Thursday, January 19, 2012

AUDIT MANUAL: Auditing Under Computer Information System (CIS) Environment

Dear Readers,

You may download the *.PDF format file of the said Audit Manual from the link given below. Once the file is downloaded, type in the password "CSINGH".

https://skydrive.live.com/redir.aspx?cid=af664bb412b1fb02&resid=AF664BB412B1FB02!1272&parid=AF664BB412B1FB02!1270&authkey=!AOz9rFxitwC1GqI


INTRODUCTION

Ø  Now-a-days, the corporate world is getting more and more inclined towards the use of information technology (IT) and computer information systems (CIS) in their daily operations.

Ø  This has changed the manner in which organisations carry out their operations and various business processes.

Ø  This has further led to a change in the nature of the audit evidence generated by each financial transaction.

Ø  The method of collection and evaluation of audit evidence has also changed.

Ø  This requires auditors to possess reasonable knowledge about EDI, SDLC, CASE tools and the various hardware & software used in the organisation.

SCOPE OF AUDIT IN CIS ENVIRONMENT / IMPACT OF CIS ON AUDITING

The use of CIS in various organisations has had a drastic impact on audit approaches, techniques, the risks involved and internal control methods. The following factors (risks) must be given due consideration while framing an audit plan for an organisation:
1.       High speed and automatic initiation/execution of transactions: In a CIS environment, transactions are processed instantly. Once a transaction is fed into the system, it might get executed automatically without requiring authorisation. Similarly, reports (even complex ones) can be generated at a very high speed and can be viewed by multiple users at a time. This gives rise to many security issues.
2.       Uniform processing of transactions, hence low clerical error: While feeding input, processing transactions and generating outputs, the computer system performs multiple checks on data at each point of time. Moreover, transactions are processed in a uniform manner. Hence the clerical errors generated are minimised. However, there is a shift from human-generated errors towards system-generated errors.
3.       Unintentional or system-generated errors: As discussed earlier, there is a shift in the nature of errors from human-generated to system-generated. Such errors occur due to a lack of experienced personnel, and are mainly related to the development, maintenance and execution of the CIS.
4.       Inexperienced personnel: Now-a-days, technological advancement is occurring at a very fast pace. It has created a deficit of expert staff who understand the current technology, both at the client end as well as the auditor end.
5.       Concentration of duties: Under a CIS environment, more than one kind of task/function can be performed by an individual. This leads to difficulty in the segregation of duties among individuals. Consequently, it also gives rise to a number of security issues.
6.       Lack of audit trail: In a computerised system, the processing of a transaction takes place instantly. This leads to loss of the audit trail. Thus, the auditor needs to apply some alternative procedure to compensate for the loss of audit trail.

Audit Trail: It can be defined as a step-by-step record by which a transaction can be traced.

The auditor may apply one of the following methods to compensate the loss of audit trail:

         i.       Special/Exceptional Reports: The auditor may ask the client to arrange special reports and print-outs. E.g.: sales orders for the month of December & March; purchase orders that have been short-closed by the purchase department.

       ii.       Tagging and Tracing:

o   It is a method of compensating the audit trail.

o   It involves tagging the client’s input data such that only the relevant data is highlighted on the screen, which then needs to be verified by the auditor.

o   E.g.: cash payments of more than ₨.20,000/-; debtors outstanding for more than 3 months; purchase orders pending for more than 30 days from the expected delivery date; etc.

      iii.       Alternative Review Procedures (ARP): It includes a number of methods to compensate for the audit trail, such as:

o   Auditors’ judgement: budgeting the figures and comparing them with actual figures.

o   Ratio analysis / checking critical ratios. This implies calculating certain ratios on the basis of budgeted data or previous period’s data or data from similar industries and comparing them with the actual data of the client organisation.

o   Testing on total basis: if individual items can’t be checked in detail then auditor may take totals of reasonable chunks of data and check accordingly.

o   Clerical recreation: Auditor may manually generate certain figures that have been generated by the system (automatically).

     iv.            Use of CAAT: The auditor may take the help of white-box audit approach or CAATs.
7.       Auditor’s participation in SDLC and dependence on other (manual) controls: As noted, the audit trail is constrained in a CIS environment; thus a computerised information system lacks the reasonableness checks of a manual one. An information system of an organisation can only be effective if it has a reasonable level of audit facilities integrated into it. Hence the participation of the auditor in the SDLC is highly important. Moreover, the auditor may also use certain manual methods while performing the audit.
8.       Internal control environment & management supervision: The success of CIS highly depends upon the involvement of management in the development and maintenance of the CIS. Under a CIS environment, the risk of fraud & error is relatively high. Thus higher management supervision and a better internal control environment are required.
9.       Use of CAAT: The audit under a CIS environment cannot be carried out effectively by traditional (manual) approaches. Since the processing of transactions in a CIS environment is fast and complicated, the audit must be carried out using computer assisted audit techniques (CAAT). This requires a reasonably good amount of IT skills on the part of the auditors.
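As an added illustration (not part of the original manual), the following Python script produces the kind of exception report described under Tagging and Tracing above: it tags the three cases the text lists (cash payments over ₨.20,000, debtors outstanding for more than 3 months, purchase orders pending more than 30 days past expected delivery) over a constructed set of records. The cut-off date, the records, the reading of "more than 3 months" as 90 days and the record type names are assumptions made for the example.

```python
"""Tagging exceptions in client data, in the manner of 'Tagging and Tracing'.

Added example, not part of the original manual. The records, the cut-off
date and the 90-day reading of "more than 3 months" are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CASH_LIMIT = 20_000          # cash payments above this amount are tagged
DEBTOR_AGE_DAYS = 90         # "more than 3 months" taken as 90 days (assumption)
PO_OVERDUE_DAYS = 30         # pending more than 30 days past expected delivery


@dataclass(frozen=True)
class CashPayment:
    voucher: str
    paid_on: date
    amount: float


@dataclass(frozen=True)
class DebtorInvoice:
    invoice: str
    debtor: str
    invoiced_on: date
    outstanding: float            # balance still unpaid at the cut-off date


@dataclass(frozen=True)
class PurchaseOrder:
    po: str
    expected_delivery: date
    received_on: Optional[date]   # None while the goods are still pending


def tag_cash_payments(payments):
    """Cash payments strictly above the limit: a payment of exactly
    Rs.20,000 is not 'more than' the limit and is left untagged."""
    return [p.voucher for p in payments if p.amount > CASH_LIMIT]


def tag_old_debtors(invoices, as_of):
    """Invoices with an unpaid balance older than DEBTOR_AGE_DAYS at as_of."""
    return [i.invoice for i in invoices
            if i.outstanding > 0
            and (as_of - i.invoiced_on).days > DEBTOR_AGE_DAYS]


def tag_overdue_orders(orders, as_of):
    """Orders not yet received more than PO_OVERDUE_DAYS after expected delivery."""
    return [o.po for o in orders
            if o.received_on is None
            and (as_of - o.expected_delivery).days > PO_OVERDUE_DAYS]


def exception_report(payments, invoices, orders, as_of):
    """The tagged items the auditor would see highlighted for verification."""
    return {
        "cash_over_limit": tag_cash_payments(payments),
        "debtors_over_3_months": tag_old_debtors(invoices, as_of),
        "orders_overdue": tag_overdue_orders(orders, as_of),
    }


# Constructed sample data for a 31 March 2012 cut-off.
CUT_OFF = date(2012, 3, 31)
PAYMENTS = [
    CashPayment("CP-001", date(2012, 3, 2), 15_000),
    CashPayment("CP-002", date(2012, 3, 5), 25_000),    # over the limit
    CashPayment("CP-003", date(2012, 3, 20), 20_000),   # exactly at the limit
]
INVOICES = [
    DebtorInvoice("INV-101", "A Ltd", date(2011, 11, 15), 8_000),  # 137 days old
    DebtorInvoice("INV-102", "B Ltd", date(2012, 2, 10), 5_000),   # 50 days old
    DebtorInvoice("INV-103", "C Ltd", date(2011, 10, 1), 0),       # already settled
]
ORDERS = [
    PurchaseOrder("PO-7", date(2012, 2, 1), None),                 # 59 days overdue
    PurchaseOrder("PO-8", date(2012, 3, 15), None),                # 16 days overdue
    PurchaseOrder("PO-9", date(2012, 1, 5), date(2012, 1, 20)),    # received
]

if __name__ == "__main__":
    for test, items in exception_report(PAYMENTS, INVOICES, ORDERS, CUT_OFF).items():
        print(f"{test}: {items}")
```

Each criterion is a separate function so that the auditor can document, and later re-run, exactly which rule tagged a given item; the boundary cases (a payment of exactly the limit, a settled invoice, an order that has been received) are deliberately included in the sample so that the "more than" wording of each rule is visibly honoured.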

IMPACT OF CHANGES ON BUSINESS PROCESS

1.       EDI: Electronic Data Interchange, as the name suggests, means the exchange of data/information/documents from one user to another electronically (with the help of computers). In other words, EDI is the computer-to-computer exchange of documents/information in a public standard format. Under the EDI framework, once a transaction (data) is fed into a computer, many records are automatically updated. There is no need to re-enter the data into the accounting system. This saves a lot of time & effort and enables an error-free transaction processing system (TPS).
2.       Process of recording transactions: Unlike a manual system, where a transaction goes through a sequence of steps in order to get recorded in the principal books [Entry → Ledger → Final Accounts (Balance Sheet and Profit & Loss Account)], under a CIS environment the above mentioned three processes are carried out simultaneously.
3.       Accounting / Transaction Processing System: As mentioned above, the CIS mechanism leads to the abandonment of the maintenance of primary records.

Batch Processing (Old Concept)

o   It is a simple system and somewhat like the traditional manual system.

o   In this process transactions are accumulated and processed in groups.

o   In this, files are not updated quickly.

o   E.g.: An accountant accumulates all the cash receipt vouchers for the day and updates his accounting records by the end of the working day.

OLRT / RTOL System (New Concept)

o   OLRT – On-Line / Real-Time.

o   Under this system transactions are processed as soon as they occur.

o   All the records are updated simultaneously on occurrence of a transaction.

o   E.g.: On issue of a sales invoice, the sales ledger and the debtors’ ledger are updated automatically.

o   Software packages like Tally, SAP, etc. work like this.

Time Sharing & Service Bureau (Distinct & New Concept)

o   Time sharing is a situation where a single computer serves more than one user.

o   A service bureau is an organisation which processes transactions on behalf of its client organisations.

o   E.g.: a service bureau handling payroll (including ESI/PF) for a small company.

o   If an organisation uses the services of a service bureau, then the auditor must obtain reasonable evidence in support of the controls exercised by the client organisation over the activities performed by the service bureau.

o   Nowadays, many accounting firms carry out this kind of activity.
4.       Data Storage / file system: The data storage facilities and filing system of the organisation have gone through drastic changes as a result of changes in the style of carrying out business processes.
Flat File System (Old Concept)

o   In a few words, in a flat file system users own their own data and are responsible for their respective data files.

o   It leads to data redundancy and repetition of tasks.

o   E.g.: Try and visualise the admission system of a government college, where you are asked to fill up a hand-written form.

Ø On the basis of this form, the Admission Officer makes an entry in his register (Book-1) and asks you to deposit the fees with the Cashier.

Ø Now the Cashier takes the fees, passes a receipt entry in his cash register (Book-2) and issues a Cash Receipt.

Ø Finally, you present the Cash Receipt to the Admission Officer and he issues you the Admit Card and registers your name in the Students’ Register (Book-3).

Ø Later on the Accounts Officer will update his own accounting records (Book-4) on the basis of the Cash Book & Students’ Register maintained by the above mentioned two officers.

o   It is evident from the above example how one simple transaction needs to be recorded in 4 separate sets of books kept by separate users.

Integrated Database System (New Concept)

o   In this, the transaction is entered only once and the data corresponding to the transaction is shared by multiple users.

o   It works on client-server technology / topology.

o   It contains a set of interrelated files. When input is fed from one end, the master file (server) itself gets updated. This master file can be retrieved by more than one user (clients). Hence it reduces data redundancy.

o   E.g.: A person sitting at the sales office issues a Sales Invoice to a customer. Under this system the master files related to Sales and Debtors are automatically updated. A person sitting in the back office can check the Sales data or outstanding debtors at any time.

o   This kind of system is mainly used with On-Line / Real-Time Systems.
5.       Organisational structure: Since organisations now depend very heavily on CIS, there is a need for a separate department (group of people) to take care of the IT needs of the organisation. Some of the personnel are listed below:
   i.     EDP Manager: is responsible for the overall management and administration of the IT department.
  ii.     Data Administrator: ascertains the data requirements of the various users of the information system in the organisation.
 iii.     Database Administrator: is responsible for the operational efficiency and security of the organisational database.
  iv.     System Analyst: takes care of the information requirements of the users for new as well as existing applications; designs the information system architecture to meet these requirements; facilitates implementation of information systems and maintains documentation.
   v.     System Programmer: is responsible for the maintenance of operating system (OS) software, network and hardware requirements.
  vi.     Application Programmer: designs new programs and modifies existing ones to meet the data processing needs; removes errors from and improves the efficiency of existing application software.
 vii.     Operations Specialist: plans and controls the day-to-day issues of the users of information which emerge during the normal course of work.
viii.     Librarian: maintains the library of magnetic media and documentation.
6.       Modified internal control base: In a CIS environment, since most of the processes are automated, the probability of occurrence of error substantially increases. Moreover, the risk of fraud is higher in a CIS environment, as it is less easily identifiable. Thus, there is a shift in the internal control base in a CIS environment as compared to a traditional manual system. Following are the two main categories of internal control required in a CIS environment:
A.      General EDP Controls: Overall controls over the EDP environment.

 i.      Organisational & Management Controls: These controls are designed to establish an organisation-wide framework for CIS activities. It includes:

o   Designing appropriate control policies & procedures;

o   Properly segregating duties among various individuals.

 ii.      System Software Controls: These controls are meant to provide assurance that system software is acquired or developed in an authorised manner. It includes:

o   Authorisation, approval, testing, implementation and documentation of new system software and system software modifications;

o   Restriction of access to system software and documentation to authorised personnel.

iii.      Application System Development & Maintenance Controls: These controls are designed to provide assurance that systems are developed and maintained in an authorised and efficient manner, and also to establish control over:

o   testing, conversion, implementation and documentation of new or revised systems;

o   changes made to application systems;

o   access to system documentation;

o   acquisition of application systems from third parties.

iv.      Computer Operation Controls: These help in controlling the operations of the computer system. They assure that:

o   The systems are used for authorised purposes only.

o   Access to computer operations is restricted to authorised personnel.

o   Only authorised programs are used.

o   Processing errors are detected and corrected on a timely basis.

v.      Data Entry & Program Controls: These assure that:

o   Access to data and programs is restricted to authorised personnel.

o   An authorisation structure is established over transactions being entered into the system.

B.      EDP Application Controls: Specific controls over specific applications.

   i.     Control Over Inputs: These controls are drawn up to assure that:

o   Transactions are properly authorised before being processed by the computer.

o   There are adequate checks installed in the input form to assure the correctness of the data entered by the users.

o   Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.

 ii.     Control Over Processing & Data Files: These controls ensure that:

o   Transactions are properly processed by the computer.

o   Transactions are not lost, added, duplicated or improperly changed.

o   Processing errors are identified and corrected on a timely basis.

iii.     Control Over Output: They assure that:

o   Results of processing are complete, accurate and delivered through the right media.

o   Outputs so generated satisfy the requirements of the user.

o   Access to output is restricted to authorised personnel.
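The processing and data-file controls above require that transactions are neither lost, added, duplicated nor improperly changed. The following Python script, added here and not taken from the manual, shows one way an auditor could test that over a constructed input batch and the file the system produced from it. The batch-control totals it uses (record count, amount total and a hash total over document numbers) are a conventional batch-control technique assumed for the example, not a procedure the text prescribes; the sample data is constructed.

```python
"""Checking that a processed batch has not lost, added, duplicated or
changed any transaction (Control Over Processing & Data Files).

Added example, not part of the original manual. Both batches are
constructed; the control-total technique is assumed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    doc_no: str      # document number, expected to be unique in a batch
    account: str
    amount: float


def control_totals(batch):
    """Record count, amount total and hash total over the numeric part
    of the document numbers (a hash total has no accounting meaning; it
    only changes when a document is dropped, repeated or added)."""
    return {
        "count": len(batch),
        "amount": round(sum(t.amount for t in batch), 2),
        "hash": sum(int("".join(ch for ch in t.doc_no if ch.isdigit()) or "0")
                    for t in batch),
    }


def reconcile(input_batch, processed):
    """Compare the input batch with the file the system produced from it."""
    by_doc_in = {t.doc_no: t for t in input_batch}
    seen = Counter(t.doc_no for t in processed)
    # Duplicated: the same document number processed more than once.
    duplicated = sorted(d for d, n in seen.items() if n > 1)
    # Lost: in the input batch but absent from the processed output.
    lost = sorted(d for d in by_doc_in if d not in seen)
    # Added: in the processed output but never in the input batch.
    added = sorted(d for d in seen if d not in by_doc_in)
    # Changed: present in both, but with a different account or amount.
    changed = sorted({t.doc_no for t in processed
                      if t.doc_no in by_doc_in and t != by_doc_in[t.doc_no]})
    return {
        "input_totals": control_totals(input_batch),
        "processed_totals": control_totals(processed),
        "lost": lost, "added": added,
        "duplicated": duplicated, "changed": changed,
        "clean": not (lost or added or duplicated or changed),
    }


# Constructed batches: the processed file has the same record count as the
# input, so a count check alone would pass, yet one transaction was dropped,
# one was posted twice and one amount was altered.
INPUT_BATCH = [
    Txn("T0001", "4100", 100.00),
    Txn("T0002", "4100", 250.00),
    Txn("T0003", "5200", 75.00),
    Txn("T0004", "5200", 300.00),
]
PROCESSED = [
    Txn("T0001", "4100", 100.00),
    Txn("T0002", "4100", 250.00),
    Txn("T0002", "4100", 250.00),   # duplicated
    Txn("T0004", "5200", 310.00),   # amount changed; T0003 was lost
]

if __name__ == "__main__":
    for key, value in reconcile(INPUT_BATCH, PROCESSED).items():
        print(f"{key}: {value}")
```

The point the sample makes is that a record count alone is a weak processing control: a lost record and a duplicated record cancel out in the count, and only the amount and hash totals, together with the document-level comparison, reveal what actually happened.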

AUDIT APPROACH IN CIS ENVIRONMENT

There have been drastic changes in audit approaches and methodologies as a result of the emergence of the CIS environment. The selection of an approach depends upon the knowledge base and expertise of the auditors. There are mainly two approaches for auditing in a CIS environment, explained as follows:
A.      Black-box Approach (Auditing around the computer): In this approach, the auditor is mainly concerned with the inputs fed in by the client and the output generated by the system. The auditor completely ignores the internal processing of the information system.
For example, while testing the payroll of a company under the black-box approach, the auditor may first find out the total monthly hours worked by selected employees from their respective time cards and then check the salary/wage rate from the rate card to find out the salary/wage payable to each employee. On the basis of the above, the auditor ascertains his own output by comparing hours, rates, extensions, overtime & leave. Finally, the auditor compares his own results with the system-generated results.
The biggest advantage of auditing around the computer is its ease and simplicity, since the auditor does not require in-depth knowledge of the system application programs in order to perform his duties.
On the contrary, a major disadvantage is that, under this approach, the auditor is completely ignorant of the internal processes of the system. Moreover, for certain complex processing, print-outs cannot be arranged on which to apply the audit procedures.
B.      White-box Approach (Auditing through the computer): Under this approach, the auditor is not only concerned with the subject matter of the audit (i.e. inputs and outputs), but also with the internal processing of the computer system. This includes various audit procedures performed with the help of audit software and computer aided audit techniques (CAAT).

CAAT: COMPUTER AIDED/ASSISTED AUDIT TECHNIQUE

Under a CIS environment, auditing cannot be carried out effectively using traditional / conventional and manual auditing techniques. Auditing through the computer requires the use of various audit software packages and some computer assisted audit techniques.

AUDIT SOFTWARE

The use of CAAT allows the auditor to test the reliability and credibility of the client’s information system without much dependence upon the client’s software. Now-a-days, there are plenty of audit software options available to the auditor, with the help of which he can perform his audit independently and effectively. This audit software may include package programs, purpose-written programs, utility programs or system management programs. These programs are explained as follows:
  I.     Package Programs:
o   These are generalised computer software packages.
o   These packages come with a lot of generalised features and utilities, which can be used at many clients’ sites.
o   Since these software packages are highly generalised and are available across the globe, one does not face compatibility issues. Almost all organisations maintain a certain level of compatibility with these programs.
o   E.g.: MS-Excel is the most common example of such a program.
 II.     Purpose-written Programs:
o   These programs are created to perform audit tasks of a specific nature.
o   These packages are not available for sale in the open market. The auditor is required to get these programs developed.
o   The auditor may appoint some outside agency to develop the program on his behalf (outsourcing) or he may himself hire programmers and get it built in-house.
o   While choosing the purpose-written program option, the auditor must take the cost-related issues into consideration.
III.     Utility Programs:
o   These programs are used to perform common data processing functions such as sorting; sampling; documenting; creating, emailing & printing files/reports, etc.
o   Although these are not specifically designed for audit purposes, they can be extremely useful while performing the audit.
o   E.g.: Adobe’s Acrobat Reader; Microsoft Office also consists of certain utility programs such as MS-Access, MS-Word, MS-PowerPoint, etc.
 IV.     System Management Software:
o   These software/programs are also not specifically meant for audit purposes.
o   These are productivity tools, meant to enhance the performance of the operating system.
o   E.g.: Disk Defragmenter, Task Manager, Task Scheduler, Disk Clean-up, etc. are some examples of system management software.

USES OF CAAT

CAAT may be used to perform following audit procedures:
1.       Detailed and in-depth test of transactions and balances: The auditor can check transactions in depth and in detail, since he can select a larger sample size. There is a lot of time saving while applying CAAT, so he may devote more time to analysing a transaction.
2.       Application of complex analytical review procedures: The auditor can perform complex procedures and calculations with the help of CIS. He may also extract detailed and complex reports to support his procedures.
3.       Application of statistical sampling techniques to extract the relevant data: While extracting data from the client’s information system, the auditor can take the help of complex statistical and scientific techniques in order to improve the quality and prudence of the sample selected. Application of statistical and scientific methods is almost impossible without the help of computer systems. E.g.: MS Excel is an application program that contains a number of statistical and mathematical formulae and techniques.
4.       Test of general EDP controls: The auditor may check various input controls; processing controls; output controls; data storage, transmission and security controls. The auditor can check the access rules and procedures.
5.       Test of application controls: The auditor can check the functioning of the various applications installed and running in the system. The auditor may check the authenticity of various application programs.
6.       Re-performing calculations and processing: The auditor can also re-perform calculations performed by the client’s accounting system.
7.       Better reporting methods: Under a CIS environment a number of reporting techniques are available to the auditor. The auditor can use various graphical designs and multimedia techniques in order to make his report effective, concrete and more eye-catching. E.g.: MS PowerPoint is one of the software packages used to prepare presentations.

CONSIDERATIONS IN USE OF CAAT

While planning an audit with the help of CAAT, the auditor must take care of the following factors:
1.       IT knowledge and experience of the audit team: Both the auditor and the audit team should have sufficient skills and experience to handle an audit using CAAT.
2.       Availability of relevant audit software and suitable computer facilities: The auditor can use CAAT and maintain independence only if he has sufficient infrastructure, in the form of computer hardware and audit software, available with him. Otherwise the cooperation and assistance of the client entity’s personnel will be required.
3.       Impracticability of manual tests: Now-a-days, many organisations are adopting eco-friendly approaches while performing business operations. Moreover, many computer information systems perform tasks where no hard-copy evidence is generated, making it impractical for the auditor to perform the tests manually.
4.       Effectiveness and efficiency: With the help of CAAT, it is possible to test a large number of transactions together with a better level of precision. This brings efficiency and effectiveness to the performance of the audit assignment.
5.       Time constraint: The auditor is required to perform the assignment in a limited time span, whereas a large amount of data (such as transaction details and reports) needs to be stored for such a short audit period. Thus the auditor is required to make arrangements for the retention and retrieval of data.
6.       Detection of fraud and error: CAAT allows the auditor to plan and execute the audit work more effectively with the help of sophisticated audit software. But under a CIS environment, frauds are intentional and generally deep-laid. Moreover, there are chances that some frauds are highlighted, but there is no concrete evidence to prove the same. Thus it cannot be said that auditing through the computer will increase the probability of detection of fraud.
7.       Use of CAAT in small organisations: In a small business organisation, the use of CAAT might not be a cost-effective and viable alternative. This is for two reasons: first, the revenue per assignment is not very large, and second, the client entity might not have the appropriate technical infrastructure to run CAAT.

STEPS INVOLVED IN APPLICATION OF CAAT

Following steps are required to be undertaken by the auditor in effective application of CAAT:
1.       set the objective of CAAT application;
2.       determine the content and accessibility of the entity’s files;
3.       determine the scope: identify the specific files or databases to be examined;
4.       understand the relationship between the data tables where a database is to be examined;
5.       define the specific tests or procedures and related transactions and balances affected;
6.       define the output requirements;
7.       arrange files & databases: arrange with the user and IT departments, if appropriate, for copies of the relevant files or database tables to be made at the appropriate cut-off date and time;
8.       audit team: identify the personnel who may participate in the design and application of CAAT;
9.       cost effectiveness: refine the estimates of costs and benefits;
10.   follow-up: ensure that the use of CAAT is properly controlled;
11.   arrange the administrative activities, including the necessary skills and computer facilities;
12.   reconcile data to be used for CAAT with the accounting and other records;
13.   execute CAAT application;
14.   evaluate the results;
15.   document CAATs to be used including objectives, high level flowcharts and run instructions; and
16.   assess the effect of changes to the programs/system on the use of CAAT.

TESTING CAAT

Before applying or completely relying on CAAT, the auditor must first obtain reasonable assurance of the integrity, reliability, usefulness and security of CAAT through appropriate planning, design, testing, processing and review of documentation. There are many testing methods; some of them are listed below:
1.       Test Data: The auditor enters the test data into the entity’s computer system and compares the result with predetermined results.
2.       Test Packs: It involves testing a set of data, chosen by the auditor from the entity’s system and testing it separately from the normal processing procedure.
3.       Integrated Test Facility: In this approach, auditor establishes a dummy unit, into which test transactions are posted during the normal processing cycle of the entity. However, these dummy entries are eliminated later on.
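The following Python script is an added example, not the manual's own, that ties the black-box payroll illustration given earlier (recomputing pay from time cards and the rate card and comparing it with the system's figures) to the test-data and integrated test facility methods listed above: the auditor's predetermined result for a test transaction is checked against the system output, and the dummy unit's entries are removed afterwards. Employee records, rates, the system output, the 1.5× overtime multiplier and the dummy unit code ITF-DUMMY are all constructed assumptions.

```python
"""Re-performing payroll (black-box approach), checking test data against
predetermined results, and removing the integrated test facility's dummy
unit afterwards.

Added example, not part of the original manual. Employees, rates, system
output, the overtime multiplier and the dummy unit code are constructed."""
from dataclasses import dataclass

OVERTIME_MULTIPLIER = 1.5      # assumption: overtime paid at 1.5x the rate
DUMMY_UNIT = "ITF-DUMMY"       # assumed code of the ITF dummy cost centre


@dataclass(frozen=True)
class TimeCard:
    employee: str
    unit: str
    normal_hours: float
    overtime_hours: float


def expected_pay(card, rate_card):
    """Auditor's own computation: hours x rate, overtime at the multiplier."""
    rate = rate_card[card.employee]
    return round(card.normal_hours * rate
                 + card.overtime_hours * rate * OVERTIME_MULTIPLIER, 2)


def recompute_payroll(cards, rate_card):
    """Black-box re-performance for every selected employee."""
    return {c.employee: expected_pay(c, rate_card) for c in cards}


def discrepancies(system_output, recomputed):
    """Employees whose system-generated pay differs from the auditor's figure."""
    return sorted(e for e, pay in recomputed.items()
                  if system_output.get(e) != pay)


def check_test_data(system_output, predetermined):
    """Test data method: compare the entity's result with results fixed
    in advance, before the run."""
    return discrepancies(system_output, predetermined)


def remove_dummy_unit(cards):
    """ITF clean-up: drop the test transactions posted to the dummy unit so
    they do not contaminate the real payroll."""
    return [c for c in cards if c.unit != DUMMY_UNIT]


# Constructed payroll for one month: two real employees in PLANT-A plus one
# auditor's test transaction posted to the ITF dummy unit.
RATE_CARD = {"E1": 100.0, "E2": 120.0, "TEST-1": 100.0}
TIME_CARDS = [
    TimeCard("E1", "PLANT-A", 160, 10),
    TimeCard("E2", "PLANT-A", 152, 0),
    TimeCard("TEST-1", DUMMY_UNIT, 100, 5),   # ITF test transaction
]
# What the client's payroll system printed; E2 carries a transposition error
# (18420 instead of 18240).
SYSTEM_OUTPUT = {"E1": 17500.0, "E2": 18420.0, "TEST-1": 10750.0}
# Result for the test transaction, predetermined by the auditor before the run.
PREDETERMINED = {"TEST-1": 10750.0}

if __name__ == "__main__":
    recomputed = recompute_payroll(TIME_CARDS, RATE_CARD)
    print("re-performance discrepancies:", discrepancies(SYSTEM_OUTPUT, recomputed))
    print("test data mismatches:", check_test_data(SYSTEM_OUTPUT, PREDETERMINED))
    print("real time cards after ITF clean-up:",
          [c.employee for c in remove_dummy_unit(TIME_CARDS)])
```

The test transaction passes (the system produced the predetermined 10,750), which gives assurance about the processing logic, while the re-performance over real time cards still finds the transposed figure for E2; the two methods answer different questions, which is why the manual lists them separately. The last step strips the dummy unit, as the text requires for an integrated test facility.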

MEASURES TO EXERCISE CONTROL OVER CAAT APPLICATIONS

Most of the audit procedures performed using CAAT are highly automated and machine driven. Moreover, many a time a situation may occur where the auditor also requires the cooperation of the client entity’s IT staff, who have extensive knowledge of the computer installation. In such circumstances, there is a chance of the client’s staff inappropriately influencing the CAAT results. Thus, while applying CAAT in audit procedures, due care and control must be exercised. The following points are important to consider:
o   The kind of audit procedure that needs to be performed by CAAT;
o   Review the entity’s general controls that may affect the integrity of CAAT, for example, controls over program changes and access to computer files. When such controls cannot be relied on to ensure the integrity of CAAT, the auditor may consider processing CAAT application at another suitable computer facility; and
o   Ensure appropriate integration of the output by the auditor into the audit process, and later on in drawing audit conclusions and reporting.
The success or failure of auditing with CAAT highly depends upon the degree of control exercised on the overall application of CAAT. The control over the CAAT applications can be:
  I.     Control Over Software Application:
a.       Participation in design and testing of CAAT: The success of CAAT significantly depends upon the participation of the principal auditor in the design and testing of CAAT.
b.      Checking the coding: Wherever applicable, detailed checking of the program’s coding to ensure that it is in line with the program specification.
c.       Compatibility with the client’s system: Asking the client entity’s IT staff to check the compatibility of the audit software with the operating system used in the client’s information system.
d.      Testing the software: Before running the audit software on the main system’s data files, the software must be run on small test files on a different system.
e.      Testing the test results: The results of the above test.
f.        Addressing the security issues: The auditor must establish appropriate security measures to safeguard the integrity and confidentiality of the client’s data.
g.       Regular follow-up: Sufficient evidence must be obtained so as to ensure that the audit software is functioning as planned, and also to ensure that there is proper vendor support.
 II.     Control Over Test Data:
a.       Controlling the sequence in which the test data needs to be sent.
b.      Initially performing the test runs with small chunks of test data, before submitting the main audit test data.
c.       Predicting the results of the test data and comparing them with the actual test data output.
d.      Confirming that the current version of the programs was used to process the test data.
e.      Ensuring that the client entity used the same version of the software throughout the audit period on which the audit is being conducted.
f.        Making sure that the dummy entries which were fed into the system while performing the audit are deleted.
The auditor should keep one thing in mind while performing the audit: “CAAT is one of the ‘solutions’ for audit and not the ‘substitute’ for audit.”
