Impact of computers on auditing

In this chapter we look, in greater detail, at how computers have affected the way in which auditors assess audit risks and, consequently, how they determine their audit approach.

Since the 1970s, SAIs around the world have seen a large increase in the number of clients using computers to process transactions and prepare their financial statements. The move towards more automated financial systems has had an impact on the way auditors carry out their work. The impact can be summarized under four main headings:

1. Changes in the audit trail and audit evidence;
2. Change in the internal controls environments;
3. New opportunities and mechanisms for fraud and error; and
4. New audit procedures.

Each of these effects is discussed in these notes.

1 Changes in the audit trail and audit evidence

The existence of an audit trail is a key financial audit requirement, since without an audit trail, the financial auditor may have extreme difficulty in gathering sufficient, appropriate audit evidence to validate the figures in the client’s accounts.

Data retention and storage

A client’s storage capabilities may restrict the amount of historical data that can be retained “online” and readily accessible to the auditor. If the client has insufficient data retention capacities, the auditor may not be able to review a whole reporting period’s transactions on the computer system. For example, the client’s computer system may save on data storage space by summarizing transactions into monthly, weekly or period end balances.

If the client uses a computerized financial system, all or part of the audit trail may only exist in a machine readable form. Where this is the case, the auditor may have to obtain and use specialized audit tools and techniques which allow the data to be converted and interrogated. Computerized financial data is usually stored in the form of 1s and 0s, i.e. binary, on magnetic tapes or disks.
It is not immediately obvious to the auditor what the 1s and 0s mean. The data must be translated into ‘normal’ text by an additional process before it can be read and understood by the auditor. Since there are various formats for representing electronic data, the auditor must find out what format the client has used, e.g. simple binary, hexadecimal, ASCII or EBCDIC, etc.

2 Change in the type and nature of internal controls

The internal controls within a client’s financial systems, both manual and computerized, can be divided into several categories.

· Personnel: whether or not staff are trustworthy, if they know what they are doing and if they have the appropriate skills and training to carry out their jobs to a competent standard.
· Segregation of duties: a key control in any financial system. Segregation basically means that the stages in the processing of a transaction are split between different people, such that one person cannot process a transaction through from start to finish. The various stages in the transaction cycle are spread between two or more individuals.
· Authorization procedures: to ensure that transactions are approved. In some on-line transaction systems written evidence of individual data entry authorization, e.g. a supervisor’s signature, may be replaced by computerized authorization controls such as automated controls written into the computer programs (e.g. programmed credit limit approvals).
· Record keeping: the controls over the protection and storage of documents, transaction details, audit trails etc.
· Access to assets and records: In the past, manual systems could be protected from unauthorized access through the use of locked doors and filing cabinets. Computerized financial systems have not changed the need to protect the data. A client’s financial data and computer programs are vulnerable to unauthorized amendment at the computer or from remote locations. The use of wide area networks, including the Internet, has increased the risk of unauthorized access. The nature and types of control available have changed to address these new risks.
· Management supervision and review: Management’s supervision and review helps to deter and detect both errors and fraud.

The next issue to consider is how these basic types of control differ in a computerized environment. For example:

Segregation of duties: segregation of duties in a computerized system is different from segregation of duties in a manual system. In the manual accounting system, the auditor was primarily concerned with segregation of duties in the finance department. However, in a computerized system, the auditor should also be concerned with the segregation of duties within the IT department. Within an IT environment, the staff in the computer department may be the only client staff with a detailed knowledge of the interrelationship between the source of data, how it is processed, and the distribution and use of output. It is possible that the client’s IT personnel will be aware of any control weaknesses which exist. IT staff may also be in a position to alter transaction data or even the financial applications which process the transactions. This gives them the knowledge and means to alter data; all they would then require is a motive.

Concentration of programs and data: Transaction and master file data (e.g. pay rates, approved suppliers lists etc.) may be stored in a computer readable form on one computer installation or on a number of distributed installations. Computer programs such as file editors are likely to be stored in the same location as the data. Therefore, in the absence of appropriate controls over these programs and utilities, there is an increased risk of unauthorized access to, and alteration of, financial data. The computer department may store all financial records centrally.
For example, a large multinational company and its offices in many locations may store all its computer data in just one centralized computer centre. In the past, the financial information would have been spread throughout a client’s organization in many filing cabinets.

If a poorly controlled computer system were compared to a poorly controlled manual system, it would be akin to placing an organization’s financial records on a table in the street and placing a pen and a bottle of correction fluid nearby. Without adequate controls anyone could look at the records and make amendments, some of which could remain undetected.

3 New causes and sources of error

System generated transactions

Financial systems may have the ability to initiate, approve and record financial transactions. This is likely to become increasingly common as more organizations begin to install expert systems and electronic data interchange (EDI) trading systems. The main reason clients are starting to use these types of system is that they can increase processing efficiency (for example, if a computer system can generate transactions automatically there will be no need to employ someone to do it manually, and hence lower staff costs).

Automated transaction processing systems can cause the auditor problems, for example when gaining assurance that a transaction was properly authorized or in accordance with delegated authorities. The auditor may need to look at the application’s programming to determine if the programmed levels of authority are appropriate.

Automated transaction generation systems are frequently used in ‘just in time’ (JIT) inventory and stock control systems: when a stock level falls below a certain number, the system automatically generates a purchase order and sends it to the supplier (perhaps using EDI technology).

Systematic Error

Computers are designed to carry out processing on a consistent basis.
Given the same inputs and programming, they invariably produce the same output. This consistency can be viewed in both a positive and a negative manner. If the computer is doing the right thing, then with all other things being equal, it will continue to do the right thing every time. Similarly, if the computer is doing the wrong thing and processing a type of transaction incorrectly, it will continue to handle the same type of transactions incorrectly every time.

Therefore, whenever an auditor finds an error in a computer processed transaction, (s)he should be thorough in determining the underlying reason for the error. If the error is due to a systematic problem, the computer may have processed hundreds or thousands of similar transactions incorrectly.

5 New audit processes

Within a computerized environment the auditor may be required to adopt a different audit approach to gain sufficient audit evidence to provide an opinion on the financial statements. For example, new procedures to cope with different internal controls, new causes of errors or the different nature of audit trails. The new audit processes and procedures may include the use of computer assisted audit techniques (CAATs).
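
A small CAAT that ties together two points from these notes: translating a machine readable extract (EBCDIC or ASCII) into readable records, and re-performing a calculation over every transaction to tell a systematic error from an isolated one. This is an added example, not part of the original notes; the record layout, the tax rates, the sample data and the rule "every transaction of a type is wrong means systematic" are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed (hypothetical) fixed-width layout: id(6) type(3) net_cents(7) tax_cents(6)
LAYOUT = (("txn_id", 6), ("txn_type", 3), ("net", 7), ("tax", 6))
RECORD_LEN = sum(width for _, width in LAYOUT)
TAX_PCT = {"STD": 20, "RED": 5}  # assumed approved rates, in percent

def detect_encoding(raw: bytes) -> str:
    """Guess the text encoding from the leading digit field of the first record."""
    head = raw[:6]
    if all(0x30 <= b <= 0x39 for b in head):   # ASCII digits
        return "ascii"
    if all(0xF0 <= b <= 0xF9 for b in head):   # EBCDIC digits
        return "cp037"                         # a common EBCDIC code page
    raise ValueError("unrecognised encoding; ask the client for the file layout")

def parse_extract(raw: bytes) -> list[dict]:
    """Translate the machine readable extract into readable transaction records."""
    if not raw or len(raw) % RECORD_LEN:
        raise ValueError("extract is empty or not a whole number of records")
    text = raw.decode(detect_encoding(raw))
    records = []
    for start in range(0, len(text), RECORD_LEN):
        rec, pos = {}, start
        for name, width in LAYOUT:
            rec[name] = text[pos:pos + width]
            pos += width
        rec["net"], rec["tax"] = int(rec["net"]), int(rec["tax"])
        records.append(rec)
    return records

def reperform_tax(records: list[dict]) -> dict:
    """Recompute tax for every record and classify errors per transaction type."""
    totals, wrong = defaultdict(int), defaultdict(list)
    for rec in records:
        expected = (rec["net"] * TAX_PCT[rec["txn_type"]] + 50) // 100  # round half up
        totals[rec["txn_type"]] += 1
        if rec["tax"] != expected:
            wrong[rec["txn_type"]].append(rec["txn_id"])
    return {
        t: {"checked": n, "wrong": wrong[t],
            "finding": "systematic" if len(wrong[t]) == n
                       else "isolated" if wrong[t] else "none"}
        for t, n in totals.items()
    }

# Constructed sample: six records, encoded as EBCDIC the way a client extract might be.
SAMPLE = "".join(["000001STD0010000002000", "000002RED0020000004000", "000003STD0005000001000",
    "000004RED0008000001600", "000005RED0001000000200", "000006STD0030000006100"]).encode("cp037")
```

Calling reperform_tax(parse_extract(SAMPLE)) reports every "RED" transaction as wrong (the standard rate was applied to all of them) and a single "STD" transaction as wrong, which is the distinction the auditor needs before deciding how far to extend testing.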
Notice: These notes are intended to be a supplement, not a substitute, to attending class.