Auditing-in-a-computerized-environment

The document discusses the impact of information technology (IT) on internal controls and auditing processes in computerized environments. It highlights the differences between manual and automated controls, the benefits and risks associated with IT, and the importance of general and application controls. Additionally, it emphasizes the need for auditors to adapt their evidence-gathering techniques, including the use of computer-assisted audit techniques, to effectively assess control risks in highly automated systems.

Uploaded by Henry Dublin
Auditing in a computerized environment
Outline
• Effect of IT on internal controls
• Manual vs. automated controls
• General and application controls
• IT benefits and risks
• Manual vs. computerized environments
• Effect of IT on evidence gathering
• IT encompasses automated means of originating, processing,
storing and communicating information.
• Affects how transactions are initiated, recorded, processed and
reported.
• Client’s use of IT affects both the auditor’s evaluation of internal
controls and the procedures to gather evidence.
• Audit objectives are the same in a computerized environment as
they are in a manual environment.
Effect of IT on Internal Controls
Effect on internal controls
1. Management’s failure to appropriately address IT risks may negatively impact the control
environment.
2. The use of IT may enhance an entity’s risk assessment by providing more timely
information.
3. Many information and communication systems make extensive use of IT, and the way in
which IT is used often affects an entity’s internal control.
4. Much of the information used in monitoring is provided by IT, and therefore, the accuracy
of the IT system is crucial.
5. The use of IT may affect the way in which existing control activities are implemented.
Also, the effectiveness of user controls may depend upon the accuracy of information
provided to the user by IT systems.
o If evidence is not retrievable, it is difficult to determine the timing of control
testing and substantive testing.
o IT system may make it impossible to resolve the detection risk through
substantive testing alone.
PSA 315:
The auditor shall determine whether substantive procedures alone cannot provide
sufficient appropriate audit evidence for any of the risks of material misstatement at the
assertion level. 
Due to the nature of the risk, the only way to obtain sufficient appropriate evidence is to test
the operating effectiveness of controls.
This applies to routine business transactions subject to highly automated processing with
little or no manual intervention, such as in circumstances where a significant amount of an
entity’s information is initiated, recorded, processed, or reported only in electronic form such
as in an information system that involves a high degree of integration across its IT applications.
In such cases:
• Audit evidence may be available only in electronic form, and its sufficiency and
appropriateness usually depend on the effectiveness of controls over its accuracy and
completeness.
• The potential for improper initiation or alteration of information to occur and not be detected
may be greater if appropriate controls are not operating effectively.
• Example:
Revenue for a telecommunications entity.
Evidence of call or data activity does not exist in a form that is observable.
Instead, substantial controls testing is typically performed to determine
that the origination and completion of calls, and data activity is correctly
captured (e.g., minutes of a call or volume of a download) and recorded
correctly in the entity’s billing system.
Manual vs. Automated Controls
Manual controls
Manual controls are internal controls performed by people and are more suitable when
judgment and discretion are required, such as when there are:
• Large, unusual, or nonrecurring transactions
• Potential misstatements that are difficult to define or predict
• Changes in circumstances that require changes in controls

Manual controls are also used to monitor automated controls. Manual controls, however,
may pose additional risks because they can be more easily ignored or overridden, they
are subject to human error, and they are less consistent than automated controls.
Automated controls
Automated controls are internal controls performed using IT and are more suitable for:
• High volume or recurring transactions
• Control activities that can be adequately designed and automated
General and application controls
General controls
These are policies and procedures that relate to many applications and support the
effective functioning and proper operation of the information system.

These can be categorized as:
a. Controls over data center and network operations
b. System software acquisition, change and maintenance controls
c. Access security controls
d. Application system acquisition, development, and maintenance controls

Examples of general controls include passwords, change management procedures,
backup/recovery systems, and administrative rights to the network.
Application controls
These apply to the processing of individual transactions and help to ensure that
transactions occurred, are authorized, and are completely and accurately processed and
reported.

Application controls are controls over input, processing, and output, including:
a. Administrative access rights
b. Controls over interfaces, integrations, and e-commerce
c. Checking the mathematical accuracy of records
d. Maintaining and reviewing accounts and trial balances
e. Automated edit checks of input data
f. Manual follow-ups of exception reports
Input controls
These are controls designed to ensure that input is authorized, complete, accurate and
timely. Dependent on the complexity of the application program in question, such controls
will vary in terms of quantity and sophistication.

Specific input validation checks may include:
a. Format checks
b. Range checks
c. Compatibility checks
d. Validity checks
e. Exception checks
f. Sequence checks
g. Control totals
h. Check digit verification
Format checks
• These ensure that information is input in the correct form. For example, the requirement that the
date of a sales invoice be input in numeric format only – not numeric and alphanumeric.

Range checks
• These ensure that information input is reasonable in line with expectations. For example, where an
entity rarely, if ever, makes bulk-buy purchases with a value in excess of $50,000, a purchase
invoice with an input value in excess of $50,000 is rejected for review and follow-up.

Compatibility checks
• These ensure that data input from two or more fields is compatible. For example, a sales invoice
value should be compatible with the amount of sales tax (assuming sales tax is based on invoice
amount) charged on the invoice.
Validity checks
• These ensure that the data input is valid.
• For example, where an entity operates a job costing system – costs input to a previously completed
job should be rejected as invalid.

Exception checks
• These ensure that an exception report is produced highlighting unusual situations that have arisen
following the input of a specific item.
• For example, the carry forward of a negative value for inventory held.

Sequence checks
• These facilitate completeness of processing by ensuring that documents processed out of
sequence are rejected.
• For example, where pre-numbered goods received notes are issued to acknowledge the receipt of
goods into physical inventory, any input of notes out of sequence should be rejected.
Control totals
• These also facilitate completeness of processing by ensuring that pre-input, manually
operated control totals are compared to control totals input.
• For example, non-matching totals of a ‘batch’ of purchase invoices should result in an on-screen
user prompt, or the production of an exception report for follow-up. The use of
control totals in this way is also commonly referred to as output controls.

Check digit verification
• This process uses algorithms to ensure that data input is accurate. For example, internally
generated valid supplier numerical reference codes should be formatted in such a way that
any purchase invoices input with an incorrect code will be automatically rejected.
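The input checks described above, applied to one batch of purchase invoices. This is an added example, not part of the original slides: the $50,000 limit comes from the range-check slide, while the record layout, the 10% tax rate, the use of Luhn mod 10 as the check digit scheme and the sample batch are assumptions made for illustration.

```python
import re
from decimal import Decimal

RANGE_LIMIT = Decimal("50000")  # bulk-buy threshold from the range-check slide
TAX_RATE = Decimal("0.10")      # assumed sales tax rate (not from the slides)

def luhn_valid(code):
    """Check digit verification; Luhn mod 10 is an assumed scheme."""
    if not re.fullmatch(r"[0-9]{2,}", code):
        return False
    total = 0
    for i, ch in enumerate(reversed(code)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_invoice(inv):
    """Return the names of the field-level input checks an invoice fails."""
    failed = []
    if not re.fullmatch(r"[0-9]{8}", inv["date"]):
        failed.append("format")              # date must be numeric YYYYMMDD
    if inv["value"] > RANGE_LIMIT:
        failed.append("range")               # held for review and follow-up
    if abs(inv["value"] * TAX_RATE - inv["tax"]) > Decimal("0.01"):
        failed.append("compatibility")       # tax must agree with invoice value
    if not luhn_valid(inv["supplier"]):
        failed.append("check_digit")         # mistyped supplier code
    return failed

def check_batch(invoices, manual_total, last_doc_no):
    """Field checks plus a sequence check and a batch control total."""
    exceptions, prev, input_total = {}, last_doc_no, Decimal("0")
    for inv in invoices:
        failed = check_invoice(inv)
        if inv["doc_no"] != prev + 1:
            failed.append("sequence")        # gap or out-of-order document
        prev = inv["doc_no"]
        input_total += inv["value"]
        if failed:
            exceptions[inv["doc_no"]] = failed
    # Control total: the pre-input manual total must equal the total keyed in.
    return {"exceptions": exceptions,
            "control_total_ok": input_total == manual_total}

# Constructed sample batch (not real data).
BATCH = [
    {"doc_no": 1001, "date": "20240105", "supplier": "100230",
     "value": Decimal("1200.00"), "tax": Decimal("120.00")},
    {"doc_no": 1002, "date": "05-Jan-24", "supplier": "204172",
     "value": Decimal("800.00"), "tax": Decimal("80.00")},
    {"doc_no": 1003, "date": "20240106", "supplier": "100320",
     "value": Decimal("62000.00"), "tax": Decimal("6200.00")},
    {"doc_no": 1005, "date": "20240107", "supplier": "204172",
     "value": Decimal("500.00"), "tax": Decimal("75.00")},
]

if __name__ == "__main__":
    report = check_batch(BATCH, Decimal("64500.00"), last_doc_no=1000)
    for doc_no, failed in report["exceptions"].items():
        print(doc_no, "rejected:", ", ".join(failed))
    print("control total agrees:", report["control_total_ok"])
```

The supplier code `100320` in the sample is `100230` with two digits transposed, the kind of keying error a check digit is designed to catch.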
Processing controls
• These exist to ensure that all data input is processed correctly and that data files are updated
accurately and in a timely manner. The processing controls for a specified application program should be designed
and then tested prior to ‘live’ running with real data.
• These may typically include the use of run-to-run controls, which ensure that the integrity of cumulative totals
contained in the accounting records is maintained from one data processing run to the next. For example, the
balance carried forward on the bank account in a company’s general (nominal) ledger.

• Other processing controls should include the subsequent processing of data rejected at the point of input, for
example:
o A computer-produced print-out of rejected items
o Formal written instructions notifying data processing personnel of the procedures to follow with regard
to rejected items
o Appropriate investigation/follow-up of rejected items
o Evidence that rejected errors have been corrected and re-input
Output controls
• These exist to ensure that all data is processed and that output is distributed only to prescribed
authorized users.
• While the degree of output controls will vary from one organization to another (dependent on the
confidentiality of the information and size of the organization), common controls comprise:

o Use of batch control totals, as described previously (see ‘input controls’)
o Appropriate review and follow up of exception report information to ensure that there are no
permanently outstanding exception items.
o Careful scheduling of the processing of data to help facilitate the distribution of information to end
users on a timely basis.
o Formal written instructions notifying data processing personnel of prescribed distribution
procedures.
o Ongoing monitoring by a responsible official, of the distribution of output, to ensure it is distributed
in accordance with authorized policy.
IT Benefits and Risks
IT Benefits
• Entities use IT to improve the efficiency and effectiveness of their internal control. The auditor
should consider the effect of such benefits as part of assessing internal control. Benefits
may include:

1. The ability to process large volumes of transactions and data accurately and
consistently
2. Improved timeliness and availability of information
3. Facilitation of data analysis
4. Reduction in the risk that controls will be circumvented
5. Enhanced segregation of duties through effective implementation of security
controls
6. Enhanced ability to monitor the performance of the entity’s activities and its policies
and procedures
IT Risks
• The use of IT may also create additional internal control risks. The auditor must evaluate
the entity’s use of IT to determine whether and to what extent the following risks exist:

1. Potential reliance on inaccurate systems
2. Unauthorized access to data, which may result in loss of data and/or data
inaccuracies
3. Unauthorized changes to data, systems, or programs
4. Failure to make required changes or updates to systems or programs
5. Inappropriate manual intervention
6. Potential loss of data

• garbage in – garbage out


Differences between manual and computerized environments
Segregation of duties
• In a computerized environment, transaction processing often results in a combination of
functions that are normally separated in a manual environment.

• The additional risk associated with this (possibly incompatible) concentration of functions
may be mitigated by the implementation of compensating controls.

• The following should be segregated:
o Control group
o Operators
o Programmers
o System analyst
o Librarian
Disappearing audit trails
• Paper audit trails are substantially reduced in a computerized environment (particularly in
online, real-time systems). If a client processes most of its financial data in electronic form,
without any paper documentation, audit tests should be performed on a continuous
basis.

• Computer systems should be designed to supply electronic audit trails, which are often
as effective as paper trails.

• Use of IT may make it more difficult to use physical inspection to identify nonstandard or
unusual transactions or adjustments.
Uniform transaction processing
• Processing consistency is improved in a computerized environment because clerical errors
(e.g. random arithmetic errors, missed postings, etc.) are virtually eliminated.

• In a computerized environment, however, there is an increased potential for systematic
errors, such as errors in programming logic (e.g. using incorrect withholding tax rates).
Such errors may possibly affect the financial statements more pervasively than random
clerical errors.
Computer-initiated transactions
• Automated transactions are not subject to the same types of authorization as are used for
manual transactions and may not be as well-documented.

• When information is automatically transferred from transaction processing systems (for
example, Sales and Billing) to financial reporting systems (e.g. general ledger and trial
balance), inadvertent errors are reduced, but unauthorized interventions may not be
evident.
Potential for increased errors and irregularities
• Several characteristics of computerized processing act to increase the likelihood that fraud may occur and
may remain undetected for long periods of time:

1. The opportunity for remote access to data in networked environments increases the likelihood of
unauthorized access. Therefore, specific controls should exist to ensure that users can only access
and update authorized data elements.

2. Concentration of information in computerized systems means that, if system security is breached, the
potential for damage is greater than in manual systems.

3. Decreased human involvement in transaction processing results in decreased opportunities for
observation.

4. Errors or fraud may occur in the design or maintenance of application programs.

5. Computer disruptions may cause errors or delays in recording transactions.


Potential for increased supervision and review
• Computer systems provide more opportunities for data analysis and review, including
integration of audit procedures in the application programs themselves.

• Utilization of these opportunities can help mitigate the additional risks associated with a
lack of segregation of duties.

• In a computerized environment, the increased availability of raw data and management
reports affords greater opportunity for both the client and the auditor to perform analytical
procedures.
Dependence on IT General Controls Over Computer Processing
• Controls for specific applications are only as effective as the general controls in place in
the information technology department, which processes the transactions and produces
the reports.
Effect of IT on evidence gathering
An auditor can use manual audit procedures (called “auditing around the computer”),
computer assisted audit techniques (called “auditing through the computer”) or a
combination of both.

In either event, because the reliability of an automated system is highly dependent on the
adequacy of control design and execution, it is critical that the auditor gain a thorough
understanding of the structure and usage of the control system through inquiry and
observation.
Factors to consider
In selecting the appropriate audit procedures in a computerized environment, the auditor
should consider:

1. The extent of computer utilization in each accounting application,
2. The complexity of the entity’s computer operations,
3. The organizational structure of the information technology department,
4. The availability of an audit trail, and
5. The use of computer-assisted audit techniques.

Note: When substantive testing alone may not suffice (in a highly computerized system), tests of
controls should be performed to assess control risk.
Use of an IT professional
Because some systems depend so heavily on computerized processing, it may be difficult or
impossible for the auditor to access certain information without assistance. If specialized IT
skills are needed, the auditor should seek the help of an IT professional from his/her staff or
from outside.

1. The auditor should have enough IT-related knowledge to:
a. Communicate the audit objectives to the IT professional,
b. Evaluate the sufficiency of the procedures performed, and
c. Evaluate the results of the procedures performed.

2. The auditor need not personally possess the required level of IT skills.
Auditing around the computer
• When auditing around the computer, the auditor does not directly test the application
program. The auditor tests the input data, processes the data independently, and
then compares the independently determined results to the program results.
Emphasis is on the input and output stages of transaction processing.

• Auditing around the computer is often appropriate for simple batch systems with a good
audit trail, and will result in the same level of confidence as would auditing through the
computer.

• Risks of auditing around the computer include insufficient, paper-based evidence and
insufficient audit procedures.
Computer Assisted Audit Techniques (CAATs)
[auditing through the computer]
When using CAATs, emphasis is on the input and processing stages of transaction
processing. In highly automated systems, complex audit trails and the elimination of physical
source documents may mean that CAATs are the only feasible way to complete the audit in a
timely manner.
1. Transaction tagging
• This is a technique the auditor uses to electronically mark (or “tag”) specific
transactions and follow them through the client’s system.
• Tagging allows the auditor to test both the computerized processing and the manual
handling of transactions.

2. Embedded audit modules
• These are sections of the application program code that collect transaction data for the
auditor.
• For example, an auditor might want to examine all transactions affecting a specific
account code that are greater than $500.
• Embedded audit modules are most often built into the application program when the
program is developed, for use in ensuring that controls are operating effectively.
3. Test data (test deck)

• This refers to a technique that uses the application program to process a set of test data, the
results of which are already known. (The client’s system is used to process the auditor’s
data, off-line, while still under the auditor’s control.)

a. The test data contains the type of invalid conditions in which the auditor is interested (it is
not necessary to test all combinations of invalid conditions).

Examples of invalid conditions: invalid employee numbers, excess pay rate, excess hours

b. An advantage of the test data technique is that the live computer files are not affected in
any way.
4. Integrated Test Facility (ITF)

• An ITF is similar to the test data approach except that the test data is commingled with
live data. (The client’s system is used to process the auditor’s data, on-line.)

a. The test data must be separated from the live data before the reports are created.
This is usually accomplished by processing the test data to dummy accounts (e.g. a
fictitious customer, branch, vendor, etc.)

b. Client personnel are not informed that the test is being run.
5. Parallel simulation (reperformance test)

• This is a technique where the auditor re-processes some or all of the client’s live data (using software provided by the
auditor) and then compares the results with the client’s files. (The auditor’s system is used to process the client’s data.)

a. With controlled processing, the auditor observes an actual processing run and compares the actual results to the
expected results (based on the auditor’s program).
• (i.e. client’s data is run using the client’s actual processing run and using the auditor’s program)

b. With controlled re-processing, the auditor uses an archived copy of the program in question (generally the auditor’s
control copy) to reprocess transactions. The results are then compared to the results from the normal processing run.
(Differences indicate that there may have been changes to the program.)
• (i.e. client’s data is run using client’s normal processing run and using an archived copy of the client’s program)
• Source code comparison programs are programs that compare two versions of software to determine if they
match. This type of software can be used to look for unauthorized program changes.

c. Programs to accomplish parallel processing can be specifically developed for the application, bought as a packaged
program or utility, or produced by a generalized audit software package.
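A parallel simulation in miniature, tied to the withholding tax example given earlier under uniform transaction processing. This is an added example, not part of the original slides: the withholding schedule, the record layout and the client output are constructed, and the client program is assumed to apply 15% where the auditor's schedule says 20%.

```python
from decimal import Decimal, ROUND_HALF_UP

# Assumed withholding schedule: (upper bound of gross pay, flat rate).
AUDITOR_SCHEDULE = [(Decimal("1000"), Decimal("0.00")),
                    (Decimal("3000"), Decimal("0.10")),
                    (None, Decimal("0.20"))]

def auditor_withholding(gross):
    """Auditor's own calculation, independent of the client's program."""
    for upper, rate in AUDITOR_SCHEDULE:
        if upper is None or gross <= upper:
            amount = (gross * rate).quantize(Decimal("0.01"), ROUND_HALF_UP)
            return amount, rate

def parallel_simulation(client_output):
    """Re-process each record; list those where the client's result differs."""
    differences = []
    for rec in client_output:
        expected, rate = auditor_withholding(rec["gross"])
        if expected != rec["withheld"]:
            differences.append({"emp": rec["emp"], "rate": rate,
                                "client": rec["withheld"], "auditor": expected})
    return differences

def differences_by_rate(client_output):
    """Per rate band: (records that differ, records tested).

    A band where every record differs points to a systematic error in
    program logic; a single difference looks like an isolated error.
    """
    summary = {rate: [0, 0] for _, rate in AUDITOR_SCHEDULE}
    differing = {d["emp"] for d in parallel_simulation(client_output)}
    for rec in client_output:
        _, rate = auditor_withholding(rec["gross"])
        summary[rate][1] += 1
        summary[rate][0] += 1 if rec["emp"] in differing else 0
    return {rate: tuple(counts) for rate, counts in summary.items()}

# Constructed client payroll output (not real data).
CLIENT_OUTPUT = [
    {"emp": "E01", "gross": Decimal("900.00"), "withheld": Decimal("0.00")},
    {"emp": "E02", "gross": Decimal("2500.00"), "withheld": Decimal("250.00")},
    {"emp": "E03", "gross": Decimal("4000.00"), "withheld": Decimal("600.00")},
    {"emp": "E04", "gross": Decimal("5200.00"), "withheld": Decimal("780.00")},
    {"emp": "E05", "gross": Decimal("2800.00"), "withheld": Decimal("208.00")},
    {"emp": "E06", "gross": Decimal("3000.00"), "withheld": Decimal("300.00")},
]

if __name__ == "__main__":
    for d in parallel_simulation(CLIENT_OUTPUT):
        print(d["emp"], "client", d["client"], "auditor", d["auditor"])
    for rate, (diff, tested) in differences_by_rate(CLIENT_OUTPUT).items():
        print("rate", rate, ":", diff, "of", tested, "records differ")
```

Grouping the differences by rate band separates the two error types the slides contrast: every record in the 20% band differs, while the 10% band shows one isolated difference.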
Auditing with a computer
An auditor may achieve audit efficiency by utilizing a computer during the audit. For example, financial
statements (and related trial balances and lead schedules) may be entered into a spreadsheet (or possibly a
database) program. Achieving efficiency requires the selection of both appropriate audit tasks and appropriate
software for the selected tasks.

Advantages of using a computer
1. Automatic performance of math on all documents, which reduces errors.
2. Automatic cross-referencing of amounts by linking each lead schedule to the working trial balance and to
the financial statements. (This saves considerable time in posting adjusting journal entries.)
3. Automatic preparation of financial statements, tax return schedules, and consolidating schedules (all of
which save time previously spent typing them, and which makes late changes easier to implement).
4. Reduction in required supervisory review time.
a. Computer printouts are more legible than most handwriting.
b. Once the reliability of the software has been confirmed, less time is required to review and prove such
things as footings, postings, ratio calculations, and cross references.
