Auditing Complex EDP Systems

1
SECTION 8

• Auditing Complex EDP Systems

2
Auditing Complex EDP Systems

• Computer used extensively
• simple batch processing
• complex on-line, real-time processing
• Computer affect two aspects if audit risk
• assessing control risk
• managing detection risk

3
Around vs. Through the Computer

• Around
• manually calculate INPUT and trace to OUTPUT
• Through
• test the controls in the computer

4
Impact of Computer Controls

• Change in the Audit Trail
• less documentation offset by programmed controls
• file storage reduces need for hard copy
• testing shift to examination of EDP controls

5

• Combination of Functions

• computer processing allows combining functions
  that are usually separate in manual systems
• e.g. input editing of a sales transaction
• customer number
• credit limit
• inventory number and price

6
Types of EDP Accounting Systems

• Batch Processing
• accumulated and processed in groups
• what is the main form of control?
• the main problem?

7

• Batch Processing System

8

• Real-Time Processing

• transactions are edited on-line as they occur
• continuous file updating
• more complex than batch
• how does this method affect the audit trail?

9

• Batch Processing System

10
Time Sharing and Service Bureaus

• Time sharing
• an entity processes data for itself and other
  entities
• i.e. shares its computer
• Service bureau
• process transactions for other entities
• i.e. this is their business

11
Separate Files vs. Integrated Data Base

• File System
• main characteristic?
• Data Base
• main characteristic?

12
Hardware Configurations

• Electronic Data Interchange (EDI)
• on-line format
• computer-to-computer exchange
• public standard format
• Accredited Standards Committee of the American
  National Standards Institute
• ANSI X12

13

• Two methods for EDI

1. The Direct Approach

1. The Indirect Approach

14

• Small Computer Systems

• small firms
• low cost and advanced hardware
• Distributed Data Processing
• companies with branches and divisions
• geographic dispersion

15

• A Distributed System

• Types of computers at the branches?

16
Kinds of EDP Controls

• Two main classifications
• General controls
• Application controls

17

• General Controls

• Organization and Operating Controls
• segregation of duties very important

18

1. Systems Development Documentation

• control over definition, design, development,
  testing, and documentation of systems
• once designed and developed, the system must be
  thoroughly tested
• systems and programs must be documented
• 1.
• 2.
• 3.

19

1. Access Controls

• prevents unauthorized use
• batch systems
• who controls access in this case?
• on-line systems
• primary control for access?

20

1. Data and Procedural Controls

• to control daily operations
• backup files on and off the premises
• environmental controls

21

• Application Controls

• a separate set for each application controls
• How are application controls classified?
• Input Controls
• computer edit controls
• ensure completeness and accuracy of input

22

1. Process Controls

• concerned with data manipulation once it is in
  the computer
• what type of control can used as a process
  control?
• Output Controls
• verification and distribution of output

23
Techniques for Testing EDP-Based Controls

• Best to understand as a number of steps as shown
  in the following flowchart

Test further
24

• Gaining an Understanding of EDP Controls

• Two main ways
• observation and enquiry
• studying the system and program documentation
• Observation and Enquiry
• should look for the following
• Segregation of functions
• Control of access to files and programs

25

• Approval of new systems and programs

• Existence of hardware and environmental controls
• The functioning of data and procedural controls
• Backup files

26

1. Systems and Program Documentation

• Documentation is an integral part
• Should include
• 1.
• 2.

27

• The Testing of EDP Controls

• Auditor should be able to identify those controls
  that are necessary for the effectiveness of the
  application
• by testing these controls, which component of
  audit risk may be reduced?
• Two ways to look at testing
• 1.
• 2.

28

1. Auditing Around the Computer

29

1. Auditing Through the Computer

30
Techniques for Auditing Through the Computer

• Test Data Approach
• simulated data
• of what should this data consist?
• main problems of this approach
• 1.
• 2.

31

1. Mini Company Approach

• also called the Integrated Test Facility
• a fictitious entity is created
• fictitious transactions are processed along with
  regular transactions
• any problems with this approach?

32

1. Simulation / Auditors Program Approach

• Auditor creates an application program that
  simulates the system
• uses client data as input
• potential uses of this approach
• sampling
• computations
• comparing
• summarizing

33

1. Generalized Audit Software

• most common type of audit software
• transportable from one client to another
• independent
• limited by the availability of the clients data
  files

34
Small Computer Systems

• Widespread
• Weaknesses in General Controls
• 1. Lack of segregation of duties
• 2. Location of the computer

35

1. Limited Knowledge of EDP

• Special Consideration for Application Controls
• 1. Data Entry
• 2. Data processing
• 3. Absence of Limit and Reasonableness Tests

36

• Study and Evaluation of Internal Control

• The effect of computer size on the auditor
• General controls are often weak
• More reliance on application controls
• If application controls and any manual controls
  are not reliable, what should the auditor do with
  regards to testing?