
Auditing: Computerized

Computerized information systems (CIS) have become essential for business operations, though they create challenges for auditors due to a lack of visible transaction trails and the ease of unauthorized access to data and programs. Proper internal controls are especially important in a CIS environment to limit access and ensure the proper segregation of duties. Characteristics of CIS like consistent performance and the concentration of functions require compensating controls to prevent errors and fraud.

Uploaded by

Abigail Villalva
AUDITING IN A COMPUTERIZED ENVIRONMENT

With the rapid development in technology in recent years, computer information systems (CIS) have become feasible, perhaps essential, for use in small scale business operations. Almost all entities now use computers to some extent in their accounting systems. This widespread use of computers has offered new opportunities for professional accountants and has also created some challenging problems to auditors.

Regardless of the extent of computerization or the methods of data processing being used, the responsibility for the establishment and implementation of appropriate internal control systems rests with management and those charged with governance. The auditor's responsibility is to obtain an understanding of the entity's internal control system to be able to assess control risk and determine the nature, timing, and extent of tests to be performed.

Characteristics of Computer Information Systems (CIS)

Computer information systems have essential characteristics that distinguish them from manual processing systems.

Lack of visible transaction trails

In a manual system, it is normally possible to follow a transaction through the system by examining source documents, entity's records, and financial reports. In a CIS environment, data can be entered directly into the computer system without supporting documents. Furthermore, records and files may not be printed and cannot be read without using the computer. The absence of these visible documents, supporting the processing of transactions, makes the examination of evidence more difficult.
Consistency of Performance

CIS performs functions exactly as programmed. If the computer is programmed to perform a specific data processing task, it will never get tired of performing the assigned task in exactly the same manner. Because of this capability of the computer to process transactions uniformly, clerical errors that are normally associated with manual processing are eliminated. On the other hand, an incorrect program could be very devastating because it will result in consistently erroneous data processing.

Ease of Access to Data and Computer Programs

In a CIS environment, data and computer programs may be accessed and altered by unauthorized persons leaving no visible evidence. It is important, therefore, that appropriate controls are incorporated to the system to limit the access to data files and programs only to authorized personnel.

Concentration of duties

Proper segregation of duties is an essential characteristic of a sound internal control system. However, because of the ability of the computer to process data efficiently, there are functions that are normally segregated in manual processing that are combined in a CIS environment.

As a particular example, in manual processing, the function of recording cash disbursements is incompatible with the responsibility for reconciling disbursements. Since one of these functions serves as a check upon the other, assigning both functions to one employee would enable that employee to commit and conceal errors or irregularities. A properly programmed computer, on the other hand, has no tendency or motivation to commit irregularities or conceal its errors. Hence, what appears to be an incompatible combination of functions may be combined in a CIS environment without weakening the internal control provided appropriate compensating controls are put in place.

Systems generated transactions

Certain transactions may be initiated by the CIS itself without the need for an input document. For example, interest may be calculated and charged automatically to customers' account balances on the basis of pre-authorized terms contained in a computer program.

Vulnerability of data and program storage media

In a manual system, the records are written in ink on substantial paper. The only way to lose the information is to lose or to destroy the physical records. The situation is completely different in a CIS environment. The information on the computer can be easily changed, leaving no trace of the original content. This change could happen inadvertently and huge amount of information can be quickly lost.

Internal Control in a CIS Environment

Many of the control procedures used in manual processing also apply in a CIS environment. Examples of such procedures include authorization of transactions, proper segregation of duties, and independent checking. The elements of internal control are the same; the computer just changes the methods by which these elements are implemented.

A variety of controls are performed to check accuracy, completeness, and authorization of transactions. When computer processing is used in significant accounting applications, internal control procedures can be classified into two types: general and application controls.
General Controls

General controls are those control policies and procedures that relate to the overall computer information system. These controls include:

1. Organizational controls

Just as in a manual system, there should be a written plan of the organization, with clear assignment of authority and responsibility. In a CIS environment, the plan of an organization for an entity's computer system should include segregation between the user and CIS department, and segregation of duties within the CIS department.

a. Segregation between the CIS department and user departments

CIS department must be independent of all departments within the entity that provide input data or that use output generated by the CIS.

The function of CIS department is to process transactions. However, no transaction will be processed unless it is initiated by the user department. Therefore, all changes in computer files must be initiated and authorized by the user department.

b. Segregation of duties within the CIS department

Functions within the CIS department should be properly segregated for good organizational controls. The entity's organizational structure should provide for definite lines of authority and responsibility within the CIS department. A sample of an organizational structure within the CIS department is presented below.

CIS DIRECTOR
    Systems Development: Systems Analyst, Programmer
    Computer Operations: Computer Operator, Data Entry Operator
    Other Functions: Librarian, Control Group

Position: Primary Responsibilities

CIS Director: Exercises control over the CIS operation.
Systems Analyst: Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers.
Programmer: Guided by the specifications of the systems analyst, the programmer writes a program, tests and debugs such programs, and prepares the computer operating instructions.
Computer Operator: Using the program and detailed operating instructions prepared by the programmer, computer operator operates the computer to process transactions.
Data Entry Operator: Prepares and verifies input data for processing.
Librarian: Maintains custody of systems documentation, programs and files.
Control Group: Reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output, and distributes output to authorized personnel.

Optimal segregation of duties dictates that each of the above tasks should be assigned to different employees. However, some entities may not have enough resources to maintain a large CIS department.

In small entities, with limited number of personnel, there are some functions that may be combined. But as a minimum, the functions of systems development and computer operations must be segregated. Systems analyst and programmer should not be allowed to use the programs they developed, and they should not be allowed to operate the computer. Also, computer operators who run the program should not participate in program design. A number of computer related frauds have resulted when these functions are combined.

2. Systems development and documentation controls

Software development as well as changes thereof must be approved by the appropriate level of management and the user department. To ensure that computer programs are functioning as designed, the program must be tested and modified, if needed, by the user and CIS department.

Moreover, adequate systems documentation must be made in order to facilitate the use of the program as well as changes that may be introduced later into the system.

3. Access controls

Every computer system should have adequate security controls to protect equipment, files, and programs. Access to the computer should be limited only to operators and other authorized employees. Additionally, appropriate controls, such as the use of passwords, must be adopted in order to limit access to data files and programs only to authorized personnel.

4. Data recovery controls

One of the characteristics of the CIS is the vulnerability of files and programs. Computer files can be easily lost and the loss of these files can be disastrous to an entity. The survival of an entity affected by such disaster depends on its ability to recover the files on a timely basis.

A data recovery control provides for the maintenance of back-up files and off-site storage procedures. Computer files should be copied daily to tape or disks and secured off-site. In the event of disruption, reconstruction of files is achieved by updating the most recent back-up with subsequent transaction data. When magnetic tapes are used, a common practice in file retention called Grandfather, father, son practice requires an entity to keep the two most recent generations of master files and transaction files, in order to permit reconstruction of master files if needed.

5. Monitoring controls

Monitoring controls are designed to ensure that CIS controls are working effectively as planned. These include periodic evaluation of the adequacy and effectiveness of the overall CIS operations, conducted by persons within or outside the entity.
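
The organizational controls above can be tested against an access listing and a file-change log. The Python sketch below is an added example, not part of the original document: it flags anyone whose positions span systems development and computer operations, and any computer-file change initiated or authorized by CIS personnel rather than the user department. The staff names, the log layout and the change IDs are constructed for illustration.

```python
# Added example, not from the source document. Staff names, the access
# listing and the change log are constructed sample data.
FUNCTION_OF = {  # positions grouped as in the sample organization chart
    "Systems Analyst": "systems development",
    "Programmer": "systems development",
    "Computer Operator": "computer operations",
    "Data Entry Operator": "computer operations",
    "Librarian": "other functions",
    "Control Group": "other functions",
}
# Minimum segregation named in the text.
INCOMPATIBLE = [{"systems development", "computer operations"}]


def sod_conflicts(assignments):
    """Map each person whose positions span incompatible functions
    to the sorted list of positions they hold."""
    held = {}
    for person, position in assignments:
        held.setdefault(person, set()).add(position)
    conflicts = {}
    for person, positions in held.items():
        functions = {FUNCTION_OF[p] for p in positions if p in FUNCTION_OF}
        if any(pair <= functions for pair in INCOMPATIBLE):
            conflicts[person] = sorted(positions)
    return conflicts


def cis_staff(assignments):
    """Everyone who holds a position inside the CIS department."""
    return {person for person, _ in assignments}


def changes_without_user_authority(change_log, staff):
    """IDs of file changes initiated or authorized by CIS personnel
    instead of the user department."""
    return [c["id"] for c in change_log
            if c["initiated_by"] in staff or c["authorized_by"] in staff]


ASSIGNMENTS = [  # constructed access listing: (person, position)
    ("Reyes", "Systems Analyst"),
    ("Santos", "Programmer"),
    ("Santos", "Computer Operator"),   # writes programs and also runs them
    ("Cruz", "Computer Operator"),
    ("Cruz", "Data Entry Operator"),   # same function, allowed in a small entity
    ("Lim", "Librarian"),
    ("Garcia", "Control Group"),
]
CHANGE_LOG = [  # constructed; Dizon and Ramos work in user departments
    {"id": "CHG-1", "initiated_by": "Dizon", "authorized_by": "Ramos"},
    {"id": "CHG-2", "initiated_by": "Santos", "authorized_by": "Ramos"},
    {"id": "CHG-3", "initiated_by": "Dizon", "authorized_by": "Cruz"},
]

if __name__ == "__main__":
    print(sod_conflicts(ASSIGNMENTS))
    print(changes_without_user_authority(CHANGE_LOG, cis_staff(ASSIGNMENTS)))
```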
Application Controls

The processing of transactions involves three stages: the input, processing, and output stage. The input stage involves capturing a mass of data; the processing stage involves converting mass of raw data into useful information; and output stage involves preparation of information in a form useful to those who need it. To ensure that all relevant data are captured as input to the system, and to ensure that the data are accurately processed during their conversion into meaningful financial information, controls or other mechanisms must be incorporated into the system.

Application controls are those policies and procedures that relate to specific use of the system. These are designed to provide reasonable assurance that all transactions are authorized, and that they are processed completely, accurately and in a timely manner. These include:

1. Controls over input

A large number of errors in a computer system are caused by inaccurate or incomplete data entry. Input controls are designed to provide reasonable assurance that data submitted for processing are complete, properly authorized, and accurately translated into machine readable form.

Examples of input controls include:

Key verification

This requires data to be entered twice (usually by different operators) to provide assurance that there are no key entry errors committed.

Field check

This ensures that the input data agree with the required field format. For example, all SSS numbers must contain ten digits. An input of an employee's SSS number with more or less than ten digits will be rejected by the computer.

Validity check

Information entered is compared with valid information in the master file to determine the authenticity of the input. For example, the employee master file may contain two valid codes to indicate the employee's gender: "1" for male and "2" for female. A code of "3" is considered invalid and will be rejected by the computer.

Self-checking digit

This is a mathematically calculated digit which is usually added to a document number to detect common transpositional errors in data submitted for processing.

Limit check

Limit check or reasonable check is designed to ensure that data submitted for processing do not exceed a pre-determined limit or a reasonable amount.

Control totals

These are totals computed based on the data submitted for processing. Control totals ensure the completeness of data before and after they are processed. These controls include financial totals, hash totals, and record counts. As an example, assume the following data regarding the entity's disbursements for the day.

Voucher No. 141    P15,000
Voucher No. 142    P20,000
Voucher No. 143    P5,000

Financial total = P40,000 (P15,000 + P20,000 + P5,000)
Hash total = 426 (141 + 142 + 143)
Record count = 3

2. Controls over processing

Processing controls are designed to provide reasonable assurance that input data are processed accurately, and that data are not lost, added, excluded, duplicated or improperly changed. Almost all of the input controls that were mentioned earlier are also part of the processing controls because such controls are usually incorporated in the client's computer program to detect errors in processing of transactions.

3. Controls over output

Output controls are designed to provide reasonable assurance that the results of processing are complete, accurate and that these outputs are distributed only to authorized personnel.

A person who knows what an output should look like must review the CIS output for reasonableness. Control totals are compared with those computed prior to processing to ensure completeness of information. Finally, CIS outputs must be restricted only to authorized employees who will be using such outputs.

The effectiveness of the general CIS controls is essential to the effectiveness of CIS application controls. Thus, it may be more efficient to review the design of the general controls first, before reviewing the application controls.

Test of Control in a CIS environment

Like manual processing environment, test of control in a CIS environment involves evaluating the client's internal control policies and procedures to determine if they are functioning as intended. Regardless of the nature of the client's data processing system, auditors must perform tests of controls if they intend to rely on the client's internal control.

The auditor's objectives and scope of the audit do not change in a CIS environment. However, the use of the computer changes the processing and storage of financial information and may affect the organization and procedures employed by the entity to achieve adequate internal control. Accordingly, the methods employed by the auditor in testing the control may also be affected.

Testing the reliability of general controls may include observing client's personnel in performing their duties, inspecting program documentation, and observing the security measures in force. In testing application controls, the auditor may either:

1. Audit around the computer, or
2. Use Computer-Assisted Audit Techniques.

Auditing Around the Computer

Auditing around the computer is similar to testing control in a manual control structure in that it involves examination of documents and reports to determine the reliability of the system. When using this approach, the auditor ignores the client's data processing procedures, focusing solely on the input documents and the CIS output. Input data are simply reconciled with the output to verify the accuracy of processing. Auditing around the computer is based on the assumption that if the input reconciles with the output, then the computer program must have processed the transaction accurately. Hence, the auditor obtains knowledge about the reliability of the system without directly examining the computer program of the system.

Auditing around the computer can be used only if there are visible input documents and detailed output that will enable the auditor to trace individual transactions back and forth. This is also known as "black box approach" because it does not permit direct assessment of actual processing of transactions.

Computer Assisted Audit Techniques (CAATs)

When computerized accounting systems perform tasks for which no visible evidence is available, it may be impracticable for the auditor to test manually. Such is usually the case when the entity uses advanced CIS. Consequently, the auditor will have to audit directly the client's computer program using CAATs. This is also called "white box approach".

CAATs are computer programs and data which the auditor uses as part of the audit procedures to process data of audit significance contained in an entity's information systems. Some of the commonly used CAATs include test data, integrated test facility and parallel simulation.

1. Test data

The test data technique is primarily designed to test the effectiveness of the internal control procedures which are incorporated in the client's computer program. The objective of the test data technique is to determine whether the client's computer programs can correctly handle valid and invalid conditions as they arise.

To accomplish this objective the auditor prepares test data (transactions) that consist of valid and invalid conditions. The auditor enters the test data into the system and has the data processed by the entity's computer program. Because the auditor is the one who creates the test data, the auditor knows what the output should look like, assuming the client's computer program is functioning effectively. The auditor then compares the processing results with his predetermined output. If the output generated by the client's program is the same as the auditor's expected output, the auditor may conclude that the client's program is reliable.

[Figure: TEST DATA. The auditor's test data is processed using the client's program; the output is compared manually with the auditor's expected output.]
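
The input controls, the control totals illustration and the test data technique described above can be exercised together. The Python sketch below is an added example, not part of the original document: a stand-in "client program" applies the field, validity and limit checks, control totals are reconciled before and after processing, and the auditor's test data is run against both a correct and a defective version of the program. The payroll-style voucher layout, the P50,000 limit, the test voucher numbers and the defective variant are assumptions made for the example.

```python
# Added example, not from the source document. Records are constructed
# payroll-style disbursement vouchers; VOUCHER_LIMIT is an assumed limit.
VALID_GENDER_CODES = {"1", "2"}  # validity check codes given in the text
SSS_DIGITS = 10                  # field check: SSS number must have ten digits
VOUCHER_LIMIT = 50_000           # assumed pre-determined limit (limit check)

def edit_checks(rec, limit=VOUCHER_LIMIT):
    """Stand-in for the client's program: input controls that rec fails."""
    failed = []
    if not (rec["sss"].isdigit() and len(rec["sss"]) == SSS_DIGITS):
        failed.append("field check")
    if rec["gender"] not in VALID_GENDER_CODES:
        failed.append("validity check")
    if not 0 < rec["amount"] <= limit:
        failed.append("limit check")
    return failed

def faulty_edit_checks(rec):
    """The same program with a defect: the validity check was never coded."""
    return [f for f in edit_checks(rec) if f != "validity check"]

def control_totals(batch):
    """Financial total, hash total and record count for a batch."""
    return {
        "financial total": sum(r["amount"] for r in batch),
        "hash total": sum(r["voucher"] for r in batch),
        "record count": len(batch),
    }

def reconcile(before, after):
    """Control totals that no longer agree after processing."""
    return [name for name in before if before[name] != after[name]]

def run_test_data(program, deck):
    """Test data technique: cases where the program's output differs from
    the auditor's predetermined output, as (case, expected, actual)."""
    return [(name, expected, program(rec))
            for name, rec, expected in deck
            if program(rec) != expected]

def voucher(no, amount, sss="0123456789", gender="1"):
    """Build one constructed voucher record."""
    return {"voucher": no, "amount": amount, "sss": sss, "gender": gender}

# The day's disbursements from the control totals illustration.
BATCH = [voucher(141, 15_000), voucher(142, 20_000), voucher(143, 5_000)]

# Auditor's test data (constructed): one valid and three invalid conditions,
# each paired with the output the auditor expects.
TEST_DECK = [
    ("valid voucher", voucher(901, 10_000), []),
    ("nine-digit SSS", voucher(902, 10_000, sss="012345678"), ["field check"]),
    ("gender code 3", voucher(903, 10_000, gender="3"), ["validity check"]),
    ("over the limit", voucher(904, 50_001), ["limit check"]),
]

if __name__ == "__main__":
    print(control_totals(BATCH))
    # Voucher 142 keyed as 124 during processing: only the hash total breaks.
    keyed = [voucher(141, 15_000), voucher(124, 20_000), voucher(143, 5_000)]
    print(reconcile(control_totals(BATCH), control_totals(keyed)))
    print(run_test_data(edit_checks, TEST_DECK))
    print(run_test_data(faulty_edit_checks, TEST_DECK))
```

The transposed voucher number leaves the financial total and record count unchanged, which is why the hash total is kept even though the sum of document numbers has no meaning of its own.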
2. Integrated test facility (ITF)

A disadvantage of the test data technique is that the auditor does not have an assurance that the program tested is the same program used by the client throughout the accounting period. In order to overcome this disadvantage, the test data technique can be extended to an integrated test facility (ITF).

When using ITF, the auditor creates dummy or fictitious employee or other appropriate unit for testing within the entity's computer system. Unlike test data, which is run independently of the client's data, an ITF integrates the processing of test data with the actual processing of ordinary transactions without management being aware of the testing process. The resultant output, relating to the dummy unit, is then compared with the predetermined results to evaluate the reliability of the client's program.

By processing test data simultaneously with client data, ITF provides assurance that the program tested by the auditor is the same program used by the client in the processing of transactions.

[Figure: INTEGRATED TEST FACILITY. The auditor's test data and the client's data are processed together using the client's program; the output is compared manually with the auditor's expected output.]

When using ITF, the auditor must be alert to the danger of contaminating the client's master files. Thus, care must be taken to reverse or eliminate the effects of all audit test transactions in order to avoid contamination of client computer files.
3. Parallel simulation

In contrast to the test data and ITF techniques, which require the auditor to create test inputs (data) and process these data using the client's computer program, parallel simulation requires the auditor to write a program that simulates key features or processes of the program under review. The simulated program is then used to reprocess transactions that were previously processed by the client's program. The auditor compares the results obtained from the simulation with the client's output, to be able to draw a conclusion about the reliability of the client's program.

[Figure: PARALLEL SIMULATION. The client's data is processed using the client's program and, separately, using the auditor's program; the two outputs are compared manually.]

Parallel simulation can be accomplished by using generalized audit software or purpose-written programs. Generalized audit software consists of generally available computer packages which have been designed to perform common audit tasks such as performing or verifying calculations, summarizing and totaling files, and reporting information as specified by the auditor. Purpose-written programs, on the other hand, are designed to perform audit tasks in specific circumstances. These programs may be developed by the auditor, the entity being audited, or an outside programmer hired by the auditor.

Other CAATs

Highly complicated computerized systems sometimes do not retain permanent audit trails and would require capturing audit data as transactions are processed. Under this scenario, the CAATs available to the auditor may include:

1. Snapshots

This technique involves taking a picture of a transaction as it flows through the computer systems. Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of processing. Such a technique allows an auditor to track data and evaluate the computer process applied to the data.

2. Systems control audit review files (SCARF)

This involves embedding audit software modules within an application system to provide continuous monitoring of the systems transactions. The information is collected into a special computer file that the auditor can examine.
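
Parallel simulation, as described above, can be shown with the kind of system-generated transaction the document mentions: interest charged automatically on pre-authorized terms. The Python sketch below is an added example, not part of the original document: a purpose-written auditor's program recomputes the interest from the same transactions and compares its results with the client's output. The account numbers, customer classes, rates and amounts are all constructed for illustration.

```python
# Added example, not from the source document: parallel simulation of a
# system-generated interest charge. All rates and amounts are constructed.
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Pre-authorized terms taken by the auditor from approved contracts
# (assumed values): monthly interest rate per customer class.
AUTHORIZED_RATES = {"retail": Decimal("0.02"), "wholesale": Decimal("0.015")}

# Transactions previously processed by the client's program (constructed).
CLIENT_INPUT = [
    {"account": "C-001", "cls": "retail", "overdue": Decimal("12500.00")},
    {"account": "C-002", "cls": "wholesale", "overdue": Decimal("8000.00")},
    {"account": "C-003", "cls": "retail", "overdue": Decimal("333.25")},
    {"account": "C-004", "cls": "wholesale", "overdue": Decimal("40000.00")},
    {"account": "C-005", "cls": "retail", "overdue": Decimal("0.00")},
]

# Interest the client's program charged for the period (constructed output).
CLIENT_OUTPUT = {
    "C-001": Decimal("250.00"),
    "C-002": Decimal("120.00"),
    "C-003": Decimal("6.66"),    # truncated instead of rounded
    "C-004": Decimal("800.00"),  # retail rate applied to a wholesale account
    "C-999": Decimal("45.00"),   # charge with no matching input transaction
}


def simulate_interest(transactions, rates=AUTHORIZED_RATES):
    """Auditor's program: recompute the charge for every account with an
    overdue balance, rounded to the nearest centavo."""
    charges = {}
    for t in transactions:
        charge = (t["overdue"] * rates[t["cls"]]).quantize(
            CENT, rounding=ROUND_HALF_UP)
        if charge:  # accounts with nothing overdue get no charge
            charges[t["account"]] = charge
    return charges


def compare_outputs(simulated, client):
    """Differences between the simulation and the client's output, as
    (account, finding, amount) sorted by account."""
    findings = []
    for acct in sorted(set(simulated) | set(client)):
        sim, cli = simulated.get(acct), client.get(acct)
        if sim is None:
            findings.append((acct, "charged by client, not in input", cli))
        elif cli is None:
            findings.append((acct, "missing from client output", sim))
        elif sim != cli:
            findings.append((acct, "amount differs (client - auditor)", cli - sim))
    return findings


if __name__ == "__main__":
    for finding in compare_outputs(simulate_interest(CLIENT_INPUT), CLIENT_OUTPUT):
        print(finding)
```

Each finding is a lead for follow-up rather than a conclusion: a difference may come from the client's program or from the auditor's simulation not reflecting the actual pre-authorized terms.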
