Controls in the Electronic Environment

McGraw-Hill/Irwin
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.
Module H
Auditing in a Computerized
Environment
"To err is human, but to really foul things up you need a
computer."
Paul Ehrlich, Technology commentator
Mod H-2
Impact of Computerized
Processing
• Issues introduced in a computerized environment
1. Input errors
2. Systematic vs. random processing errors
3. Lack of an audit trail
4. Inappropriate access to computer files and programs
5. Reduced human involvement in processing
transactions
• Consider controls over computerized processing
in understanding, assessment, and testing phases
of evaluation of internal control
Mod H-3
Types of Computer Controls
• General Controls
– Relate to all applications of a computerized
processing system (pervasive)
– Deficiencies will affect processing of various types of
transactions
• Automated Application Controls
– Relate to specific business activities
– Directly address management assertions
Mod H-4
Categories of General
Controls
1. Hardware controls
– Data not altered or modified as transmitted
through system
2. Program development controls
– Program acquisition and development
properly authorized
– Programs tested and validated before being
placed in use
Mod H-5
Categories of General
Controls (continued)
3. Program change controls
– Program changes are properly authorized and
conducted consistent with entity policies
– Programs have appropriate documentation
4. Computer operations controls
– Relate to processing of transactions and backup
and recovery of data
– Includes separation of duties of analysts,
programmers, and operators
Mod H-6
Categories of General
Controls (continued)
5. Access to programs and data controls
– Relate to restricting use of programs and
data to authorized users
– Examples include passwords, automatic
terminal logoff, and reviewing access rights
and comparing to usage
Mod H-7
Types of Automated
Application Controls
1. Input controls
2. Processing controls
3. Output controls
Mod H-8
Input Controls
• Provide reasonable assurance that
– All transactions input
– Transactions input once and only once
– Transactions input accurately
• Examples
– Data entry and formatting
– Check digits
– Record counts
– Batch totals
– Hash totals
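
The check digit, record count, batch total and hash total controls listed above, shown working together on one batch. This is an added example, not part of the original slides; the Luhn check-digit scheme, the function names and the sample batch are assumptions chosen for illustration.

```python
from decimal import Decimal

def luhn_valid(number: str) -> bool:
    """Check-digit test. The Luhn scheme is an assumption; the slides name no scheme."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def control_totals(batch):
    """Record count, batch total (sum of amounts) and hash total (sum of account
    numbers, a figure with no meaning except as a control)."""
    return {
        "record_count": len(batch),
        "batch_total": sum((Decimal(amt) for _, amt in batch), Decimal("0")),
        "hash_total": sum(int(acct) for acct, _ in batch if acct.isdigit()),
    }

def check_batch(header, batch):
    """Return a list of exceptions; an empty list means the batch agrees with its header."""
    exceptions = [f"check digit failed: {acct}" for acct, _ in batch
                  if not luhn_valid(acct)]
    actual = control_totals(batch)
    for name, expected in header.items():
        if actual[name] != expected:
            exceptions.append(f"{name}: expected {expected}, got {actual[name]}")
    return exceptions

# Constructed sample data: (account number, amount) pairs as submitted for entry.
SUBMITTED = [("79927398713", "150.00"), ("1002005", "75.25"), ("20030045", "20.00")]
HEADER = control_totals(SUBMITTED)   # totals prepared before data entry

# The same batch as keyed: two digits transposed in the first account number,
# and the last record entered twice.
KEYED = [("79927389713", "150.00"), SUBMITTED[1], SUBMITTED[2], SUBMITTED[2]]

if __name__ == "__main__":
    for line in check_batch(HEADER, KEYED):
        print(line)
```

The transposed account number is caught twice (check digit and hash total), while the duplicate record is caught by the record count and the batch total, which is why these controls are used in combination.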
Mod H-9
Processing Controls
• Provide reasonable assurance that
– Transactions are processed accurately
– All transactions are processed
– Transactions are processed once and only once
• Examples
– Test processing accuracy of programs
– File and operator controls
– Run-to-run totals
– Control total reports
– Limit and reasonableness tests
– Error correction and resubmission
Mod H-10
Output Controls
• Provide reasonable assurance that
– Output reflects accurate processing
– Only authorized persons receive output or have
access to files generated from processing
• Examples
– Review of output for reasonableness
– Control total reports
– Master file changes
– Output distribution limited to appropriate
person(s)
Mod H-11
Auditing in a Computerized
Environment
• Auditing “around” the computer
– Reconcile input with output produced by computer
processing
– Do not directly evaluate operating
effectiveness of computer controls
– Appropriate when computer is not used extensively
and computer controls are limited
• Auditing “through” the computer
– Evaluate operating effectiveness of computer controls
and logic of computer processing
– Appropriate when computer is used extensively and
client has implemented significant computer controls
Mod H-12
Testing Computer Controls
• Testing controls
– Inquiry
– Observation
– Inspect documentary evidence
– Reperformance
• Evaluating computer processing and programs
– Test processing of actual transactions
– Test processing of simulated transactions
Mod H-13
Techniques Using Actual
Transactions
• Audit teams evaluate controls by “observing”
processing of actual transactions through
computerized system in a typical processing run
• Program-embedded techniques
– Special modules coded into computer programs
– Examples include tagging, embedded audit modules,
snapshot, monitoring systems activity, extended
records, and program analysis techniques
• Parallel simulation
Mod H-14
Techniques Using Simulated
Transactions
[Diagram: auditors' manual processing compared with client system processing]
• Test data: Tested in a separate processing
run by client
• Integrated test facility: Simulated data
processed along with actual data
Mod H-15
Benchmarking
• Audit team tests operating effectiveness of
automated application controls to establish
baseline
• Can continue to rely on automated application
controls if:
– Test general controls related to program changes,
access to programs and data, and computer
operations
– General controls continue to operate effectively
– Automated application controls have not changed
since the baseline
Mod H-16