AUDITING: A RISK

ANALYSIS APPROACH
5th edition

Larry F. Konrath
Electronic Presentation
by Harold
O. Wilson

Chapter 8

KEY CONCEPTS OVERVIEW

Computer Based Information Systems
(CBIS) impact on firm policies &
procedures, and on auditing (controls
& testing)
CBIS are unique (hardware, processing,
files, storage, scope, especially in global
e-commerce)
CBIS Controls (General controls,
Application controls, User controls)

KEY CONCEPTS OVERVIEW

Auditors audit around the computer
and/or through the computer
Audit risks in CBIS scenarios escalate
each year (due to direct data inputs,
minimal hard-copy, internal storage)
Applications of computer assisted testing,
changes in evidence gathering

LEARNING
OBJECTIVES
Differentiate auditing around vs.
through the computer
Identify various types of CBIS
Define major CBIS accounting controls
Develop an approach to assessing control
risk in CBIS accounting applications
Evaluate/manage audit risk factors in
CBIS accounting applications

COMPUTER BASED
INFORMATION SYSTEMS
Personal Computerscommonplace
Wide Area Networks(WAN) & Local Area
Networks (LAN)--end-user sharing
Database Management Systems (DBMS)-integrated collections of stored data
Internet and Intranet applications
Artificial Intelligence (sequenced decision rules)
programs using Knowledge Engineers and
Knowledge Bases (embedded cases)

A note on technology
Information processing systems have
encouraged continuous auditing throughout
a clients fiscal year. Computer systems and
personnel (and changes) tend to obscure (or
destroy) audit trails traditionally traced by
auditors.

Auditor ingenuity is continuously

challenged!

FAQ?
What are major impacts of CBIS advances
on auditing and assurance services?
Trends in computer use impact two aspects of
audit risk, but not audit objectives:
Assessing control risk (need for CBIS control)
Managing detection risk (verifying
transaction data processed by CBIS, and
balance data stored in CBIS)

Questions arise as to CBIS effectiveness,

confidentiality, control.
Vulnerability to computers increases risks.
There are major concerns over privacy,
access codes, internet security, etc.
Internal control becomes a very broad
concept, given current technology.

A consistent truism:
Optimal segregation of
functions exists when
collusion is necessary
in order to circumvent
controls.

IMPACTS ON AUDITING
Changes in the audit trail
Less documentation, but more consistency
Less hard-copy available, but better data access

Combining of functions
Computerized checking, transaction logs
Less segmentation of details, and/or people

Auditing around the black box

vs. through the white box

FAQ?
What is the audit trail?
The documents & records (evidence of
executed transactions) that allow tracing
transactions through the accounting cycle in
the accounting and information system.
Auditing around the computer is to
pretend its just a super-sized typewriter!

Auditing through the

white box
Direct testing--processes auditors known
data properly, completely, etc.
Auditor observes the control functions in
action (e.g., check digits, limit tests).
Gives evidence of an underlying process.
BUT, is the evidence only about today and
the usual data? Is it playing client?

Observations on auditing with,

around, or through computers
The difficulty: After-the-fact testing of data,
computers, & applications may or may not
replicate what happened during the period
under audit.
The responsibility: Auditors must develop
confidence in the controls and in
input & outputs while performing
other auditing techniques as well.

TYPES OF CBIS

Centralized vs. Distributed (DDP) systems

OLRT vs. Batch processing systems
Multi-user (DBMS) vs. flat file systems
Interactive vs. stand alone system
Various degrees of networking, geographic
separations, e-commerce functions,
volumes/types of transactions, etc., and
focus on end users needs.

ELECTRONIC COMMERCE
SYSTEMS
Scope:
Merchandise and securities markets
Bookkeeping and tax services
Consulting and teaching

Risk concerns (control over inputs):

Access by customers and employees (complex!)
Data security concerns (EDI)
Internet involvement (an ultimate one- write
system)

Remember: The Auditors initial

concern is transaction cycles!
All firms have
Sales
Cash In
Cash Out
Purchases
Payrolls
AND documentation should underlie the
debits and the credits to these accounts!

CBIS CONTROLS:
1. General Controls
Control procedures that are interactive
with two or more control objectives.
Relate to the organizational structure of
the CBIS function (safeguarding data
files & programs, documentation, etc.).
Relate to all (or many) computerized
accounting activities.
Of major concern to auditors.

 CBIS should be separate from user

departments, and not initiate
transactions.
CBIS Manger reports to top management.
Other Personnel: System Analysts (design
&
modify system to meet user needs),
Programmers, Computer Operators &
Programmers, Librarian (custody over
files, programs, control access), Data Control
Group (similar to internal audit)
CBIS testing precedes going on line.

 Increased dependence on computers

prompts all user groups to participate in
design & development of CBIS
Documentation includes objectives, access
controls (approvals, authorizations),
flowcharts, and instructions.
Procedural controls include protocols, data
encryption, telecommunications, network
monitoring software, etc.

CBIS CONTROLS:
2. Application Controls
Control procedures that are designed to
achieve specific control objectives.
Relate to individual computerized
accounting applications.
Organized into input controls, processing
controls, output controls.

