviewed to detect unauthorized access. Even then, responsibility could not be traced to a particular individual without user identification numbers and passwords. The transaction log is more important to establish the audit trail than to detect unauthorized access.

10. Generalized audit software is a set of preprogrammed editing, operating, and output routines that can be called into use with a simple, limited set of programming instructions by an auditor who has one or two weeks intensive training.

11.

Phases | Noncomputer auditor involvement
Define the audit objectively | Primary responsibility
Feasibility | Evaluate alternatives
Planning | Review with computer auditor
Application design | none
Coding | none
Testing | Review final test results, compare to plan
Processing | Actual computer processing – none; Use of results – depends on application
Evaluation | Full responsibility

12. Automated microcomputer work paper software generally consists of trial balance and adjustment worksheets, working paper (lead schedule) forms, easy facilities for adjusting journal entries, and electronic spreadsheets for various analyses.

13. A microcomputerized electronic spreadsheet can be used instead of paper and pencil to create the form of a bank reconciliation, with space provided for text lists of outstanding items (using the label input capability), and math formulas inserted for accurate arithmetic in the reconciliation. Printing such a reconciliation is easy (and much prettier than most accountants’ handwriting!)
14. With either data base or spreadsheet software packages, macros (sets of instructions) can be developed for retrieving data from the working trial balance and converting this data into classified financial statements. If one or more subsidiaries are to be included, the consolidated process can also be automated by the inclusion of special modules designed for that purpose. The standard audit report, as well as recurring footnotes, can be included in the data base, and modified to fit the circumstances of the current year’s audit results.

15. Relational data base packages have all the advantages of spreadsheets, and, in addition, have the capacity to store and handle larger quantities of data. They are especially useful in manipulating large data bases, such as customer accounts receivable, plant assets, and inventories.

II. Multiple Choice Questions

a c c d d d c b 10 11 12 b d b b 13 14 15 16 c a d b 17 b 18 c 19 d

III. Comprehensive Cases

Case

a. Auditing “around” the computer generally refers to examinations of transactions in which a representative sample of transactions is traced from the original source documents, perhaps through existing intermediate records in hard copy, to output reports or records, or from reports back to source documents. Little or no attempt is made to audit the computer program or procedures employed by the computer to process the data. This audit approach is based on the premise that the method of processing data is irrelevant as long as the results can be traced back to the input of data and the input can be validated. If the sample of transactions has been handled correctly, then the system outputs can be considered to be correct within a satisfactory degree of confidence.

b. The CPA would decide to audit “through” the computer instead of “around” the computer (1) when the computer applications become complex or (2) when audit trails become partly obscured and external evidence
is not available. Auditing “around” the computer would be inappropriate and inefficient in the examination of transactions when the major portion of the internal control system is embodied in the computer system and when accounting information is intermixed with operation information in a computer program that is too complex to permit the ready identification of data inputs and outputs. Auditing “around” the computer will also be ineffective if the sample of transactions selected for auditing does not cover unusual transactions that require special treatment.

c. (1) “Test data” is usually a set of data in the form of punched cards or magnetic tape representing a full range of simulated transactions, some of which may be erroneous, to test the effectiveness of the programmed controls and to ascertain how transactions would be handled (accepted or rejected) and if accepted, the effect they would have on the accumulated accounting data.

(2) The auditor may use test data to gain a better understanding of what the data processing system does, and to check its conformity to desired objectives. Test data may be used to test the accuracy of programming by comparing computer results with results predetermined manually. Test data may also be used to determine whether errors can occur without observation and thus test the system’s ability to detect noncompliance with prescribed procedures and methods. Assurance is provided by the fact that if one transaction of a given type passes a test, then all transactions containing the identical test characteristics will – if the appropriate control features are functioning – pass the same test. Accordingly, the volume of test transactions of a given type is not important.

d. In addition to actually observing the processing of data by the client, the CPA can satisfy himself that the computer program tapes presented to him are actually being used by the client to process its
accounting data by requesting the program on a surprise basis from a computer librarian and using it to process test data. The CPA may also request, on a surprise basis, that the program be left in the computer at the completion of processing data so that he can use the program to process his test data. This procedure may reveal computer operation intervention. If, so, ensures that a current version of the program is being audited, an important procedure in computer installations newly installed and undergoing many program changes. To gain further assurance about this matter, the CPA should inquire into the client’s procedures and controls for making program changes and erasing superseded program tapes, and should examine log tapes where available.

Case

a. Document retention

IMPACT ON THE INTERNAL CONTROL SYSTEM: In on-line real time systems and EDI systems, the audit trail is frequently modified in the form of reduced documentation. To compensate, internal controls should provide for adequate input editing, as well as some form of transaction log as documentation at the input stage.

IMPACT ON THE INDEPENDENT AUDIT: In examining internal control, under these circumstances, the auditor must rely more on observation, inquiry, and reprocessing of transactions for control testing purposes, and less on document testing. If documents are retained for only a short period, the auditor should also consider the feasibility of frequent visits for both substantive and control testing purposes.

b. Uniformity of processing

IMPACT ON THE INTERNAL CONTROL SYSTEM: The impact of this internal control characteristic is to generally strengthen control by increasing the consistency of processing. Once the proper controls are installed and tested, processing consistency increases the accuracy of transaction processing over that which exists in manual systems.

IMPACT ON THE INDEPENDENT AUDIT: The auditor must emphasize control study and testing at the point of transaction input and processing to
determine that the necessary controls exist and are functioning. Upon determining that the necessary input and processing controls are in place and functioning properly, the auditor may elect to perform little or no document testing.

c. Concentration of functions

IMPACT ON THE INTERNAL CONTROL SYSTEM: In manual systems, separation of functional responsibilities provides a double-check for the purpose of enhancing processing accuracy. In EDP accounting systems, consistency of processing removes the need for double-check.

IMPACT ON THE INDEPENDENT AUDIT: The auditor must determine that the necessary input editing controls are in place and functioning to ensure that transactions are accurately introduced into the processing stream. Moreover, to ensure checks and balances within the electronic data processing function, the auditor should study the organizational structure of the EDP group to ascertain proper separation among the following functions:

• Systems analysis and design
• Program design, development, and testing
• Computer operations involving data processing
• Distribution of EDP output and reprocessing of errors

d. Access to data bases

IMPACT ON THE INTERNAL CONTROL SYSTEM: The greater the number of input terminals providing access to data bases, and the more integrated the data base, the greater the danger of unauthorized access. To protect the data bases under these circumstances, the internal control policies and procedures should provide for effective control over identification codes and passwords permitting access to data bases; and the control policies should also fix responsibility in designated individuals for specified elements of data bases. In batch systems, access to magnetic tape and disk files and programs should be secured by assigning responsibility over these files to one or more individuals designated as “librarians,” and instituting a formal “checkout” system for releasing and reacquiring
files and programs.

IMPACT ON THE INDEPENDENT AUDIT: The auditor should determine that proper control over I.D. codes and passwords exists, that codes and passwords are changed frequently and voided upon termination of employment, and that responsibility for elements of data bases has been appropriately fixed. In batch systems, the auditors should determine that tape and disk files and programs stored off-line are properly secured.

Case

a. Test data approach: The auditor prepares simulated input data (both valid and invalid transactions) that are processed, under the auditor’s control, by the client’s processing system.
Advantage: A good way of testing existing controls for proper functioning.
Disadvantage: Difficulty in designing comprehensive test data; difficulty in ascertaining whether the programs tested are the same programs used by the client in processing actual transactions and events during the year.

ITF approach: The auditor creates a fictitious entity within the client’s actual data files, and processes simulated data during live processing by client. The auditor then compares the results of processing with anticipated results.
Advantage: Greater assurance that programs tested are programs used by the client (the approach can be applied at different points in time during the year).
Disadvantage: Difficult to remove test data from the system without harming client’s files.

Tagging and tracing: This is a technique whereby an identifier or “tag” is affixed to a transaction record; and the tag triggers “snapshots” during the processing of transactions. Following the tagged transactions through the system permits the auditor to evaluate the logic of the processing steps and the adequacy of programmed controls.
Advantage: The use of actual data eliminates the need for removing data from the client’s processing system.
Disadvantage: The auditor analyzes the transactions only after processing is completed.
SCARF: A systems control audit review file is an audit log used to collect information for subsequent analysis and review. An imbedded audit module monitors selected transactions as they pass by specific processing points. The module then captures the input data so that relevant information, accessible only by the auditor, is displayed at key points in the processing system.
Advantage: Utilizes real- rather than simulated-transaction data, and does not require reversing the entries.
Disadvantage: Does not necessarily capture erroneous data.

Surprise audit: The auditor, on an unannounced basis, requests copies of client’s programs, and compares them with auditor’s copy of authorized versions.
Advantage: Assists the auditor in determining whether client personnel are using authorized versions of programs in processing data.
Disadvantage: Auditor may not always be notified by the client when program changes are made, thus making the comparison irrelevant.

b. Inasmuch as each of the above alternatives has distinct advantages and disadvantages, a combination approach overcomes the disadvantages resulting from using a single approach. Using ITF, for example on a few simulated transactions, while applying the tagging and tracing or SCARF approach for numerous actual transactions, provides effective testing of control procedures for error prevention and detection, without requiring the reversal of a large number of simulated transactions from the client’s system.

c. In auditing around the computer, the auditor predetermines the processing results (output) of selected input data, and compares the predetermined results with actual computer output. The advantage of this approach is its ease of application; a significant disadvantage is that the auditor gains no understanding of how the computer processes data, nor of the controls which have been incorporated into the computer programs. In auditing through the computer, the
auditor actually tests the programmed controls used in processing specific applications. Such techniques as design phase auditing, ITF, tagging and tracing, SCARF, test data, and surprise audit are examples of auditing through the computer.

d. Parallel simulation is an automated version of auditing around the computer in that the auditor creates a set of application programs that simulate the processing system, and compares output from the real and simulated systems. Comparison of input with output ignores the essential characteristics of the processing system and assumes that if the outputs are identical, the system is processing transactions accurately. The auditor might elect to use parallel simulation in combination with design phase auditing. Design phase auditing ensures that the necessary controls are installed during system design. By permitting the auditor to test large volumes of transactions, parallel simulation helps to confirm whether these controls are working.

Case

(a) Test decks, also called “test data,” are sets of computer input data which reflect a variety of auditor-identified transactions for verification through actual computer processing to detect invalid processing of results (i.e., existing programs run test data). Ideal test data should present the application under examination with every possible combination of transactions, master file situations, and processing logic which could be encountered during actual comprehensive processing. Test data are usually processed separately from actual data using copies of master files. Test decks are most feasible when the variety of transactions processing and controls is relatively limited (i.e., fairly simple files). Uses include checking and verifying: (1) input transaction validation routines, error detection, and application system controls, (2) processing logic, and controls associated with creation and maintenance of master files, (3)
computational routines such as interest and asset depreciation, and (4) incorporation of program changes.

(b) Parallel simulation consists of the preparation of a separate computer application that performs the same functions as those used by the actual application programs. The simulation programs read the same input data as the application programs, use the same files, and attempt to produce the same results (e.g., real data run through test programs). These simulated results are matched with those from the live programs, providing a means for testing through comparison. Uses include all those cited for test decks.

(c) The integrated test facility approach permits the introduction of auditor-selected test data into a computer system with actual or “live” data and then traces the flow of transactions through the various system processing functions for comparison to predetermined actual results. An ITF involves the creation or establishment of a “dummy” entity (e.g., a branch or division) to receive the results of the test processing. Therefore, transactions are processed against the test entity together with actual transactions. Test data must be removed from the entity’s records upon completion of the test. Uses are identical to the test deck technique.

(d) Tagging and tracing and SCARF are forms of transaction tracking provided only for auditor selected computer inputs carrying a special code. If the capability is provided in the application system in advance, the attachment of a code to any input transaction can be made to generate a printed transaction trail for that item following each step of the application processing. Uses include: (1) determining the impact of specific transactions on master records or calculations in high volume systems, (2) “flagging” unusual or abnormal transactions, and (3) “debugging” application programs.

Case

In an audit of a computer-based system, adequate training and
experience must be directly related to EDP. In particular, the auditor should be knowledgeable of what computer systems do, how to test the operations of an EDP system, and how to use EDP-unique documentation.

The training and proficiency standard contributes to satisfaction of the independence standard by enabling the auditor to make his own decisions and judgments. Otherwise, he might tend to subordinate his judgment to other persons, possibly to client personnel. When the auditor lacks training and proficiency, it is virtually impossible to maintain an operational independence over audit decisions. An independence of mental attitude is futile if actual decisions are subordinated to others.

The exercise of due audit care requires a critical review at every level of audit supervision of the work done and the decisions made by auditors. Lacking the requisite skills and lacking independent decisions, the due care expected of an auditor at operational, supervisor, and review levels cannot be delivered.

The Philippine Standards on Auditing require adequate planning and supervision of assistants. Training and proficiency in computer systems auditing is necessary in order to plan access to computerized records, programs, and to obtain machine time for conducting audit procedures. The planning should provide for an early examination of the computer system so that further procedures involving non-computer control and accounting features may be planned should they depend upon computer control procedures. Training and proficiency are very important for being able to obtain an understanding of the internal control structure in a computer system. Client personnel will expect audit personnel to be capable of working with a computer system.

The Philippine Standards on Auditing also require the auditor to obtain sufficient competent evidential matter to provide a basis for an opinion on financial statements. Documentary evidence relating to a computer system includes program flow charts,
logic diagrams, and decision tables that are not normally used in non-computer systems. Since these types of documentation are a part of the evidence, they must be understood by the auditor, and understanding of them comes through training and proficiency in their use.
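
The test data and parallel simulation procedures contrasted in the Review Questions and Comprehensive Cases above, shown side by side as an added example that is not part of the solutions manual. The order-entry programs, the credit-limit control, the seeded defect and every transaction below are constructed for illustration.

```python
from decimal import Decimal

CREDIT_LIMIT = Decimal("5000.00")  # constructed value for the documented control


def client_program(txn):
    """Hypothetical stand-in for the client's production order-entry program.

    Documented controls: reject quantity <= 0; reject orders whose total
    exceeds the credit limit. A defect is seeded on purpose: the limit
    check looks at the unit price instead of the order total.
    """
    qty, price = txn["qty"], Decimal(txn["price"])
    if qty <= 0:
        return ("REJECT", Decimal("0"))
    if price > CREDIT_LIMIT:  # seeded defect: should test qty * price
        return ("REJECT", Decimal("0"))
    return ("ACCEPT", qty * price)


def auditor_program(txn):
    """Auditor-written program, coded independently from the documented controls."""
    qty, price = txn["qty"], Decimal(txn["price"])
    total = qty * price
    if qty <= 0 or total > CREDIT_LIMIT:
        return ("REJECT", Decimal("0"))
    return ("ACCEPT", total)


def run_test_data(program, test_deck):
    """Test data: auditor-created transactions go through the client's program
    and are compared with results the auditor predetermined manually."""
    exceptions = []
    for txn, expected in test_deck:
        actual = program(txn)
        if actual != expected:
            exceptions.append((txn["id"], expected, actual))
    return exceptions


def parallel_simulation(client, auditor, transactions):
    """Parallel simulation: actual client transactions go through the auditor's
    program and are compared with the client program's output for the same input."""
    return [t["id"] for t in transactions if client(t) != auditor(t)]


# Constructed test deck: one transaction per type (valid, invalid quantity,
# exactly at the limit, over the limit), each with its predetermined result.
TEST_DECK = [
    ({"id": "T1", "qty": 2, "price": "100.00"}, ("ACCEPT", Decimal("200.00"))),
    ({"id": "T2", "qty": 0, "price": "100.00"}, ("REJECT", Decimal("0"))),
    ({"id": "T3", "qty": 1, "price": "5000.00"}, ("ACCEPT", Decimal("5000.00"))),
    ({"id": "T4", "qty": 10, "price": "600.00"}, ("REJECT", Decimal("0"))),
]

# Constructed sample of "actual" client transactions for the simulation run.
CLIENT_TRANSACTIONS = [
    {"id": "INV-1001", "qty": 3, "price": "250.00"},
    {"id": "INV-1002", "qty": 40, "price": "199.00"},
    {"id": "INV-1003", "qty": 1, "price": "7200.00"},
    {"id": "INV-1004", "qty": -5, "price": "20.00"},
    {"id": "INV-1005", "qty": 8, "price": "640.00"},
]

if __name__ == "__main__":
    for txn_id, expected, actual in run_test_data(client_program, TEST_DECK):
        print(f"test data exception {txn_id}: expected {expected}, got {actual}")
    differing = parallel_simulation(client_program, auditor_program, CLIENT_TRANSACTIONS)
    print("parallel simulation differences:", differing)
```

A single over-limit transaction in the test deck is enough to expose the defect, while the simulation run shows which of the actual transactions were affected by it.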

Date posted: 28/02/2018, 14:16
