McGraw-Hill/Irwin

Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

Module H
Auditing in a Computerized Environment
"To err is human, but to really foul things up you need a computer. Paul Ehrlich, Technology commentator

Mod H-2

Impact of Computerized Processing

Issues introduced in a computerized environment
1. 2. 3. 4. 5. Input errors Systematic vs. random processing errors Lack of an audit trail Inappropriate access to computer files and programs Reduced human involvement in processing transactions

Consider controls over computerized processing in understanding, assessment, and testing phases of evaluation of internal control

Mod H-3

Types of Computer Controls

General Controls
Relate to all applications of a computerized
processing system (pervasive)

Deficiencies will affect processing of various types of

transactions

Automated Application Controls

Relate to specific business activities Directly address management assertions

Mod H-4

Categories of General Controls

1. Hardware controls
Data not altered or modified as transmitted through system

2. Program development controls

Program acquisition and development properly authorized

Programs tested and validated before being placed in use

Mod H-5

Categories of General Controls (continued)

3. Program change controls
Program changes are properly authorized and conducted consistent with entity policies Programs have appropriate documentation

4. Computer operations controls

Relate to processing of transactions and backup and recovery of data Includes separation of duties of analysts, programmers, and operators

Mod H-6

Categories of General Controls (continued)

5. Access to programs and data controls
Relate to restricting use of programs and data to authorized users

Examples include passwords, automatic terminal logoff, and reviewing access rights and comparing to usage

Mod H-7

Types of Automated Application Controls

1. Input controls 2. Processing controls 3. Output controls

Mod H-8

Input Controls
Provide reasonable assurance that
All transactions input Transactions input once and only once Transactions input accurately

Examples
Data entry and formatting Check digits Record counts Batch totals Hash totals
Mod H-9

Processing Controls
Provide reasonable assurance that
Transactions are processed accurately All transactions are processed Transactions are processed once and only once

Examples
Test processing accuracy of programs File and operator controls Run-to-run totals Control total reports Limit and reasonableness tests Error correction and resubmission

Mod H-10

Output Controls
Provide reasonable assurance that
Output reflects accurate processing Only authorized persons receive output or have access to files generated from processing

Examples
Review of output for reasonableness Control total reports Master file changes Output distribution limited to appropriate person(s)
Mod H-11

Auditing in a Computerized Environment

Auditing around the computer Reconcile input with output produced by computer processing Do not evaluate directly evaluate operating effectiveness of computer controls Appropriate when computer is not used extensively and computer controls are limited Auditing through the computer Evaluate operating effectiveness of computer controls and logic of computer processing Appropriate when computer is used extensively and client has implemented significant computer controls
Mod H-12

Testing Computer Controls

Testing controls
Inquiry Observation Inspect documentary evidence Reperformance

Evaluating computer processing and programs

Test processing of actual transactions Test processing of simulated transactions

Mod H-13

Techniques Using Actual Transactions

Audit teams evaluate controls by observing processing of actual transactions through computerized system in a typical processing run
Program-embedded techniques
Special modules coded into computer programs Examples include tagging, embedded audit modules, snapshot, monitoring systems activity, extended records, and program analysis techniques

Parallel simulation
Mod H-14

Techniques Using Simulated Transactions

Auditors Manual Processing Compare Client System Processing

Test data: Tested in a separate processing run by client Integrated test facility: Simulated data processed along with actual data
Mod H-15

Benchmarking
Audit team tests operating effectiveness of automated application controls to establish baseline Can continue to rely on automated application controls if:
Test general controls related to program changes, access to programs and data, and computer operations General controls continue to operate effectively Automated application controls have not changed since the baseline
Mod H-16