How do auditors use computers in performing audit?
CHAPTER 13 Show COMPUTER ASSISTED AUDIT TECHNIQUES (CAATS) Topic list
Learning outcomes By the end of this chapter, you should be able to:
Introduction Most audit clients would be using computers to process accounting transactions, and for financial reports production. In this chapter we look at how the client’s computerized systems impacts their operations. These computerized systems present unique controls as compared to manual accounting system; hence we later look at controls in a computerized accounting environment. When a client uses computers to process accounting transactions it is an opportunity for auditors to know how these computers can be used in the audit of a set of historical financial statements. Advancement in technology has enabled the development of computer assisted audit techniques (CAATs), which auditors are using now for example in testing controls e to audit are also covered in this chapter. Concepts like ‘auditing in the computer’ and ‘auditing around the computer’ are highlighted while advantages and disadvantages of CAATs are provided. 1 Effects of computerization of the client entity’s systems and processes;
Features of computerised accounting systemsA computerised accounting system has unique features as compared to manual accounting system.
2 Effect of computers on the work of auditorThe client may use a computer to produce all or part of the financial accounting data. The auditor may be able to use a computer to assist in his audit, particularly, when the client has a computer system. When the auditors note that the client system on which they are to audit are computerized the auditors should:
2.1 Uses of computers in managing an audit engagementComputers affect the work of the auditor in two ways. The client may use a computer to produce all or part of the financial accounting data. Secondly the auditor may be able to use a computer to assist in his audit, particularly, when the client has a computer system. Auditors can use computers in the following ways (a) Flowcharting client’s systems.
Auditors should also properly plan and determine the best or suitable approach to their computerized clients by considering ‘auditing around the computer’ and ‘auditing through the computer’. 2.1.1 Audit around the Computer This audit approach assumes that auditors could fulfill their function without having any detailed knowledge of what is happening inside computers. Audit tests concentrate on inputs and their corresponding outputs, ignoring the processing procedures within computer programs. This can be a suitable approach where there is less risk of misstatements or where auditors have limited knowledge of programs and are satisfied that they can still obtain sufficient and reliable evidence from these sources only. 2.1.2 Audit through the Computer This involves an examination of the detailed processing routines of the computers to determine whether they are adequate and reliable in processing of date. Typically, auditors use computer assisted audit techniques (CAATs), discussed below, to achieve this task.
There are two classifications general controls and application controls. 3.1 General controls These controls cover the general environment within which application controls operate. Such controls can be expected to be relevant to all applications. The objective of such controls is to ensure the integrity of application development and implementation and to ensure that computer operations are properly administered to protect hardware, programs and data files. 208 The Auditing Guideline envisages controls in the following areas and the control objectives for each area: (a) Controls over systems development (application development) To ensure developments are fully authorised. To ensure proper standards are followed during development. To ensure changes are properly tested and documented.
To ensure changes are made accurately. (d) Controls to ensure continuity of operations
3.1.1 Control techniques for general controls
Prior authorisation
Password protection
Back up files procedures Record of amendments Protecting against fire for subsequent checking and theft Physical protection of files Maintenance agreements
Several Copies Application controls They cover the transaction and master files which are specific to an individual application. they consist of both manually – performed and computer-performed controls. Their objective is to ensure the completeness and accuracy of all processing and the validity of the accounting entries made. They fall under the following six main headings and the control objectives for each are: (1) Completeness of input
(2) Accuracy of input To identify the accuracy of data fields on input transactions. (3) Authorisation of input
(4) Controls over processing (updating)
(5) Control over output
(6) Controls over master files
The control techniques for application controls under six headings are shown below. 3.2.1 Control techniques for application controls It should be noted that techniques which control the accuracy of input and processing will help to control master file data. As master file standing data items are used many times over in processing they take on a greater importance than transaction data and more costly controls such as one-for-one checks may be justified. 3.3 Some controls explained
Designed to limit accesses to computer room, for example.
The creation and updating of an identical back-up disk for every disk in the system.
The need for a filing system, each disk should be labelled clearly following a certain pattern.
This is manual checking to control data on disk. It is normally carried out after data has been keyed onto the disk for the first time. Mistakes identified during proofing should be corrected and corrections proofed.
When a disk contains information that should not be widely available (eg; data concerning salaries) it is possible to hide it, using a password.
Most computers have their own internal controls and calendars and will automatically fill in a program’s requests concerning time and date.
Controls designed to ask the user if he/she is sure that the deletion command was intentional for example.
A means of control in that they ascertain whether or not a number is valid. The computer will detect if the number is ever input incorrectly eg; through transposition. (i) Batch totals A batch (or control) total is the sum of one of the numerical fields on the documents in the batch eg; total of the sales invoice values. The computer calculates the batch total and this is compared with the manually calculated total.
Works in a similar manner as batch total. Unlike the batch total the value of the hash total is meaningless but it is still useful for control purposes to detect errors on input or omissions (eg; a total of customer account numbers).
