
TOPIC 5: AUDITING IN AN IT ENVIRONMENT

Risks and challenges in auditing an IT environment

1. Absence of input documents - Electronic data processing (EDP) refers to the use of automated
methods to process commercial data. Typically, this involves relatively simple, repetitive activities that process
large volumes of similar information. For example: stock updates applied to an inventory, banking
transactions applied to account and customer master files, booking and ticketing transactions applied to an airline's
reservation system, and billing for utility services.

An electronic data processing audit is an evaluation of the accuracy and proper functioning of an
organization's data processing. Data may be entered directly into the EDP system without supporting
documents. In some online transaction systems, written evidence of data entry authorisation (for example,
approval of order entry) may be replaced by procedures such as authorisation controls contained in
computer programmes (e.g. credit approval).

2. Lack of visible audit trail - Certain data may be maintained on computer files only. In a manual
environment, it is normally possible to follow a transaction through the system by examining source
documents, books of account and reports. In an EDP environment, however, the transaction trail may be
partly in machine-readable form, or it may exist only for a limited period of time. The audit trail is lost
because:

- hard copy evidence may not be produced by the computer system;
- historical data may not be retained on computer disks because of the administrative difficulty of keeping several
generations of data;
- data on disks may be corrupted;
- historical data is lost when electronic information is overwritten;
- if several users share the same data, it is hard to track who made changes; and
- sequential numbering, which forms a good audit trail, may be absent in computer systems.

3. Lack of visible output - Certain transactions or results of processing may not be printed. In manual
environments and in some EDP environments, it is normally possible to visually examine the results of
processing. In other EDP environments, the results of processing may not be printed, or only summary
data may be printed. Thus, the lack of visible output may result in the need to access data retained on
computer files that are readable only by the computer, e.g. data stored on diskettes.

4. Accessibility of data and computer programmes - Data and computer programmes can be accessed
and altered by persons using online terminals. Therefore, in the absence of appropriate controls, there is an
increased potential for unauthorised access to and alteration of data and computer programs by persons
inside or outside the entity.

Note: The above limitations indicate that despite the advantages of computerized accounting systems to an
organisation, certain characteristics inherent in these systems represent problems or risks that can only be
addressed by developing and implementing special control mechanisms in the organization’s internal
control systems.

Application controls and general IT controls

General IT controls

These are controls over the environment in which computer-based accounting systems are developed,
maintained and operated. They may take the form of documented policies and procedures that support the
application controls. Their purpose is to ensure the integrity of data, programme files and operations.

Basic general IT controls include:

- Hardware controls and security;
- Controls within the data centre and network operations. These should include controls to alert
management whenever unauthorised people attempt to access the data centre or its information; and
- Controls over program changes.

These will ensure integrity of information and security of data within the computerised systems.

Other general controls include the following:

- Segregation of duties. In a computerised environment, the following functions must be carried out by
separate persons/departments/sections: development of the system, data preparation, data entry, file
library maintenance, control, etc.
- Controls over operators. Operators should have designated areas of access in the system. Use can be made of
passwords.
- No unauthorised change should be made to the accounting programs that process data. This is enforced by issuing
passwords and maintaining a record of all changes made to the system. A physical control can also
be instituted, for example, preventing people from having access to computer terminals.
- Hardware controls and security. There should be protective measures to ensure the safety of the
equipment and data.
- Controls to ensure continuity. File backup systems on site and off site, data recovery procedures,
insurance cover, Business Continuity Planning (BCP) and a Data Recovery Programme (DRP).
- Administrative controls such as user manuals and change management sessions for users of computerised
systems. Password policies and computer usage procedures should be in place.

Application controls

These consist of controls over completeness, accuracy and authorisation of input/processing and
maintenance of master files. Application controls are either manual or automated procedures and operate
at a business process level and apply to the processing of transactions by individual applications within a
computerised environment.

Application controls relate to procedures used to initiate, record, process and report transactions or other
financial data. These controls help ensure that transactions occurred, are authorised and are completely
and accurately recorded and processed.

Application controls may be preventative or detective in nature and are further categorised into input
controls, processing controls, output controls, and master file and standing data controls.

Input controls

These are meant to ensure that the integrity of data entered into the system is maintained, that is, they
ensure that transactions are properly authorised, accurately recorded and complete. Such
controls include:

- batch totals;
- sequential numbering of documents;
- control totals;
- manual scrutiny of documents;
- data validation checks (the software checks the data against set criteria). Examples include
reasonableness checks, for example, the PAYE deduction on one’s salary should not be above 45% of
gross pay; and
- character checks. We don’t expect alphabetic characters in one’s gross salary or amounts payable.

These controls ensure that data being input to the system is accurate and correct and has been authorised.
Many systems are programmed to give an error message when something not in agreement with the set
criteria is being input.
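The input controls listed above, applied to a constructed payroll batch, as an added illustration that is not part of the original notes. The 45% PAYE limit is the reasonableness criterion the notes quote; the batch layout, field names and header format are assumptions.

```python
from decimal import Decimal, InvalidOperation

PAYE_MAX_RATIO = Decimal("0.45")  # reasonableness limit used in the notes (45% of gross)

def parse_amount(value):
    """Character check: an amount field must be numeric; returns None if it is not."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None

def validate_batch(records, header):
    """Apply input controls to one batch; returns a list of (doc_no, message) exceptions.

    records: payroll lines as keyed in (doc_no, gross, paye); header: the batch
    count and gross control total prepared independently before data entry.
    """
    errors, gross_total, expected_no = [], Decimal("0"), None
    for rec in records:
        doc = rec["doc_no"]
        # sequential numbering: a gap or duplicate means a document is missing or repeated
        if expected_no is not None and doc != expected_no:
            errors.append((doc, f"sequence break: expected document {expected_no}"))
        expected_no = doc + 1
        gross, paye = parse_amount(rec["gross"]), parse_amount(rec["paye"])
        if gross is None or paye is None:
            errors.append((doc, "character check: non-numeric amount"))
            continue
        gross_total += gross
        # reasonableness check: PAYE deducted should not exceed 45% of gross pay
        if gross > 0 and paye / gross > PAYE_MAX_RATIO:
            errors.append((doc, f"reasonableness: PAYE {paye} exceeds 45% of gross {gross}"))
    # batch count and control total must agree with the batch header
    if len(records) != header["count"]:
        errors.append((None, f"batch count {len(records)} differs from header {header['count']}"))
    if gross_total != Decimal(header["gross_total"]):
        errors.append((None, f"control total {gross_total} differs from header {header['gross_total']}"))
    return errors

# constructed sample: document 1003 is missing, 1004 has excessive PAYE and
# 1005 has a letter O keyed instead of a zero in the gross field
SAMPLE_BATCH = [
    {"doc_no": 1001, "gross": "2500.00", "paye": "500.00"},
    {"doc_no": 1002, "gross": "3000.00", "paye": "750.00"},
    {"doc_no": 1004, "gross": "2000.00", "paye": "1200.00"},
    {"doc_no": 1005, "gross": "2O00.00", "paye": "400.00"},
]
SAMPLE_HEADER = {"count": 5, "gross_total": "9500.00"}
```

Running `validate_batch(SAMPLE_BATCH, SAMPLE_HEADER)` reports all five exceptions in one pass, so the batch can be rejected and corrected before it reaches processing.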

Processing controls

Processing controls and output controls (accuracy and validity controls) are designed to ensure that the right computer
processes have been applied to the data entered into the computer. They are exercised within the computer.

An example of a programmed control over processing is a run-to-run control. The totals from one
processing run, plus the input totals from the second processing, should equal the result from the second
processing run. For instance, the beginning balances on the receivables ledger plus the sales invoices
(processing run 1) less the cheques received (processing run 2) should equal the closing balances on the
receivables ledger.
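The run-to-run control above carried through in code, as an added example that is not from the original notes. It goes one step beyond the notes by checking each customer account as well as the ledger total, which catches a receipt posted to the wrong account even though the total still agrees; the data and dictionary layout are constructed.

```python
from collections import defaultdict
from decimal import Decimal

def run_to_run_check(opening, invoices, receipts, closing):
    """Run-to-run control over a receivables ledger update.

    opening, closing: {customer: balance} before run 1 and after run 2.
    invoices: (customer, amount) pairs posted in run 1 (added to balances).
    receipts: (customer, amount) pairs posted in run 2 (deducted from balances).
    Returns (total_difference, per_customer_differences). The total is the
    ledger-level control the notes describe; the per-customer breakdown also
    catches offsetting errors that net to zero in the total.
    """
    expected = defaultdict(Decimal)
    for customer, balance in opening.items():
        expected[customer] = Decimal(balance)
    for customer, amount in invoices:   # run 1: opening balances plus sales invoices
        expected[customer] += Decimal(amount)
    for customer, amount in receipts:   # run 2: less cheques received
        expected[customer] -= Decimal(amount)
    differences = {}
    for customer in sorted(set(expected) | set(closing)):
        diff = Decimal(closing.get(customer, "0")) - expected[customer]
        if diff != 0:
            differences[customer] = diff
    total_difference = sum(differences.values(), Decimal("0"))
    return total_difference, differences

# constructed sample: the 150.00 cheque from customer A was posted against customer B
# in run 2, so the ledger total still agrees but the two account balances do not
OPENING = {"A": "1000.00", "B": "500.00", "C": "250.00"}
INVOICES = [("A", "200.00"), ("B", "300.00")]
RECEIPTS = [("A", "150.00"), ("B", "100.00")]
CLOSING = {"A": "1200.00", "B": "550.00", "C": "250.00"}
```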

Output controls

Output controls are designed so that the results ultimately reported as a consequence of the inputting and
processing of data are valid, accurate and complete. Types of such controls include:
- testing and evaluation controls;
- review of exception reports;
- backup facilities to ensure data is properly stored after being input and processed;
- sequential numbering;
- control totals;
- segregation of duties; and
- logic controls, for example, checks on computations and formulae.

Master files and standing data controls

These controls are meant to ensure that master data files are under control and that no unauthorized changes occur.
Examples include checks on the master payroll data, including pay rates for staff. These may be sent
to human resources monthly to confirm that the employees on the payroll master are genuine employees with valid
employee numbers. There should be a review of all changes made to the master files, and changes should only be made
by an authorized person.
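The monthly master file review described above, as an added example that is not from the original notes: two snapshots of a payroll master file are compared against the changes HR approved and the HR register of genuine employees, and every unexplained difference is listed for follow-up. The snapshot layout, employee numbers and rates are constructed.

```python
def review_master_changes(previous, current, approved, hr_register):
    """Compare two snapshots of the payroll master file and list exceptions.

    previous, current: {employee_no: pay_rate} at the start and end of the month.
    approved: {employee_no: new_rate} for changes authorised by HR this month.
    hr_register: set of employee numbers HR confirms as genuine employees.
    """
    unapproved = {}
    for emp, rate in current.items():
        old = previous.get(emp)
        # a rate change is acceptable only if HR approved exactly that new rate
        if old is not None and rate != old and approved.get(emp) != rate:
            unapproved[emp] = (old, rate)
    return {
        "unapproved_rate_changes": unapproved,
        # starters and leavers must each be matched to an HR authorisation
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        # employees being paid but unknown to HR: candidate ghost employees
        "not_on_hr_register": sorted(set(current) - set(hr_register)),
    }

# constructed sample: E02 has an approved rise, E03 an unapproved rise,
# E04 has left, and E99 is paid but is not known to HR
PREVIOUS = {"E01": 10.00, "E02": 12.00, "E03": 15.00, "E04": 11.00}
CURRENT = {"E01": 10.00, "E02": 14.00, "E03": 18.00, "E99": 20.00}
APPROVED = {"E02": 14.00}
HR_REGISTER = {"E01", "E02", "E03", "E04"}
```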

Use of Computer Assisted Audit Techniques (CAATS)

CAATs are computer programs and data that the auditor uses as part of the audit procedures to process
data of audit significance contained in a client's computer information system (CIS).

They are used to test both system (general) controls and application controls. They are applied as part of audit
procedures to process data and obtain the audit evidence that enables the auditor to form an
opinion on the financial statements of the client. Auditors use CAATs to conduct a number of tests, but the
results have to be interpreted by the auditor to reach a conclusion based on the objective of the test.
CAATs may be used to select samples and to perform computations and analyses for the auditor to interpret,
within a very short time.

The audit software may include any of the following packages, depending on the firm's requirements and
what it can afford:

- Generalized audit software. This is tailor-made for the auditor based on the auditor’s requirements
and can be used on different accounting software for different clients. The software will only allow the
auditor to access the client's data; no changes to the data can be made.
- Purpose-written programs. These are specially written programs used where it is not possible to adapt a
package program because of the type of machine, processing or file organisation used.
- Utility programs used by the client. These are used by the entity to perform data processing functions such as
sorting and printing of files.
- Enquiry programs. These are part of the client’s system, often used to sort and print data, and
can be adapted for audit purposes. For example, accounting software may have search facilities on
some modules that could be used for audit purposes to search for all customers with credit balances
(on the customers’ module) or all inventory items exceeding a specified value (on the inventory
module).

Features of good audit software include the:

- ability to reformat the master file to allow the auditor to interrogate the file according to his own requirements;
- computational checks, for example on interest, discounts, etc.;
- verification capabilities on file controls;
- extraction of random samples as required by the auditor; and
- ability to print out the data required by the auditor in his own formats, for example, dates, the person
inputting the data, etc.

Advantages of using CAATs

- CAATs are the only effective way of testing complex systems, especially where large volumes of
transactions take place.
- The use of CAATs enables the auditor to test a much larger population quickly and accurately, and
therefore increases the confidence the auditor has in his opinion.
- CAATs enable the auditor to test the accounting system and its records (i.e., the tapes and disk files)
rather than relying on testing printouts of what they believe to be a copy of those records; that is, they allow
testing of live/actual systems.

Once set up, CAATs are likely to be a cost-effective way of obtaining audit evidence if the enterprise does
not regularly change its systems.

Difficulties in using audit software

- Costs. Ascertaining the relevant controls and constructing the test data from scratch is costly, and it may be very
difficult to identify all relevant conditions.
- Dangers of live testing. This requires careful planning, otherwise data may be corrupted.
- Dangers of testing during a special run. This creates an artificial testing environment. Assurance is
needed that the normal programs and files have been used.
- Recording. The use of test data does not necessarily provide visible evidence of audit work performed.
Working papers should therefore include details of the controls to be tested, an explanation of how they
are to be tested, details of the transactions and files used, details of the predicted results, the actual
results, and evidence that the predicted and actual results have been compared.

Key aspects of computer auditing

This can take several steps:

- Understanding the general controls over the computer system.
- Recording/documenting the controls.
- Risk assessment of the computer controls.
- Deciding what tests will be performed.
- Performing the tests and evaluating the results.
- Reporting/forming an opinion on the audit.

A computer-based system will affect the timing and recording of audit work. The absence of input
documents, audit trail or output will necessitate the use of special audit tools known as CAATs (computer
assisted audit techniques). Broadly, there are two approaches to be considered:

i) Audit around the computer.
ii) Audit through the computer.

These two approaches are explained below.

i) Audit around the computer

This involves substantive testing of computer input and its reconciliation to output. The approach saves
time and cost in the short run especially when coupled with analytical review. It involves input of data,
manual processing and output data.

ii) Audit through the computer

This normally involves the use of audit software and test data. It is usually preferable, although the
auditor does require a higher level of knowledge of EDP. The auditor is required to make detailed contact with the
computer hardware and software. Auditing through the computer will require the auditor to make use of
computer assisted audit techniques (CAATs). An example of audit software is Integrated Data Extraction
Analysis (IDEA).

iii) Computer controls

The main objectives of a strong internal control system, whether in a manual or a computer-based environment, are:

- to ensure the proper and accurate recording of all transactions; and
- to prevent mismanagement, error, fraud and general abuse.

Recall that in an environment without computers, major components of an internal control system have
included such things as:

- separation of duties;
- delegation of authority and responsibility in a clear and unambiguous manner;
- recruitment and training of skilled personnel;
- a system of authorisations;
- adequate documentation to provide the audit trail;
- physical controls over assets and records; and
- management supervision and independent checks on performance.

The challenge is to try and incorporate the above controls in a computer environment i.e. an Electronic
Data Processing (EDP) system. This affects the implementation of these components in several ways and
may involve changing a number of processes.

iv) Systems Development Controls (SDCs)

These are controls over the entire development process for the computer system, from the initial proposal, through
design, testing and implementation, to acceptance of a fully operational system.
In many respects system development controls are the most important: if they are inadequate, the whole
project is at risk. Any system errors may remain undetected for some time and cause countless problems.
Standards must be prescribed for the design, development, testing and implementation of systems,
programmes and amendments.

Step 1: Proper consultation

There must be proper consultation with the following groups before computer systems are developed:

- Management.
- User departments.
- Operators of the system.
- Auditors, internal and external.

Step 2: Clear documentation

There is need to have clear documentation and record of the system so developed. A detailed description
of the computer programme must be compiled. This could take the form of:

- flow charts of clerical and computer procedures;
- specifications for types and forms of input;
- processing details and the handling of errors;
- form of output and its distribution; and
- operational controls and maintenance of the audit trail.

Step 3: Testing

The system so developed must be fully tested to ensure that all programs have been prepared correctly
before it is operated on live data. Systems testing will take the following forms:

- Test packs: using dummy data on the new system.
- Pilot running: running the new system with live data for a limited period of time.
- Parallel running: running the new and old systems concurrently, until it is proven that the new system
can operate satisfactorily.

Step 4: Acceptance

Users, operators and management must accept the system developed.
