Auditing in a Computer Based Environment
Information Technology (IT) is integral to modern accounting and management information systems. It is, therefore, essential that auditors should be aware of the impact of IT on the audit of a client’s financial statements. Information Technology auditing (IT auditing) began as Electronic Data Process (EDP) auditing and developed largely as a result of the rise in technology in accounting systems. The last few years have been an exciting time in the world of IT, auditing as a result of the accounting scandals and increased regulations. Regardless of the computer systems used, the audit objectives and approach will remain largely unchanged from that if the audit was being carried out in a non-computer environment.
1. Auditing Around the Computer: It is the type of auditing done in a traditional method. The auditor summarises the input data and ignores the computer’s processing but ensures the correctness of the output data generated by the computer, this approach is generally referred to as “auditing around the computer”. This methodology was primarily focused on ensuring that source documentation was correctly processed and this was verified by checking the output documentation to the source documentation
2. Auditing Through the Computer: Due to the “real time” computer environments, there may only be a limited amount of source documentation or paperwork hence the auditor may employ an approach known as “auditing through the computer”. In this approach, the reliability and accuracy of the results are analysed through the computer. This involves the auditor to perform tests on the information technology controls to evaluate their effectiveness like Compliance test, Test Packs, Reprocessing.
3. Auditing with the Computer: The utilization of computer by the auditor for some audit work and he uses some general software for the purpose of calculating depreciation, printing letters, and duplicate checking and files comparison.
The computer is not used for all the audit work and it is done manually.
The audit process for a computerized accounting system involves the following five major steps:
1. Conducting Preliminary Survey: This is a preliminary work to plan how the audit should be conducted. The auditors gather information about the computerized accounting system that is relevant to the audit plan. This includes an understanding of how the computerized accounting functions are organized, identification of the computer software used, understanding accounting application processed by computer and identification applicable controls.
2. Reviewing and Assessing Internal Controls: There are two types of controls namely general controls and application controls.
· General Controls: General controls are those that cover the organization, management and processing within the computer environment. They should be tested prior to application controls, because if they are found to be ineffective, the auditor will not be able to rely on application controls. General controls include proper segregation of duties, file backup, use of labels, access control, etc.
· Application Controls: Application controls relate to specific tasks performed by the system. They include input controls, processing controls, and output controls. They should provide reasonable assurance that the initiating, recording, processing and reporting of data are properly performed.
3. Compliance Testing: Compliance testing is performed to determine whether the controls actually exist and function as intended. This can be performed by comparing the results to predetermined results or by processing dummy transactions.
4. Substantive Testing: This is performed to determine whether the data is real. Substantive tests are tests of transactions and balances and analytical procedures designed to substantiate the assertions. Auditors must obtain and evaluate evidence concerning management’s assertions about the financial statements. The auditor must obtain sufficient competent evidential matter to provide a basis for an opinion regarding the financial statements under audit. If sufficient competent evidence cannot be obtained then an opinion cannot be issued.
5. Audit Reporting: The audit report will contain detailed information on various aspects of their findings in the process of audit in a computerized environment.