The program will check to ensure that the data input is reasonable given the type of input it is eg; hours recorded for a week should fall between 30 and 50.
The computers will check to ensure that the data input is valid by checking that the entity already exists in the system.
Data input fields can be compared with other fields for reasonableness eg; check that tax is a sensible amount as compared with the net amount. 3.4 The relationship between application and general controls It may be appropriate for the auditor to concentrate upon application controls before deciding how far to proceed with examining general controls. The reasons for this are as follows:
There are, however, certain reasons for still considering general controls may be highly relevant to the auditor:
Auditing guideline sets out these basic rules relating to audit testing of controls:
computer environment are poor, then the programmed application controls within it will be worthless. 4 Use of Computer Assisted Audit Techniques (CAATs)These are audit techniques that use computer applications as the primary tool. Uses generally include sampling, statistical analyses and exception reporting. The internal audit department uses specialized software for this purpose. 4.1 Audit softwareAudit software comprises computer programs used by the auditor to examine an enterprise’s computer file. It may consist of generalized package programs, specially written programs or the client’s own programs. 4.1.1 Generalised package programsThese are programs already written either by the auditor or a specialist software company which are designed to be used on different types of machines. They need to be tailored to each specific case by defining the format of the files to be interrogated and by specifying the parameters of output data required and the form of that output. In some cases supplementary program coding is required. 4.1.2 Specially written programsIn some cases it is not possible to adapt program due to the type of machine, processing or file organisation used. In such cases a purpose-written program is required. It could be written by the auditor himself, by a software specialist or by the client acting on the instructions of the auditor. In all cases it should be fully tested before being used ‘live’. 4.1.3 The client’s own programs (‘enquiry programs’)These can often be useful to the auditor. For example, when using a terminal it is necessary to use the existing enquiry programs to refer to data held on files, or to obtain a print-out of parts of a file. In many cases, however, the client’s own programs will not provide all the facilities needed by the auditor. It is likely that the team responsible for writing the enquiry programs produced the rest of the system and there is therefore a danger that the defects apply to all such programs in the system. Uses of audit softwareAudit software may be used during many audit testing procedures. Its use is particularly appropriate during substantive testing of transactions and balances, as it may scrutinise large volumes of data and extract information leaving skilled manual resources to concentrate upon the investigation of the results. Typical uses of such programs include:
Here the program adds the value of open items on a file to ensure that they agree with control records which are maintained.
The program checks all accounts on the sales ledger to ensure that no customer has a balance above a specified credit limit.
This is a check that no customer is allowed trade discount of more than 50%, or that no sales ledger balance is more than total sales made to that customer.
This involves obtaining a statistical analysis of stock movements to identify slow-moving items.
This involves obtaining a stratified sample of sales ledger balances to be used as a basis for a debtors circularisation.
This does checking continuity of sales invoices to ensure they are all accounted for. Difficulties in using computer audit programs
There will be substantial set-up costs even in using a generalised package. This is because the client’s procedures and files need to be investigated thoroughly prior to identifying audit tests. The use of specially written programs will be even more expensive.
These can mean costly alterations to the programs or at least require the programs to be run regularly during the year to test the system at different dates.
There may be no suitable audit software package for use on mini-computer or microcomputer installations. Software documentation may be incomplete so that it is very difficult to identify all procedures. It may be impossible to justify and hence recover the cost of specially written audit software.
There may be a tendency to produce over-elaborate enquiry programs which are expensive to develop, take up considerable computer running time and extensive reviewing time. The auditor should be able to justify the costs of using the program to the benefit in audit terms of its use.
An enquiry program may produce huge quantities of output. This may be because the system is wrong or the enquiry program was badly designed. To avoid this problem some packages can be set to terminate after a given number of items have been included in the count. The auditor must distinguish between cases when he has merely misjudged the parameters and obtained too large a sample and cases where the print-out is long because lots of items are wrong. In the latter case he must follow the audit work through and consider the implications of the problems encountered.
The audit software only tests the files against which it is run. It is therefore preferable to use the software on the actual files of the client. The permission of the client is needed and the software must be carefully tested prior to its use on ‘live’ data. An alternative approach is to run the programs against copies of the data file. To be valid there must be adequate general controls to ensure that the client uses the same file. Provided this is so the use of copy files enables the auditor to be more flexible in deciding when to test and to retain the copy files for further testing. 4.2 Test data Audit test data consists of data submitted by the auditor for processing by the client’s computer-based accounting system. It may be processed during a normal production run (running test data ‘live’) or during a special run at a point in time outside the normal cycle (running the test data ‘dead’.) Test data could be held in the form of a batch of documents put through the system to test both manual and computer controls. It is more often meant to refer to data recorded on magnetic tape or disk used to test programmed controls. Its primary use is in the testing of application controls. Note that the use of test data is not confined to the external auditor. It is a method used by programmers, analysts and internal auditors as part of systems development and monitoring procedures. There may be scope for co-operation between internal and external auditor in creating such test data. Use of test data There are three major approaches:
At its simplest level the auditor could use real data that has been processed which involves the controls he wants to test. The auditor should then predetermine the results which he would expect from the processing of the data. Later checks are done to confirm that the actual processing has been carried out in the expected way and investigate any differences. This method is not usually feasible. The auditor will usually want to use a collection of normal, exceptional and even absurd data to test controls. He is unlikely to find all these conditions in a batch of data. The vast bulk of day-to-day items will contain few exceptions and no absurd data. It would take the auditor a long time to find a suitable range of data items to use.
