SECTION 8 Auditing Complex EDP Systems. Computer used extensively –simple batch processing...

Date post: 12-Jan-2016
Upload: brett-nicholson
SECTION 8

Auditing Complex EDP Systems

Auditing Complex EDP Systems

• Computer used extensively

– simple batch processing

– complex on-line, real-time processing

• Computers affect two aspects of audit risk

– assessing control risk

– managing detection risk

Around vs. Through the Computer

• Around

– manually calculate INPUT and trace to OUTPUT

• Through

– test the controls in the computer

Impact of Computer Controls

• Change in the Audit Trail

– less documentation offset by programmed controls

– file storage reduces need for hard copy

– testing shifts to examination of EDP controls

• Combination of Functions

– computer processing allows combining functions that are usually separate in manual systems

– e.g. input editing of a sales transaction

» customer number

» credit limit

» inventory number and price

Types of EDP Accounting Systems

• Batch Processing

– accumulated and processed in groups

– what is the main form of control?

– the main problem?

Batch Processing System

[Flowchart labels: Input; Convert to machine readable form; T/A Tape; Transactions; Process; Old Master; New Master; Output; Compare Batch Total]

• Real-Time Processing

– transactions are edited on-line as they occur

– continuous file updating

– more complex than batch

– how does this method affect the audit trail?

Batch Processing System

[Diagram labels: Input Terminal; Update; Master File 1; Master File 2; Master File 3]

Time Sharing and Service Bureaus

• Time sharing

– an entity processes data for itself and other entities

» i.e. shares its computer

• Service bureau

– process transactions for other entities

» i.e. this is their business

Separate Files vs. Integrated Data Base

• File System

– main characteristic?

• Data Base

– main characteristic?

Hardware Configurations

• Electronic Data Interchange (EDI)

– on-line format

– computer-to-computer exchange

– public standard format

» Accredited Standards Committee of the American National Standards Institute ANSI X12

Two methods for EDI

1. The Direct Approach

[Diagram labels: Suppliers Computer; Manufacturers Computer]

2. The Indirect Approach

[Diagram labels: Company Computer; Third Party Network; Customer 1; Customer 2; Customer 3]

• Small Computer Systems

– small firms

– low cost and advanced hardware

• Distributed Data Processing

– companies with branches and divisions

– geographic dispersion

A Distributed System

[Diagram labels: Head Office Mainframe; Branch 1 Computer; Branch 2 Computer; Branch 3 Computer; Branch 4 Computer]

– Types of computers at the branches?

Kinds of EDP Controls

• Two main classifications

1. General controls

2. Application controls

General Controls

a. Organization and Operating Controls

– segregation of duties very important

[Organization chart labels: Chief Operating Officer; Director of MIS; EDP Manager; Programmers; Systems Analysts; Computer Operators; Data Control; Data Librarian; Input Preparation]

b. Systems Development & Documentation

– control over definition, design, development, testing, and documentation of systems

– once designed and developed, the system must be thoroughly tested

– systems and programs must be documented

1.

2.

3.

c. Access Controls

– prevents unauthorized use

– batch systems

» who controls access in this case?

– on-line systems

» primary control for access?

d. Data and Procedural Controls

– to control daily operations

– backup files on and off the premises

– environmental controls

Application Controls

– a separate set of controls for each application

– How are application controls classified?

a. Input Controls

– computer edit controls

– ensure completeness and accuracy of input

b. Process Controls

– concerned with data manipulation once it is in the computer

– what type of control can be used as a process control?

c. Output Controls

– verification and distribution of output

Techniques for Testing EDP-Based Controls

• Best to understand as a number of steps as shown in the following flowchart

[Flowchart labels: Understand EDP Controls; Document Understanding; Assess Control Risk; Test further (YES / NO); Test Controls; Design Substantive Tests]

Gaining an Understanding of EDP Controls

Two main ways:

– observation and enquiry

– studying the system and program documentation

1. Observation and Enquiry

– should look for the following:

a. Segregation of functions

b. Control of access to files and programs

c. Approval of new systems and programs

d. Existence of hardware and environmental controls

e. The functioning of data and procedural controls

f. Backup files

2. Systems and Program Documentation

– Documentation is an integral part

– Should include

1.

2.

The Testing of EDP Controls

– Auditor should be able to identify those controls that are necessary for the effectiveness of the application

– by testing these controls, which component of audit risk may be reduced?

– Two ways to look at testing

1.

2.

1. Auditing Around the Computer

[Diagram: Client Input → CPU → Client Output; Client Input → Auditor Predetermines Output → Predetermined Output; Client Output and Predetermined Output → Audit Comparison]

2. Auditing Through the Computer

[Diagram: Auditor Input → CPU → Output; Auditor Input → Auditor Predetermines Results → Predetermined Results; Output and Predetermined Results → Comparison]

Techniques for Auditing Through the Computer

1. Test Data Approach

– simulated data

– of what should this data consist?

– main problems of this approach

1.

2.
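
Added example (not part of the original slides): the test data approach applied to the sales-transaction input edit mentioned earlier (customer number, credit limit, inventory number and price). The routine `client_edit`, the master data and the test deck are all constructed for illustration; the deck mixes valid and invalid simulated transactions, each with the auditor's predetermined result, and every mismatch is reported as an exception.

```python
# Constructed master data standing in for the client's files (hypothetical values).
CUSTOMERS = {"C100": {"credit_limit": 5000.0, "balance": 4200.0},
             "C200": {"credit_limit": 1000.0, "balance": 0.0}}
INVENTORY = {"I-01": 25.00, "I-02": 310.00}   # inventory number -> list price


def client_edit(txn):
    """Stand-in for the client's input edit routine (hypothetical).

    Deliberate defect: the credit check ignores the outstanding balance.
    """
    cust = CUSTOMERS.get(txn["customer"])
    if cust is None:
        return "REJECT:customer"
    price = INVENTORY.get(txn["item"])
    if price is None:
        return "REJECT:item"
    if txn["price"] != price:
        return "REJECT:price"
    if txn["qty"] * price > cust["credit_limit"]:
        return "REJECT:credit"
    return "ACCEPT"


# Auditor's test deck: each simulated transaction carries the predetermined result.
TEST_DECK = [
    ({"customer": "C200", "item": "I-01", "qty": 10, "price": 25.00}, "ACCEPT"),
    ({"customer": "C999", "item": "I-01", "qty": 1, "price": 25.00}, "REJECT:customer"),
    ({"customer": "C200", "item": "I-77", "qty": 1, "price": 25.00}, "REJECT:item"),
    ({"customer": "C200", "item": "I-02", "qty": 1, "price": 31.00}, "REJECT:price"),
    ({"customer": "C200", "item": "I-02", "qty": 4, "price": 310.00}, "REJECT:credit"),
    # Within the limit on its own, over the limit once the balance is counted.
    ({"customer": "C100", "item": "I-02", "qty": 3, "price": 310.00}, "REJECT:credit"),
]


def run_test_deck(edit_routine, deck):
    """Process the deck through the routine and return every mismatch."""
    exceptions = []
    for number, (txn, expected) in enumerate(deck, start=1):
        actual = edit_routine(txn)
        if actual != expected:
            exceptions.append((number, expected, actual))
    return exceptions


if __name__ == "__main__":
    for number, expected, actual in run_test_deck(client_edit, TEST_DECK):
        print(f"test {number}: predetermined {expected}, system produced {actual}")
```
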

2. Mini Company Approach

– also called the Integrated Test Facility

– a fictitious entity is created

– fictitious transactions are processed along with regular transactions

– any problems with this approach?

3. Simulation / Auditor’s Program Approach

– Auditor creates an application program that simulates the system

– uses client data as input

– potential uses of this approach

» sampling

» computations

» comparing

» summarizing

4. Generalized Audit Software

– most common type of audit software

– transportable from one client to another

– independent

– limited by the availability of the client's data files

Small Computer Systems

• Widespread

• Weaknesses in General Controls

1. Lack of segregation of duties

2. Location of the computer

3. Limited Knowledge of EDP

• Special Consideration for Application Controls

1. Data Entry

2. Data processing

3. Absence of Limit and Reasonableness Tests

• Study and Evaluation of Internal Control

– The effect of computer size on the auditor

– General controls are often weak

– More reliance on application controls

– If application controls and any manual controls are not reliable, what should the auditor do with regard to testing?