 There are application controls for sales,

cash receipts, cash disbursements,
purchases, and payrolls.
Input controls: accuracy & completeness
(editing, audit trails, transaction logs,
e.g., reasonableness tests, test digits)
Processing controls (headers, footers,
record counts, echo checks)
Output controls (verifications, proper
distribution to authorized recipients)

CBIS CONTROLS:
3. User Controls
Control procedures that are established by
departments other than Data Processing,
whose transactions are computer
processed.
Relates to ensuring accuracy of data
processing (e.g., approvals of inputs,
review of outputs).
Techniques include control totals, hash
totals, comparative summaries.

 Auditors often evaluate a mix of CBIS

and user controls.
If CBIS controls are weak, auditors
default to evaluating user controls as
possible compensating controls.
Audit focus on User controls may be save
audit time in some cases, since
evaluating complex CBIS controls may
contribute little to audit objectives.

AUDIT TECHNIQUES
for testing CBIS controls
Develop the audit program for needed
substantive testing in CBIS environments:
Review the CBIS and identify areas for
specific testing of controls
Study the system and program documentation
Make tests
Evaluate the control risk

AUDIT TECHNIQUES
for testing CBIS
controls
Auditor considerations:

Organization of the CBIS functions

Flowcharts (inputs, outputs, controls, sequences)
Access to files, programs, hardware
Modification processes
Back files, disaster recovery plans
Data Control Group functions

AUDIT TECHNIQUES
for testing CBIS controls
Auditor concerns in evaluating & testing
General Controls:

Possible manipulation of data, misreporting

Lack of documentation, physical safeguards
Access controls (passwords, security levels, etc.)
Improper system design, unauditable data
Organizational controls (e.g., debugging, exception
reports, etc.)

AUDIT TECHNIQUES
for testing CBIS controls
Auditor concerns--General Controls:
Extent of internal auditor involvement
Authorization issues
Data protection (antivirus software, backups,
e-commerce security, network monitoring,
protocol controls)
Assurance that programs designed and intended
to be used are, in fact, the programs in use.

FAQ?
Would auditor involvement in the design of
the clients CBIS and its controls, be an
advantage or disadvantage in audit practice?

Its controversial. Many believe

that such would seriously
compromise

COMPUTER ASSISTED
Audit Techniques (CAAT)
Test Data (hypothetical answers & errors)
used with the clients computer:
Would their computer find?
Tagging & Tracing technique
Systems Control Audit Review File
(SCARF) using specific control points
BCSE (for large clients!)

CAAT
Parallel Simulation an automated
version of auditing around the
computer, e.g., Clients software
or data used with CPAs computer
or software (known reliability).
Mixing such factors, surprise
audit, may be effective
or may be
inadvisable; maybe dangerous.

CAAT
Artificial Intelligence & Expert Systems
(AI/XS):
Software packages based on
decision rules, knowledge base systems
(KBS), and expertise in defined domains.
Expert System Shells: Software prompting
effective transference of expertise to
the less experienced, by utilizing a
critical sequence of input variables.

 Expert Systems Shells: software dependent

on which knowledge base underlies the XS-being used in grant insurance coverage,
predicting fraud or bankruptcy, solving tax
cases, aid in forensic accounting cases (e.g.,
kiting), and designing audit programs.
Neural network: computer system designed
to replicate the functioning of the human
brain, i.e., simulated learning via cases.
AI/XS conclusions are often linked to probabilities.

FAQ?
Would the auditors use of artificial
data introduced into the clients
normal live data processing (ITF
approach) be effective? efficient?
wise?

Very controversial! Many

pitfalls may exist here for the
auditor. Can you list a few?

CBIS &
Audit Risk Implications
Audit trail modifications may occur as
OLRT inputs are shotgunned once to every
location to use such input data.
Hard-copy may be replaced by DBMS.
Temporary vs. long-term retention policies
may
become fuzzy policies.
Similar concerns prompt initial assessments
of control risk at very high levels!

Suggestions
Systems & changes--well-documented &
adequately approved.
Transaction logs adequately detailed.
Passwords & encryption tightly controlled,
changed, voided. [When someone is fired,
the path to the doorway should disallow
returning by his/her desk.]

Suggestions
Input editing (e.g., debits must equal
credits, reasonableness) updated often.
Backups & History Logsdetailed, required.
The OLRT, DDP, and EDI world leads to
automatic initiations; thus, compensating
controls are vital.
Exception Reports (errors, unusual ratios)

Internal Control Weaknesses &

Exceptions to Procedures
An exception is not
automatically a cause
of an error, misstatement,
or fraud! People could be
fast, accurate, competent
and honest anyway.

AUDITOR MANAGEMENT
of DETECTION RISK
Involvement with CBIS design, audit trails
Computer specialists on their staffs
A mindset for potential computer fraud and
management fraud
Experience in tradeoffs: control risks vs.
detection risks, interim vs. FYE testing
Continuous auditing relationships

CRITICAL TERMS REVIEW

Application controls
Auditing around
Auditing through
BCSE
Batch processing
CBIS Manager
Centralized data
processing
Check digit

Completeness test
Computer editing
Conditioned
telecommunications
Continuous auditing
Data control group
Design phase auditing
Distributed data
processing

CRITICAL TERMS REVIEW

Encryption
Echo check
Expert systems
Expert systems shell
Fiber optics
Flat file system
General controls
Input controls
DBMS

KBS
Neural networks
OLRT system
Output controls
Parallel simulation
Processing controls
Systems analysts
SCARF
User controls

End of Chapter 8