The auditor constructs a series of dummy transaction which contain the required condition. These are processed along with normal data. Actual results are then compared with predetermined results. This method has the advantage of producing a realistic test environment. The client’s actual programs and data files are being used in the test. The dangers of this method are, however, considerable. Computer-generated documentation may have to be intercepted before it is released. There may be a need to reverse the transactions after testing to eliminate the effects of test data. This may be time-consuming and require program amendments. It may distort management information by swelling the number of cancelled orders and credit notes. It would indeed be ironic if a client’s accounting records were corrupted by the auditor’s own test data. Therefore great care is needed in planning and controlling the test.
In this method the auditor creates special data and uses it against copies of the client’s data files. The dangers associated with ‘live’ testing are therefore largely eliminated although the interaction of one file with another must still be carefully considered. It is still essential to obtain the client’s permission which reduces the independence of the test. It is also necessary to obtain assurance that the program being used in the test is identical to that used by the client for production runs and not a special program kept aside for the auditor’s use! Difficulties in using audit test data
There may be considerable costs involved in ascertaining the relevant controls and in constructing test data from scratch. It may be very difficult to identify all relevant conditions. The need to predetermine the results manually may be both time-consuming and tedious. These costs, however, are normally substantially less than for audit software.
Test data is likely to be confined to tests of control and therefore may be less valuable in audit terms than using audit software.
Careful planning and control is needed to expurgate the test data from the records. iv Dangers from testing during a special run If special test runs are used, an artificial testing environment is created. Assurance is needed that the normal programs and files have been used.
The use of test data does not necessarily provide visible evidence of the audit work performed. Working papers should therefore include details of the controls to be tested, an explanation of how they are to be tested, details of the transactions and files used, details of the predicted results, the actual results and evidence of the predicted and actual results having being compared. 4.3 Other techniques There are other more sophisticated techniques do exist and they could be tested perhaps in part of a question. Try to grasp the main principles and don’t spend too much time on this section. In many cases the techniques were first developed for internal purposes e.g. during program development. They often require considerable IT expertise to be used accurately. 4.3.1 Integrated test facilities (ITF) This is an extension of the test data technique. The system is designed at the output stage to handle audit test data without unwanted side effects. The auditor uses test data, input as part of a normal run, and applied to ‘dummy’ test records held on master files. The weakness of this is that there is a danger of test data being subject to special procedures which are not applied to normal transactions. ITF allows test data to be left in the system to see what happens eg; a dummy sale record eventually creates an overdue sales ledger balance. The auditor can use ITF to carry out regular testing of the system without using a special test run and indeed without being present during processing. ITF is used largely to test application controls. 4.3.2 Embedded audit facilities A wide variety of terms is used to describe this technique, including ‘intergrated audit monitors’, ‘resident audit software’ and ‘intergrated audit modules’. It consists of a module of a computer program written by the auditor which is incorporated into the client’s computer system either temporarily or permanently. This technique allows tests to be made at the time the data is being processed. It is ‘real time auditing’. it is useful where the audit trail is deficient so that historical audit work is difficult, or where files are constantly being updated eg; in a real time or database system. The facilities may allow results to be printed immediately or to be written onto tape or disk for later evaluation by the auditor. This technique may achieve the following objectives:
4.4 Considerations affecting use The main issues the auditor needs to consider whether to use CAATs are.
4.5 Advantages and disadvantages of Computer Assisted Audit Techniques Using CAATs can benefit the auditor in a number of ways as noted below. 4.5.1 Advantages of Computer Assisted Audit Techniques (i) In a computer-based system the large volume of transactions is likely to force the auditor to rely upon programmed controls. CAATs are likely to be the only effective way of testing programmed controls.
(v) Careful planning by the auditor should enable the results of his work using 4.5.2 Disadvantages of Computer Assisted Audit Techniques However, using CAATs has its challenges, which are listed below.
(Visited 782 times, 1 visits today) What are the 5 kinds of computer assisted audit techniques?CAATs include many types of tools and techniques, such as generalized audit software, customized queries or scripts, utility software, software tracing and mapping, and audit expert systems.
How auditing can be carried out in a computerized environment?Audit test data is used to test the existence and effectiveness of controls built into an application program used by an audit client. As such, dummy transactions are processed through the client's computerised system.
|