AUDIT IN COMPUTERIZED ENVIRONMENT Ashok Seth, B.Sc, F.C.A. DISA (ICI) Lucknow ashok.seth@gmail.com Chairman of the session CA Girish C Gupta ji, paper writers of this technical session, fellow brothers and dear students. It is indeed a pleasure to submit key note in the students seminar on the occasion of celeberation of Diamond Jubilee year of our Institute

Change in the Environment Technological Revolution. Increase in Volumes & Complexities of transactions. Time & Information became most sought after. Fall in Prices of Computer Hardware. Availability of user friendly software. Ashok Seth 3rd July 2008

Graduate from Tick to Click & Mouse to CAAT Ashok Seth 3rd July 2008

No Change in overall objective To establish reliability & integrity of information To assess compliance with policies, laws & regulations To see that assets are being safeguarded To appraise economical & efficient use of resources Accomplishment of established objectives & goals Ashok Seth 3rd July 2008

Effect of EDP Environment On procedures in obtaining sufficient understanding of accounting & internal control systems On risk assessment method to be followed Designing of tests of control and substantive procedures to meet audit objective Ashok Seth 3rd July 2008

EDP Characteristics Uniform Processing of Transactions Potential for undetected errors & irregularities Transaction Trail may be available for short duration or only in electronic form. Automatic initiation & subsequent execution of transaction by computer Ashok Seth 3rd July 2008

Problems with EDP systems Unauthorized persons may gain access to data or program Transactions may not be completely processed Data may become corrupt giving wrong report Programmers may make unauthorized changes to software Difficult to Trace input errors Lack of Supervisory controls Ashok Seth 3rd July 2008

Audit Approach Auditing Around Computers Auditing through Computers Ashok Seth 3rd July 2008

Auditing Around Computers Involves selection of representative sample of source documents and tracing them to final destination The controls and procedures used in processing the data were considered unimportant Ashok Seth 3rd July 2008

Auditing Through Computers This approach de-emphasizes testing of records and focuses on the examination of the processing system to enhance the probability of system generated records being accurate. Ashok Seth 3rd July 2008

Auditing Through Computers- Steps: - Review and evaluation of systems of controls Verification of record contents and generation of evidential information (Audit Evidence) from database Ashok Seth 3rd July 2008

EDP Controls General EDP Controls EDP Application Controls Ashok Seth The effectiveness or otherwise of these controls will determine the nature and extent of substantive verifications required Ashok Seth 3rd July 2008

General EDP Controls Access controls: - to prevent Unauthorized access to online terminal devices, programs and data Entry of unauthorized transactions Unauthorized changes to data files. Use of programs that have not been authorized. Controls over passwords These include the use of passwords and specialized access control software and also physical controls Ashok Seth 3rd July 2008

Contd Programming Controls to prevent or detect improper changes to programs. The access may be restricted through program development libraries. The changes in programs are required to be documented. Transaction Logs- Reports which are designed to create audit trail Transaction Logs often documents the source of transactions also (terminal, Time and user) . Ashok Seth 3rd July 2008

EDP Application Controls Pre Processing Authorization Changes to standing data Data Processing controls, reasonableness and other validation tests. Cut off procedures File Controls procedures- to ensure correct data files are used. Balancing:- process of establishing control totals to ensure accuracy Cut off procedures are important specially where there is continuous flow of transactions in a RTS. Changes to master files are required to be controlled more stringently. Ashok Seth 3rd July 2008

Computer Assisted Audit Techniques (CAATs) Includes: - Test Data Techniques Generalized audit software (GAS) Utility Software Ashok Seth 3rd July 2008

Test Data techniques Live Processing with dummy data Dummy processing with dummy data Integrated test facility On line testing The major problem is design of comprehensive set of transactions. In ITF test transactions are processed through the system in the production mode. The technique is particularly effective in situation where the visibility of the audit trail has been impaired or where the complexity of the system makes it difficult to trace the flow of transactions. On-line testing provides an effective means of testing edit and validation controls. When on line testing is used to test edit and validation controls, satisfactory results obtained from an attempt to enter an appropriate combination of valid and invalid transactions can convince the auditor that only valid transactions are accepted by the system. Ashok Seth 3rd July 2008

Why CAATs Absence of input documents or the lack of a visible audit trail Effectiveness and Efficiency of auditing procedures improved Information processing environments pose a stiff challenge to collect sufficient, relevant and useful evidences since the evidence exists on magnetic media and can only be examined using CAATs. With systems having different hardware and software environments, different data structure, record formats, processing functions, etc , it is almost impossible for the auditors to collect evidence without a software tool to collect and analyze the records Ashok Seth 3rd July 2008

Functional Capabilities of CAATs File access: Enables the reading of different record formats and file structures File reorganization: Enables the indexing, sorting, merging and linking with another file Data selection: Enables global filtration conditions and selection criteria Statistical functions: Enables sampling, stratification and frequency analysis. Arithmetical functions: These functions facilitate re- computations and re-performance of results. Ashok Seth 3rd July 2008

How to use CAATs? Set the objective of the CAAT application Determine the content and accessibility of the entity's files Define the transaction types to be tested Define the procedures to be performed on the data Define the output requirements Identify the audit and IT personnel who may participate in the design and use of tests for CAATs. IS Auditor need to have adequate computer knowledge, expertise and experience in using CAATs. They need to formulate appropriate methodology for using CAATs. This includes having a walk- through of the system to identify areas of weakness. Based on the results, IS Auditors will perform compliance tests, evaluate the results and if required, design substantive tests. CAATs can also be used to carry out detailed testing and collect evidences. Based on the results of these tests, IS Auditors would recommend suitable control measures as relevant Ashok Seth 3rd July 2008

General Uses and Applications of CAATs- for example Exception identification Control analysis: Identify whether controls as set have been working as prescribed Error identification: Identify data which is inconsistent or erroneous. Statistical sampling Verification of calculations Completeness of data: Identify whether all fields have valid data. Contd Ashok Seth 3rd July 2008

Obsolescence of inventory Undeserved discounts for rapid payment Duplicates Obsolescence of inventory Undeserved discounts for rapid payment Accounts exceeding authorized limit Overdue invoices Ashok Seth 3rd July 2008

Strategies for using CAATs Identify the goals and objectives of the investigation or audit Identify what information will be required Determine what the sources of the information Identify who is responsible for the information Review documentation to know the type of data in the system Review documentation to know flow of data, understand data, Know what each field in the data set represents and how it might be relevant. Contd Ashok Seth 3rd July 2008

Develop a plan for analyzing the data What - Specific objectives that should be addressed by the analysis When – Define the period of time that will be audited, and secure the data for that period Where – Define the sources of the data to be analyzed (Accounts payable, payroll) Why – Reason for performing the tests and analysis (general review, fraud audit) How – The types of analysis planned to be carried out by the audit Ashok Seth 3rd July 2008

Precautions in using CAATs Identify correctly data to be audited Collecting the relevant and correct data files Identify all the important fields that need to be accessed from the system State in advance the format the data can be downloaded and define the fields correctly Ensure the data represent the audit universe correctly & completely. Ensure the data analysis is relevant and complete. Contd Ashok Seth 3rd July 2008

Perform substantive testing as required. Information provided by CAATs could be only indicators of problems as relevant and perform detailed testing as required. Ashok Seth 3rd July 2008

THANK YOU Ashok Seth 3rd July 2008