Chapter 17: Computer Audits
ACCT620 Internal Accounting
Otto Chang, Professor of Accounting


Design-Phase Audit
- Review documentation (system design and users’ manuals) for completeness
- Assess the adequacy of security
- Review the cost/benefit analysis prepared during planning. Is it reasonable?
- Appraise the appropriateness of applications
- Test compliance with described design procedures

Design-Phase Audits--continued
- Compare actual costs and benefits to estimates
- Compare operations to stated objectives by emphasizing:
  - Timeliness and comprehensiveness of output
  - Effectiveness of edit and logic checks
  - Demand for EDP, operating efficiency
  - Fulfillment of user’s need, adequate personnel

Planning for Computer Audits
- The materiality of EDP: how often, and how important, is it to audit the EDP operation?
- The hardware configuration: determines what type of procedures and generalized audit software will be used
- Coordinating with computer personnel: for access to and use of computers
- Note: The auditor must refrain from actually participating in the design of the computer system

The Preliminary Survey
- Security control: limits access to sensitive equipment and data
- Safeguard control: protects computers
- Physical document control: pre-numbered forms and protection of records and data
- Design specification control: is the system properly designed to meet the objectives?

Preliminary Survey--continued
- Risk exposure control:
  - Continuous monitoring: periodic testing and review reports on usage, turnaround, service
  - System risk: system failure, programming error, unauthorized alteration
  - Maintenance control: adequately maintained?
- Systems software control: are echo checks, run-to-run totals, “read-only” control enacted?

Preliminary Survey--continued
- Procedural control: do operations follow the procedures manual?
- Application control:
  - Input: to ensure the database is complete, accurate, and authorized
  - Processing: to ensure correct processing and detection of all errors
  - Output: authorized access to computer report

Input Controls in an EDP Environment
- Authorization:
  - internal check for users and qualification
  - review and approval of input documents
- Edit checks:
  - alphabetic vs numeric, field size, field sign, check digit, and logic check
- Data conversion:
  - record count compared to batch totals
  - limit checks and exception reports
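
Added example (not part of the original slides): the edit checks and data-conversion controls listed above, applied to a constructed batch of payment records. The record layout, the 8-digit account field, the mod-10 check-digit scheme, the 10,000.00 limit and the refund rule are all assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("10000.00")  # assumed ceiling for the limit check

def check_digit_ok(acct):
    """Mod-10 (Luhn) test; the scheme is an assumption, the slides name none."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(acct))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def parse_amount(text):
    """Return a finite Decimal, or None when the field is not numeric."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None

def edit_checks(rec):
    """Return the edit-check failures for one input record (empty list = clean)."""
    errs, acct, amount = [], rec["account"], parse_amount(rec["amount"])
    if not (acct.isascii() and acct.isdigit()):
        errs.append("account: alphabetic vs numeric")
    elif len(acct) != 8:
        errs.append("account: field size")
    elif not check_digit_ok(acct):
        errs.append("account: check digit")
    if amount is None:
        errs.append("amount: alphabetic vs numeric")
    elif amount <= 0:
        errs.append("amount: field sign")
    elif amount > LIMIT:
        errs.append("amount: limit check")
    if rec["type"] == "REFUND" and not rec.get("invoice"):
        errs.append("logic check: refund without original invoice")
    return errs

def audit_batch(header, records):
    """Reconcile count and control total to the batch header; build the exception report."""
    amounts = [a for r in records if (a := parse_amount(r["amount"])) is not None]
    return {"count_ok": len(records) == header["record_count"],
            "total_ok": sum(amounts, Decimal(0)) == Decimal(header["control_total"]),
            "exceptions": {i: e for i, r in enumerate(records, 1) if (e := edit_checks(r))}}

# Constructed batch: the header promises 5 records / 700.00; one was lost in conversion.
HEADER = {"record_count": 5, "control_total": "700.00"}
BATCH = [{"account": "12345674", "amount": "250.00", "type": "PAYMENT"},
         {"account": "12345678", "amount": "100.00", "type": "PAYMENT"},
         {"account": "40001232", "amount": "-50.00", "type": "PAYMENT"},
         {"account": "55500011", "amount": "300.00", "type": "REFUND"}]
```

Calling audit_batch(HEADER, BATCH) flags the count and control-total mismatch from the lost record and returns an exception report keyed by record position.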

Processing Controls in an EDP Environment
- Totals: compare input total to processing total
- Correct processing:
  - Verify file ID or label before processing
  - Use program boundary protection to restrict file access during runs
- Access: review operator log, recovery journal
- Hardware: check parity of binary data and insert overflow checks on memory capacity
- Edit: match input codes to master files

Preliminary Survey--continued
- Personnel control: separation of persons handling input, processing, output, documentation. Rotation and required vacation for operators.
- Efficiency and effectiveness of system:
  - Are expectations being met?
  - Does scheduling follow a priority policy?
  - Is computer configuration adequate?

Preliminary Survey--continued
- Contingency plan: is there a formal plan for access to alternate computer facilities?
- Special risks in:
  - data privacy, network failure, data omission and errors, other legal implications
  - Image processing: intentional altering, destroying, counterfeiting
  - Service center: control over input and output

  - Electronic Data Interchange (EDI): linked systems of suppliers, manufacturers, creditors and other parties. Paperless and timely. Auditors must evaluate access, transaction controls, data integrity, and auditability.
  - Virus: Frequency of incidents: 4 per year in The cost to recover from an average incident involving 3-4 computers is $1,200. With 1000 computers, annual cost could reach $176,853.

The Audit Program
- Control review and evaluation
- Tests of controls
- Test of data
  - Use of generalized audit software
  - Computer audit techniques: test data, parallel simulation, controlled processing, ITF, tagging, mapping and program analysis

Computer Audit Techniques
- Test data: only checks certain expected controls
- Parallel simulation: auditor creates own software to simulate actual processing. Processing logic may not be comparable.
- Controlled processing or reprocessing: less expensive, input data may still be faulty
- Integrated Test Facility (ITF): dummy data are processed with live data. Problem is reversing the bogus data.
- Tagging or tracing: test data are tagged to avoid contamination. Insufficient tagging may miss major logic points. Tagged data may be detected by auditee.
- Mapping and program analysis: identify logical paths of a program or detailed analysis of process code. Slow and costly.
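
Added example (not part of the original slides): a parallel simulation in which the auditor's own program recomputes results from the client's input file and compares them with the production output. The interest rule, account numbers and figures are constructed assumptions; the tolerance parameter addresses the slide's caveat that processing logic may not be comparable.

```python
from decimal import Decimal, ROUND_HALF_UP

def simulate_interest(balance, annual_rate, days):
    """Auditor's independent rule: simple interest, 365-day year, rounded half-up."""
    raw = Decimal(balance) * Decimal(annual_rate) * days / Decimal(365)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(inputs, production, tolerance=Decimal("0.00")):
    """Re-run the client's inputs through the auditor's program and list disagreements."""
    findings = []
    for acct, (balance, rate, days) in inputs.items():
        expected = simulate_interest(balance, rate, days)
        if acct not in production:
            findings.append((acct, "missing from production output", expected, None))
            continue
        actual = Decimal(production[acct])
        # The tolerance absorbs differences in rounding rules between the
        # auditor's program and the production program.
        if abs(actual - expected) > tolerance:
            findings.append((acct, "amount differs", expected, actual))
    # Output the production run posted without any corresponding input record.
    for acct in sorted(production.keys() - inputs.keys()):
        findings.append((acct, "no matching input", None, Decimal(production[acct])))
    return findings

# Constructed data: the input file the client processed and the client's posted output.
INPUTS = {"A100": ("10000.00", "0.05", 30),
          "A200": ("2500.00", "0.04", 31),
          "A300": ("730.00", "0.10", 365)}
PRODUCTION = {"A100": "41.10", "A200": "8.94", "A999": "12.00"}
```

Each finding is a tuple of account, reason, auditor's figure and production figure, so a posting with no input behind it shows up alongside plain calculation differences.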

Innovative Means of Evaluating Database Systems
- Difficult to back up, the normal grandfather-father-son tapes do not exist
- Tagging and tracing is complicated by joint use of a single file among several users
- Requires creative attitudes of “trying to beat the system,” i.e., trying to discover if means are available to gain unauthorized access or to make inappropriate changes in data files.