Computerized Accounting System as an Aid to Efficient Management of an Organization - DOC by dph91477


									Chapter 8: Computerized Systems: Risks, Controls, and Opportunities                      1

Chapter 8

Computerized Systems: Risks, Controls, and Opportunities
       a. Most computer systems are highly integrated and networked. The computing
          environment includes hardware, software, telecommunications, massive
          amounts of data, and the people who manage the environment and
          support end users. The systems are integrated across functional lines. For
          example, recording the completion of a production process may update
          accounting records such as inventory and payroll, and may also update the
          production management system. The auditor needs to understand this
          environment and the security features designed to ensure that only authorized
          users access the system, and only for approved purposes. Companies become
          dependent on the security and integrity of computerized systems: if the
          systems fail, it is quite possible that the company itself may fail. If a company
          does not have a comprehensive Enterprise Risk Management process that
          incorporates computer risks, it has vulnerabilities that must be
          explicitly addressed in each audit.

       b. Identifying Types of Computer Software and Associated Risks
              i. All computer systems are dependent on four types of software an
                  auditor must understand to evaluate controls.
                     1. Operating Systems
                            a. A computer's operating system controls all aspects of a
                                computer's internal operations. It consists of a set of
                                programs, usually written in low-level languages such as C
                                and assembly, that act as an intermediary between the user,
                                the hardware, and the application software. Because a user
                                with privileged (administrator or root) access to the
                                operating system can bypass every control built into the
                                applications above it, such access must be severely restricted.
                     2. Networking and Communications
                            a. Communications software controls the system's
                                communications with parties both within and outside
                                the organization. The software is designed to ensure
                                the completeness of message delivery and may include
                                encryption to protect the contents and message
                                authentication to assure the identity of the sender and
                                receiver.
                     3. Application Program
                            a. Accounting application programs are written to
                                accomplish specific data processing tasks such as
                                processing sales and accounts receivable, updating
                                inventory, computing payroll, or developing special
                                management reports. Application programs provide the
                                user interface and process the data that updates general
                                ledger account balances and the numbers flowing into
                                financial statements. Application programs have
                                traditionally been viewed as input-process-output systems,
                                even though many of these computing applications are
                                becoming significantly more integrated. An example of
                                a typical accounting application is the payroll system
                                shown in Transparency 8-1.
                      4. Access Control (including security over computer programs)
                             a. Access control software limits access to programs or
                                 data files to those authorized for such access.
                                 Comprehensive access control software identifies users,
                                 data, and rules to access data or programs. Some access
                                 control software controls the access to all items within
                                 the computing environment; other access control
                                 software is built into individual applications or
              ii. Interconnected Systems – The Virtual Private Network
                      1. The virtual private network (VPN) embraces all
                         communications: fiber-optic to wireless; e-business (business
                         to business); E-Commerce (business to consumer); auctions
                         (consumer to consumer); intranets (within business); personal
                         digital assistants, such as the Palm Pilot, to the Internet; and
                         application and database processing. It is a virtual "anytime,
                         anywhere" network environment; see Transparency 8-2. There are a
                         number of important items to note in this transparency:
                             a. VPN indicates a virtual private network. The "new
                                 economy" is demanding anytime, anywhere service,
                                 and the computing and telecommunications industries
                                 are responding with wireless communication.
                             b. Firewalls are located between the Internet and the
                                 company's private data processing resources.
                             c. Organizations have both a Web server and a back-
                                 office computing structure.
                             d. Data is transmitted over the VPN in data packets that
                                 may or may not be encrypted; a packet that is not
                                 encrypted can be read or altered by anyone on its path.
                             e. Each device connected to the Internet must have a unique
                                 IP address, normally obtained through an Internet
                                 service provider (ISP).
                             f. There must be a uniform transmission protocol (on the
                                 Internet, TCP/IP) if information is going to be transmitted
                                 and then received and interpreted correctly.
                             g. An organization has limited, or no, control over the area
                                 noted in Transparency 8-2 as the VPN tunnel, the vast
                                  virtual private network that is represented by the
                      2. The environment shown in Transparency 8-2 creates some
                         additional risks that both the internal and external auditor needs
                         to assess:
                             a. Unauthorized penetration into the organization’s
                                  system with subsequent destruction or copying of
                                  important information or computer applications.
                             b. Loss of messages in transmission through the VPN or
                             c. Interception and either destruction, modification, or
                                  copying of information transmitted over the network.
                                  This includes the possibility of using intercepted
                                  information for unauthorized purposes.
                             d. Mass attacks on the client's systems, often referred to
                                  as denial-of-service attacks, which are designed to
                                  overload a company's systems and shut them down.
                                  Such attacks have the potential to put an E-
                                  Commerce retailer out of business.
                             e. Loss of processing due to losing electrical power, or
                                  destruction by flooding, hurricanes, or fire.
                      3. The new VPN presents great opportunities, but also great risks
                         to the organization. Major companies such as those in the
                         automobile industry are building Internet applications to
                         streamline the purchasing process of major components in an
                         effort to increase efficiency and lower costs. It will be a way of
                         doing business. The auditor will have to extend the risk
                         analysis and control analysis into this new network.


       a. In a simpler world, the auditor could determine which accounting applications
          were important to the financial statement audit and then determine the risks
          and controls applicable to those systems. Unfortunately, such a simple
          approach is limited to only the smallest of clients. On larger, more complex
          audits, the client’s computing systems may present major business risks that
          also need to be evaluated. Business risks include the exposure to the
          organization caused by allowing customers to log on to the client’s system to
          place orders, or the potential corruption of data (consciously or inadvertently)
          by allowing users to download and manipulate data and then upload back into
          the database. The profession has developed a model to help auditors evaluate
          complex computing systems by describing the pervasive data processing
          controls as general controls and the controls related to a particular program
          as application controls.

       b. Risk Analysis at the General Control Level
               i. There are a number of risks at the general control level that the auditor
                  might address. Some relate to the efficiency and effectiveness of
                  operations, while others are more specific to the audit of a company’s
                  financial statements. Transparency 8-4 lists some risks that should be
                  considered. Some risks that the auditor should consider when
                  evaluating general controls and risk are:
                      1. Unauthorized users may run applications, or data may be
                          accessed without authorization.
                      2. The company may develop the wrong programs, or may
                          develop the programs inefficiently, thereby jeopardizing the
                          company’s ability to compete.
                      3. The company's networking controls may not safeguard the
                          system from intruders or safeguard electronic transmissions.
                      4. Unauthorized personnel may steal or modify company
                          programs or data.
                      5. The computer system may not be secured against unauthorized
                          physical intrusion or attacks, or protected from natural disasters.

       c. General Controls
             i. General controls are pervasive control procedures that affect all
                computerized applications (Transparency 8-3). The auditor usually
                starts with the general controls in evaluating the control weaknesses.
                The rationale for starting at the more general level is that good controls
                built into a particular application are unlikely to be strong enough to
                offset weaknesses that affect all aspects of processing.

  A client must have a risk management plan for information technology and a plan
on how it is going to control those risks. The auditor should start by reviewing those

              ii. Planning and Controlling the Data Processing Function
                     1. The auditor should focus on the seven fundamental control
                         concepts shown in Transparency 8-5 in evaluating the
                         organization of data processing.
             iii. Segregation of Duties within Data Processing
                     1. Organizations need to protect themselves from unauthorized
                         and undetected access to programs and/or data. Two important
                         concepts to help implement proper segregation are that (1) data
                         processing personnel should not have access to programs or
                         data except when authorized to make changes, and those
                         changes follow authorized procedures; and (2) users should
                         review and test all significant computer program changes.

       d. Program Development and Program Changes
              i. Organizations run the risks that computer programs are not efficient,
                 are not effective, or do not contain proper controls. Thus, every
                  organization should have a process to determine that the right
                  applications are developed or purchased, are built and installed within
                  budget, and accomplish the objectives for which they were designed or
                  purchased. Internal auditors and management should regularly review
                  the process used by the organization to ensure that the computing
                  strategy is consistent with the organizational strategy. The computing
                  strategy must follow the organizational strategy. Every organization
                  should also have control standards specifying control concepts that
                  should be considered in every application.
              ii. Program Changes
                      1. In evaluating the structure of control over program changes, the
                          auditor should determine that control procedures are sufficient
                          to ensure that:
                              a. Only authorized changes are made to computer
                              b. All authorized changes are made to computer
                              c. All changes are adequately tested, reviewed, and
                                  documented before being implemented.
                              d. Only the authorized version of the computer program is

       e. Controlling Access to Equipment, Data, and Programs
              i. Restricting access to assets to authorized users for authorized purposes
                 is a fundamental internal control concept. The same concepts that led
                 to the development of a well-controlled manual environment should be
                 implemented in a computerized environment to limit access to assets.
                 Access controls in computerized systems should provide the same kind
                 of deterrence as the manual controls. However, it can be argued that
                 implementation of access controls in a computerized system is even
                 more important, for three reasons. First, access is not likely to be
                 observed by others. Second, information is highly concentrated in
                 computer systems. Third, a perpetrator who gains unauthorized access
                 to a computer system gains access to, and potential control of, assets
                 important to the organization: because the programs authorize
                 disbursements and movements of physical assets such as cash or
                 inventory, control of the program is effectively control of the asset.
                 The auditor should determine the extent to which the client has
                 instituted a data access program based on the principles listed in
                 Transparency 8-8. These principles require a comprehensive access
                 control program that identifies all data items, users, user functions,
                 and the authorized functions that users may perform on each data item.
             ii. Authentication
                      1. Well-designed computer security systems are able to determine
                          that the individual requesting the access privilege is who s/he
                          claims to be. Users can be identified by (1) something they
                          know (password), (2) something they possess (ID card with
                          magnetic stripe, or a hardware token), or (3) something about themselves

             iii. Business Continuity
                      1. Every computerized organization needs a security and back-up
                          plan to protect both physical assets and the data held on
                          storage media. A security plan should be developed to minimize
                          the organization's exposure to both man-made and natural
                          disasters. Minimum elements in a backup and recovery plan include:
                             a. Standardized procedures for backup and disaster
                             b. Plans for reconstruction
                             c. Periodic review and testing
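  As an added illustration of the access principles in e.i and the segregation-of-duties
concepts in c.iii (example code written for these notes, not from the textbook or its
transparencies), the following Python builds a small access control matrix that names every
user, data item and permitted function, denies anything not listed, checks the matrix against
segregation-of-duties rules, and replays a constructed access log to find attempts the matrix
would refuse. The users, data items, rules and log entries are all hypothetical.

```python
from typing import Dict, FrozenSet, List, Tuple

# Constructed access control matrix: (user, data item) -> functions permitted.
# Anything not listed is denied (deny by default). Users and items are hypothetical.
Matrix = Dict[Tuple[str, str], FrozenSet[str]]
MATRIX: Matrix = {
    ("clerk01", "AR_MASTER"): frozenset({"read", "update"}),
    ("clerk01", "GL"): frozenset({"read"}),
    ("auditor", "AR_MASTER"): frozenset({"read"}),
    ("auditor", "GL"): frozenset({"read"}),
    ("dev01", "AR_PROGRAM_SRC"): frozenset({"read", "update"}),
    ("dev01", "AR_PROGRAM_PROD"): frozenset({"read", "update"}),  # planted SoD problem
    ("ops01", "AR_PROGRAM_PROD"): frozenset({"read", "execute"}),
}

# Pairs of rights that one person should not hold together (constructed rules).
SOD_CONFLICTS = [
    (("AR_PROGRAM_SRC", "update"), ("AR_PROGRAM_PROD", "update")),  # write a program and install it
    (("AR_MASTER", "update"), ("GL", "update")),                    # maintain master file and post ledger
]


def is_permitted(user: str, item: str, function: str, matrix: Matrix = MATRIX) -> bool:
    """Deny by default: only an explicit entry grants a function on a data item."""
    return function in matrix.get((user, item), frozenset())


def sod_violations(matrix: Matrix = MATRIX) -> List[Tuple[str, Tuple[str, str], Tuple[str, str]]]:
    """Users whose combined rights breach a segregation-of-duties rule."""
    users = sorted({user for user, _ in matrix})
    return [(u, a, b) for u in users for a, b in SOD_CONFLICTS
            if is_permitted(u, *a, matrix) and is_permitted(u, *b, matrix)]


def denied_attempts(log: List[Tuple[str, str, str]], matrix: Matrix = MATRIX):
    """Replay recorded access attempts and list those the matrix refuses."""
    return [(u, i, f) for u, i, f in log if not is_permitted(u, i, f, matrix)]


# Constructed access log: (user, data item, function attempted).
ACCESS_LOG = [
    ("clerk01", "AR_MASTER", "update"),
    ("clerk01", "GL", "update"),              # clerk may only read the ledger
    ("auditor", "AR_MASTER", "read"),
    ("ops01", "AR_PROGRAM_PROD", "update"),   # operator tried to alter the production program
    ("temp99", "GL", "read"),                 # user not in the matrix at all
]
```

Running sod_violations() reports dev01, who can both change program source and update the
production copy; denied_attempts(ACCESS_LOG) lists the clerk's ledger update, the operator's
program change and the unknown user. The point of the deny-by-default lookup is that a user
or data item the matrix does not know about is refused without any special case.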

       f. Data Transmission Controls
              i. Communications controls ensure the completeness and correctness of
                 data transmitted between a computer application and a remote
                 device. Common control procedures include: encryption, message
                 authentication, callback, echo check, bit reconciliation, feedback,
                 and private lines.
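  The following Python is an added example (not from the textbook) showing three of these
controls together: a message authentication code proves that a frame came from the holder of
a shared key and was not altered, sequence numbers make lost and replayed frames visible, and an
echo check lets the sender confirm what the line actually delivered. The shared key, frame
format and transmitted contents are constructed for the example; encryption of the payload
would be a separate step and is not shown.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed shared key for this example only (hypothetical; in practice the
# key is provisioned out of band to both ends and never sent over the link).
SHARED_KEY = b"example-key-for-illustration-only"


def _tag(seq: int, payload: str, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over sequence number and payload: proves the frame came from
    a holder of the key and was not altered (authenticity and integrity)."""
    return hmac.new(key, f"{seq}|{payload}".encode(), hashlib.sha256).hexdigest()


def send(seq: int, payload: str) -> dict:
    """Sender side: number the message and attach its authentication tag."""
    return {"seq": seq, "payload": payload, "tag": _tag(seq, payload)}


class Receiver:
    """Receiver side: verify the tag, enforce sequence completeness, echo back."""

    def __init__(self) -> None:
        self.expected_seq = 1
        self.accepted: List[int] = []
        self.exceptions: List[Tuple[int, str]] = []

    def receive(self, frame: dict) -> Optional[dict]:
        seq, payload, tag = frame["seq"], frame["payload"], frame["tag"]
        # Constant-time comparison so the tag check itself does not leak timing.
        if not hmac.compare_digest(_tag(seq, payload), tag):
            self.exceptions.append((seq, "tag mismatch: altered in transit or not from the key holder"))
            return None
        if seq < self.expected_seq:
            self.exceptions.append((seq, "duplicate or replayed frame"))
            return None
        if seq > self.expected_seq:
            missing = list(range(self.expected_seq, seq))
            self.exceptions.append((seq, f"gap: frames {missing} never arrived"))
        self.expected_seq = seq + 1
        self.accepted.append(seq)
        # Echo check: return a digest of what was actually received so the
        # sender can confirm the line delivered the frame intact.
        return {"seq": seq, "echo": hashlib.sha256(payload.encode()).hexdigest()}


def echo_matches(frame: dict, echo: Optional[dict]) -> bool:
    """Sender side of the echo check."""
    return (echo is not None and echo["seq"] == frame["seq"]
            and echo["echo"] == hashlib.sha256(frame["payload"].encode()).hexdigest())


def run_demo() -> dict:
    """Constructed transmission: one frame tampered, one lost, one replayed."""
    rx = Receiver()
    f1, f2 = send(1, "INV1001 250.00"), send(2, "INV1002 75.50")
    f3 = send(3, "INV1003 120.00")
    f3["payload"] = "INV1003 1200.00"   # modified in transit; tag no longer matches
    f5 = send(5, "INV1005 60.00")       # frame 4 lost on the line
    frames = (f1, f2, f3, f5, f2)       # f2 arrives a second time (replay)
    echoes = [rx.receive(f) for f in frames]
    return {"accepted": rx.accepted, "exceptions": rx.exceptions,
            "echo_ok": [echo_matches(f, e) for f, e in zip(frames, echoes)]}
```

run_demo() accepts frames 1, 2 and 5, records the tampered frame 3, the gap before frame 5
and the replayed frame 2 as exceptions, and the echo check fails for exactly the two frames the
receiver refused. Note that the tag is computed over the sequence number as well as the
payload; otherwise an intercepted frame could be replayed under a new number.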

       g. Application Controls
              i. Application control procedures are specific control procedures
                 (manual and computerized) designed into the processing of
                 transactions to ensure that processing objectives are attained. The
                 control procedures are often referred to as input, processing, and
                 output control procedures.
             ii. Batch Controls
                     1. Batch controls are designed to ensure that all items that were
                         submitted for processing were actually processed.
                         Transactions are viewed as belonging to a batch – either a
                         physical batch of transactions, or a logical batch, such as all
                         transactions received at one port during a specific period of
                         time. Three types of batch controls are typically calculated:
                             a. record count
                             b. financial total and
                             c. hash total.
                     2. After the items are entered for processing, the computer
                         calculates similar totals for the batch. By reconciling the batch
                         totals for items entered with the same batch totals calculated by
                         the system, users gain assurance that all transactions are
                         processed and no fictitious or duplicate transactions were
                         entered into the system.
            iii. Input Controls
                     1. These procedures are designed to ensure that the organization
                         fully captures and properly records all the transactions between
                        itself and another entity. An overview of an electronic audit
                        trail is shown in Transparency 8-7. If there are significant
                        deficiencies in controls designed to ensure that all transactions
                        are captured, the auditor may be forced to conclude that an
                        entity cannot be audited. Examples of input controls include:
                             a. Computerized input validation procedures
                             b. Batch control procedures
                             c. Self-checking digits
                             d. Use of stored data reference items to eliminate input of
                                  frequently required data
                             e. On-screen input verification techniques
                     2. Input validation tests are often referred to as edit tests because
                        they are control tests built into the application to examine input
                        data for obvious errors. Edit tests are designed to review
                        transactions much like experienced personnel do in manual
                        systems in which an employee would know, for example, that
                        no one worked more than 55 hours in the past week.
                        Transparency 8-8 lists types of edit tests found in most
                        computer applications.

  Each organization must be able to answer customer or supplier questions on a
regular basis. Thus, an audit trail is really a management efficiency tool.

                     3. On-Line Processing Controls
                            a. Most computer applications now process transactions
                                "on-line and real-time," which often offers significant
                                cost and operational advantages over batch processing.
                     4. Processing Controls
                           a. Processing controls are designed to ensure that the
                               correct program is used for processing, all transactions
                               are processed, and the correct master file and
                               transaction files are updated.
                     5. Output Controls
                           a. Output controls are designed to ensure that all data was
                               completely processed and that output is distributed only
                               to authorized recipients.
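  The Python below is an added example (not part of the notes or the textbook's
transparencies) that puts the batch controls in g.ii and the input controls in g.iii into working
code: the three batch totals are computed from the source documents and again from what was
keyed in, and any difference is reported; a set of edit tests checks each transaction against
a stored customer master file, a sign and limit test on the amount, a date validity test, and a
mod-10 (Luhn) self-checking digit on the account number. The customer master, the invoice
limit and the batches are constructed for the example.

```python
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Constructed customer master file (stored reference data); codes are hypothetical.
CUSTOMER_MASTER = {"C100": "Acme Ltd", "C200": "Globex Corp"}
MAX_INVOICE = Decimal("10000.00")   # hypothetical reasonableness limit


def batch_totals(txns: List[Dict]) -> Dict[str, object]:
    """Record count, financial total (amounts) and hash total (document numbers;
    the sum has no business meaning, it only proves the same documents were entered)."""
    return {
        "record_count": len(txns),
        "financial_total": sum((Decimal(t["amount"]) for t in txns), Decimal("0")),
        "hash_total": sum(t["doc"] for t in txns),
    }


def reconcile(submitted: List[Dict], entered: List[Dict]) -> Dict[str, tuple]:
    """Compare totals from the source batch with totals the system computed;
    an empty result means nothing was dropped, added or mis-keyed."""
    a, b = batch_totals(submitted), batch_totals(entered)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) self-checking digit, as used on card and account numbers:
    catches any single mis-keyed digit and most adjacent transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(t: Dict) -> List[str]:
    """Input validation (edit) tests on one sales transaction; returns reasons for rejection."""
    errors = []
    if t["customer"] not in CUSTOMER_MASTER:                   # reference to stored data
        errors.append("customer not on master file")
    try:
        amount = Decimal(t["amount"])
        if amount <= 0:
            errors.append("amount must be positive")           # sign test
        elif amount > MAX_INVOICE:
            errors.append("amount exceeds limit")              # reasonableness / limit test
    except InvalidOperation:
        errors.append("amount not numeric")                    # field type test
    if not luhn_valid(t["account"]):
        errors.append("account number fails check digit")
    try:
        date.fromisoformat(t["date"])
    except ValueError:
        errors.append("invalid date")                          # validity test
    return errors


# Constructed batch of source documents and what a clerk actually keyed in:
# doc 1002 has a transposed amount and doc 1003 was never entered.
SUBMITTED = [
    {"doc": 1001, "customer": "C100", "amount": "250.00", "account": "79927398713", "date": "2024-03-01"},
    {"doc": 1002, "customer": "C200", "amount": "75.50", "account": "79927398713", "date": "2024-03-01"},
    {"doc": 1003, "customer": "C100", "amount": "120.00", "account": "79927398713", "date": "2024-03-02"},
]
ENTERED = [SUBMITTED[0], dict(SUBMITTED[1], amount="57.50")]
```

reconcile(SUBMITTED, ENTERED) reports all three totals out of agreement (record count 3 vs 2,
financial total 445.50 vs 307.50, hash total 3006 vs 2003); the financial total alone would
not have distinguished a dropped document from a mis-keyed amount, which is why all three are
kept. A transaction with an unknown customer, a negative amount, a bad check digit and the date
2024-02-30 fails four edit tests at once, each named so the clerk can correct the input.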

       h. Overview of Computer Controls Risk Assessment
             i. The approach for assessing control risk in a computerized environment
                 is conceptually the same as in a manual environment. There is one
                 major difference--the existence of heavily computerized, mostly paper-
                 less accounting applications may make it such that the auditor has no
                 choice but to thoroughly understand the control risk associated with
                 the processing. Because of the level of expertise needed to effectively
                  do this, many public accounting firms have developed computer audit
                  specialists to deal with the most complex situations.
              ii. Gaining an Understanding of the Control Structure
                      1. An understanding of the control structure is normally gained
                          through inquiry and observation. The auditor also examines
                          client documentation to understand the nature of processing
                          and the file layout for use in developing computer assisted
                          audit techniques. Transparency 8-9 describes the process of
                          assessing control risk in a computerized environment.
             iii. Testing Effectiveness of Controls
                      1. The auditor must decide on the most efficient approach to test
                          the integration of general and application controls. Some firms
                          might test general controls as a whole while others may test
                          general control procedures only as they affect important
                          applications. The choice made by the firm will affect the
                          approach taken to the testing of the control procedures.

  The text provides a detailed illustration of testing the operation of access control

             iv. Documentary Evidence of Controls
                    1. When control procedures generate documentary evidence, that
                       evidence will serve as a basis for developing specific audit
                       procedures to test their effectiveness.
              v. Monitoring Controls
                    1. The auditor should determine whether the company develops
                       exception reports, and whether there is active investigation of
                       the cause of problems. The following controls should be
                       prevalent in most computer systems:
                            a. Computer logs and reports of attempts at unauthorized
                               penetration of the systems, and the actions taken to
                               diagnose the source and prevent recurrence.
                           b. Reports of approved program changes, status of
                              changes, and sign-off by users indicating they have
                              tested the changes.
                           c. Internal audit reports of program changes, including
                              procedures to identify whether unauthorized changes to
                              programs had taken place.
                           d. Reports of unusual activities—Examples might include
                              unusual numbers of transactions, unusual sources of
                              transactions, or vendor sales from vendors that have not
                              been approved as a certified supplier.
                           e. Internal audit reports on the effectiveness of access
                              controls—internal auditors should analyze that access
                              principles have been implemented consistently with
                              authorization principles.
                             f. Reports on production discrepancies—For companies
                                that utilize just-in-time inventory, any production
                                delays that are caused because of problems with vendor
                                suppliers should be documented and investigated.
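  As an added example of the first monitoring control above (written for these notes, not
taken from the textbook), the following Python reads a constructed authentication log, finds
source addresses that produced a burst of failed logons within a short window, and flags any
successful logon from such a source as the exception most worth investigating. The log format,
the addresses and the threshold are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed authentication log in a hypothetical syslog-like format.
LOG_LINES = """\
2024-03-04T08:00:05 auth user=auditor src=10.1.7.9 result=OK
2024-03-04T08:01:12 auth user=clerk01 src=10.1.4.22 result=FAIL
2024-03-04T08:01:20 auth user=clerk01 src=10.1.4.22 result=FAIL
2024-03-04T08:01:31 auth user=admin src=10.1.4.22 result=FAIL
2024-03-04T08:01:44 auth user=root src=10.1.4.22 result=FAIL
2024-03-04T08:02:03 auth user=clerk01 src=10.1.4.22 result=FAIL
2024-03-04T08:02:40 auth user=clerk01 src=10.1.4.22 result=OK
2024-03-04T08:15:00 auth user=clerk02 src=10.1.4.31 result=FAIL
2024-03-04T09:30:00 auth user=clerk02 src=10.1.4.31 result=FAIL
"""
LINE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse(text: str) -> List[dict]:
    """Parse log lines; lines that do not match are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events


def failed_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Sliding window per source address: the largest number of failures that fall
    within `window`, reported only for sources that reach `threshold`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    bursts = {}
    for src, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def success_after_burst(events: List[dict], bursts: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """A successful logon from a source that produced a burst of failures is the
    case most worth investigating: the guessing may have worked."""
    return [(e["ts"].isoformat(), e["user"], e["src"])
            for e in events if e["result"] == "OK" and e["src"] in bursts]


def exception_report(text: str = LOG_LINES) -> dict:
    """The exception report an auditor would expect to see and follow up."""
    events = parse(text)
    bursts = failed_login_bursts(events)
    return {"bursts": bursts, "suspicious_successes": success_after_burst(events, bursts)}
```

On the constructed log, 10.1.4.22 produces five failures in under a minute (across three
different user names, a pattern worth noting in itself) followed by a success, and is reported;
10.1.4.31 has two failures more than an hour apart and is not. The window and threshold are
parameters because the right values depend on the system's normal failure rate, and the report
is only a monitoring control if someone investigates what it lists.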

       a. Electronic commerce involves communication through the Internet. An
          Internet service provider may be an intermediary with a potential worldwide
          scope of connections. E-Commerce can be used to link trading partners.
          Companies involved in electronic commerce need the controls listed in
          Transparency 8-10.
       b. EDI: A Popular Type of E-Commerce
               i. EDI is an exchange of business documents between economic trading
                  partners, computer to computer (Transparency 8-11). EDI has the
                  potential to fundamentally alter the nature of internal controls within
                  an organization and the manner in which the audit is conducted. EDI
                  represents a totally different way of doing business. Full
                  implementation of EDI will permit an order to be placed, goods to be
                  shipped, electronic invoicing, and payment, all without the generation
                  of paper documents. There are a number of components that are
                  necessary to a successful EDI system that the auditor should review
                  (Transparency 8-12).

   Go over the key controls in an EDI system (Transparency 8-13).


       a. Many of the concepts that were applicable to manual systems remain true with
          computerized systems. The auditor will want to:
              i. gain assurance that the processes and computer programs are working
             ii. trace transactions through the processing system to determine that
                 transactions have been fully and correctly processed, and
            iii. select transactions from detailed ledgers for more detailed testing and

       b. Integrated Test Facility: Testing Correctness of Processing
                     1. The test data approach involves developing and submitting
                         fictitious transactions to be processed by computer
                         applications. Test data are developed to determine whether:
                              a. Control procedures that are built into the application
                                  are functioning as documented and can be considered
                              b. The computer application is processing transactions
                             c. All transaction and master files are fully and correctly
                     2. The test data approach covers only the controls that are built
                         into the computer application.
              ii. Example: Using Test Data to Test Controls
                     1. The test data approach is useful for applications that process
                         high volumes of transactions and in which computerized edit
                         controls are considered important. Transparency 8-14
                         illustrates the use of test data in a payroll application.
             iii. Operation of an ITF
                      1. An integrated test facility is an audit approach whereby the
                          auditor develops a "dummy company" against which test
                          transactions are submitted for processing concurrently with
                          normal processing of other transactions by the application. The
                          testing is transparent; that is, data processing does not know
                          when the computer application is being tested. An ITF also has
                          the ability to detect misstatements that might have been caused
                          by changes made to the program during the year. If the auditor
                          tests the application shortly after the change, the error in logic
                          will likely be discovered because the computer-generated
                          output will differ from the auditor's expectations. An overview
                          of an Integrated Test Facility is shown in Transparency 8-15.
                          Because the test transactions are processed together with normal
                          data, the auditor can determine the completeness and correctness
                          of processing as it actually occurs. The dummy company's entries
                          must be identified and excluded or reversed so that they never
                          reach the real ledger balances. ITFs are particularly well suited
                          to environments in which computer applications process data for
                          numerous departments or divisions at the same time.
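  The Python below is an added example (not the textbook's Transparency 8-14 or 8-15) of the
test data approach run through an integrated test facility: a small payroll routine carrying the
"no more than 55 hours" edit test processes a batch in which the auditor's dummy company
("ITF") is mixed with production records, the dummy company's results are routed to the auditor
instead of the ledger, and each result is compared with the auditor's pre-computed expectation.
Passing an altered overtime multiplier simulates an unauthorized program change and shows how
the comparison exposes it. The company code, pay rules, transactions and expected values are
constructed for the example.

```python
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

MAX_HOURS = Decimal("55")        # edit test from the notes: nobody works more than 55 hours
STANDARD_HOURS = Decimal("40")
ITF_COMPANY = "ITF"              # the auditor's dummy company (hypothetical code)


def compute_gross(hours: Decimal, rate: Decimal,
                  overtime_multiplier: Decimal = Decimal("1.5")) -> Optional[Decimal]:
    """Payroll rule under test; returns None when the edit test rejects the record."""
    if hours <= 0 or hours > MAX_HOURS:
        return None
    regular = min(hours, STANDARD_HOURS) * rate
    overtime = max(hours - STANDARD_HOURS, Decimal(0)) * rate * overtime_multiplier
    return (regular + overtime).quantize(Decimal("0.01"))


def process_payroll(batch: List[Dict], **kw) -> Tuple[Decimal, Dict[str, Optional[Decimal]], List[str]]:
    """One production run. Real and ITF records are processed by the same code, but
    only real companies post to the ledger; ITF results are routed to the auditor."""
    ledger_total = Decimal("0")
    itf_results: Dict[str, Optional[Decimal]] = {}
    rejected: List[str] = []
    for rec in batch:
        gross = compute_gross(Decimal(rec["hours"]), Decimal(rec["rate"]), **kw)
        if rec["company"] == ITF_COMPANY:
            itf_results[rec["emp"]] = gross
        elif gross is None:
            rejected.append(rec["emp"])
        else:
            ledger_total += gross
    return ledger_total, itf_results, rejected


# Constructed production transactions plus the auditor's test data with expected results.
PRODUCTION = [
    {"company": "REAL", "emp": "E1", "hours": "38", "rate": "15.00"},
    {"company": "REAL", "emp": "E2", "hours": "42", "rate": "25.00"},
    {"company": "REAL", "emp": "E3", "hours": "70", "rate": "25.00"},   # should be rejected
]
TEST_DATA = [  # (record, expected gross; None means the edit test must reject it)
    ({"company": ITF_COMPANY, "emp": "T1", "hours": "40", "rate": "20.00"}, Decimal("800.00")),
    ({"company": ITF_COMPANY, "emp": "T2", "hours": "45", "rate": "20.00"}, Decimal("950.00")),
    ({"company": ITF_COMPANY, "emp": "T3", "hours": "55", "rate": "10.00"}, Decimal("625.00")),  # boundary
    ({"company": ITF_COMPANY, "emp": "T4", "hours": "60", "rate": "20.00"}, None),               # over limit
]


def run_itf(**kw) -> Dict[str, object]:
    """Submit test data concurrently with production and compare against expectations."""
    batch = PRODUCTION + [rec for rec, _ in TEST_DATA]
    ledger_total, itf_results, rejected = process_payroll(batch, **kw)
    mismatches = [(rec["emp"], expected, itf_results[rec["emp"]])
                  for rec, expected in TEST_DATA if itf_results[rec["emp"]] != expected]
    return {"ledger_total": ledger_total, "rejected": rejected, "mismatches": mismatches}
```

run_itf() posts only the two valid production records (1,645.00) to the ledger, rejects the
70-hour record, and reports no mismatches against the auditor's expectations. Running
run_itf(overtime_multiplier=Decimal("1.0")), which stands in for a program changed during the
year, produces mismatches for the two test employees with overtime while the 40-hour and
rejected cases still pass: the test data must include records that exercise each rule, or a
change to that rule goes unnoticed.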

       c. Tracing Transactions Through the System: The Tagging and Testing
              i. The tagging and tracing approach (Transparency 8-16) creates a
                 "snapshot" of a pre-selected (by the auditor) transaction as it is
                 processed through key points in the computer application. This allows
                 the auditor to determine if the transaction is fully and correctly
                 recorded. An important advantage of the tagging and tracing approach
                 is that the audit work takes place concurrently with the client's
                 processing of regular transactions. The ability to randomly choose
                 transactions at a point early in the processing cycle provides evidence
                 on the accuracy, completeness, and timeliness of processing in
                 complex computer networks.
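
Both concurrent techniques, the integrated test facility above and tagging and tracing, as an added worked example that is not part of the original chapter: a toy order-processing application in Python, with an auditor-owned dummy company (ZZ-ITF, a hypothetical code) processed in the same batch as real customers, and a tag on one real transaction that captures a snapshot at each key processing point. The application logic, price list, credit limit and transactions are all constructed for the illustration.

```python
"""Concurrent audit techniques in a toy order-processing application: an
integrated test facility (ITF) dummy company processed alongside real data,
and tagging-and-tracing snapshots of one selected transaction.
The company codes, price list, credit limit and transactions are all
constructed for this example; nothing here is real client data."""
from dataclasses import dataclass, field

ITF_COMPANY = "ZZ-ITF"                          # hypothetical auditor-owned dummy company
PRICE_LIST = {"WIDGET": 10.0, "GADGET": 25.0}   # constructed master file
CREDIT_LIMIT = 500.0                            # constructed credit-limit control


@dataclass
class Txn:
    txn_id: str
    company: str
    sku: str
    qty: int
    tagged: bool = False                        # set by the auditor on a chosen transaction
    amount: float = 0.0
    snapshots: list = field(default_factory=list)


def snapshot(txn, stage, **state):
    """Tagging and tracing: record the state of a tagged transaction at a key point."""
    if txn.tagged:
        txn.snapshots.append((stage, dict(state)))


def process_batch(txns):
    """Validate, price and post a batch. Returns (ledger, rejected). ITF
    transactions flow through exactly the same code as everyone else's."""
    ledger, rejected = {}, []
    for t in txns:
        snapshot(t, "input", sku=t.sku, qty=t.qty)
        if t.sku not in PRICE_LIST or t.qty <= 0:           # input edit check
            rejected.append((t.txn_id, "edit check"))
            snapshot(t, "rejected", reason="edit check")
            continue
        t.amount = round(t.qty * PRICE_LIST[t.sku], 2)
        snapshot(t, "priced", amount=t.amount)
        balance = ledger.get(t.company, 0.0) + t.amount
        if balance > CREDIT_LIMIT:                           # credit-limit check
            rejected.append((t.txn_id, "credit limit"))
            snapshot(t, "rejected", reason="credit limit")
            continue
        ledger[t.company] = balance
        snapshot(t, "posted", balance=balance)
    return ledger, rejected


def reporting_ledger(ledger):
    """Real reports must exclude the dummy company, or the ITF itself misstates them."""
    return {c: b for c, b in ledger.items() if c != ITF_COMPANY}


def itf_evaluate(ledger, rejected, expected_balance, expected_rejected):
    """Compare the dummy company's outcome with what the auditor worked out in
    advance. Any difference points at a logic error or an unreviewed program change."""
    itf_rejected = {txn_id for txn_id, _ in rejected if txn_id.startswith("ITF-")}
    return (ledger.get(ITF_COMPANY, 0.0) == expected_balance
            and itf_rejected == expected_rejected)


def run_example():
    batch = [
        Txn("A100", "ACME", "WIDGET", 20),                  # real, posts 200.00
        Txn("A101", "ACME", "GADGET", 4, tagged=True),      # real, traced by the auditor
        Txn("ITF-1", ITF_COMPANY, "WIDGET", 30),            # ITF: should post 300.00
        Txn("ITF-2", ITF_COMPANY, "GADGET", 10),            # ITF: 250.00 breaches the limit
        Txn("ITF-3", ITF_COMPANY, "BOGUS", 1),              # ITF: unknown SKU, edit check
    ]
    ledger, rejected = process_batch(batch)
    return {
        "itf_ok": itf_evaluate(ledger, rejected, 300.0, {"ITF-2", "ITF-3"}),
        "reporting_ledger": reporting_ledger(ledger),
        "trace": batch[1].snapshots,
    }


if __name__ == "__main__":
    print(run_example())
```

The ITF transactions are chosen so that one posts normally, one exercises the credit-limit control and one exercises the input edit check; if a program change silently disabled either control, `itf_evaluate` would return `False`. The trace of the tagged transaction shows its state at input, after pricing and after posting, which is the evidence the tagging approach is meant to produce.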

       d. Selecting Recorded Data for Testing: Generalized Audit Software
              i. Much of the work performed by an auditor involves gathering
                  evidence on the correctness of an account balance through the
                  examination of details making up the balance (Transparency 8-17 lists
                  selected audit procedures to test the accounts receivable balance).
                  Fortunately, the auditor can use computer audit tools (such as ACL) to
                  increase the efficiency of many audit procedures. Software programs
                  are available to aid in performing direct tests of account balances
                  maintained on computer files.
              ii. Generalized Audit Software
                      1. GAS is a set of computer programs designed to perform
                          common audit tasks on a variety of data files. Software
                          packages such as ACL have become so powerful and versatile
                          that most firms no longer need mainframe or specialized audit
             iii. Tasks Performed by GAS
                      1. GAS can be used to read existing computer files and perform
                          such functions as footing a file; selecting a sample; extracting,
                          sorting and summarizing data; obtaining file statistics; finding
                          how many transactions or population items meet specified
                          criteria; checking for gaps and duplicates; doing arithmetical
                          calculations; and preparing custom reports. GAS is the most
                          widely used of all computerized audit techniques. ACL—
                          included with the text—is user friendly, fast, and specifically
                          designed for audit work. The audit software is valuable not
                          only when performing year-end audits but also when searching
                          for fraud (such as searching for duplicate payments made to
                          vendors). The software is relatively easy to use and follows the
                          graphical interface expected in a Windows environment.
                      2. Analyze a File
                              a. Before performing detailed testing, the auditor often
                                   wants to gain an understanding of the composition of
                                   items making up a population. In many cases, the
                                   auditor wants to know some combination such as the
                                   number of items past due profiled by dollar amount.
                                   GAS is user oriented and can be used to develop
                                   profiles of the data for audit analysis.
                      3. Select Transactions Based on Logical Identifiers
                              a. Most GAS allows the auditor to select transactions
                                   using logical conditions built from "IF",
                                   "GREATER THAN", "LESS THAN", "EQUAL TO",
                                   "OR", and "AND".
                      4. Select Statistical Samples
                              a. Virtually all audits involve statistical sampling routines.
                                   ACL can be used to select monetary unit samples,
                                   stratified random samples, simple random samples, and
                                   systematic samples.
                      5. Evaluate Samples
                              a. ACL saves the selected sample to facilitate statistical
                                   evaluation. The auditor needs only to input the
                               exceptions for statistical evaluation and projection. The
                               audited data can be statistically evaluated at the risk
                               levels and tolerable error limits pre-specified by the
                     6. Print Confirmations
                            a. ACL is used to select account balances for independent
                               confirmation by outsiders, such as customers. ACL can
                               interface with a word processing program to print
                               confirmation requests that can be attached to monthly
                               statements and sent to selected customers.
                     7. Analyze Overall File Validity
                            a. Most computer applications contain edit controls to
                               detect and prevent transactions from being recorded in
                               error. Although the auditor can test the correct
                               functioning of these controls by other means, audit
                               software can assist in evaluating the effectiveness of the
                               controls by reading the computer file and comparing
                               individual items with control parameters to determine
                               whether edit controls were overridden.
                     8. Generate Control Totals
                            a. The auditor needs assurance that the correct client file
                               is being used. ACL automatically generates control
                               totals such as a record count, the number of debit and
                               credit balances, the largest and smallest balances, and a
                               total of the balance to verify the integrity of the
                      9. Numerical Analysis
                             a. One of the more interesting features in audit software is
                                the ability to perform numerical analysis. Frank
                                Benford, a physicist, studied the leading digits of
                                numbers in many different kinds of data and observed
                                that their distribution is about the same across
                                applications: 1 is the leading digit roughly 30 percent
                                of the time and 9 less than 5 percent of the time.
                                Fabricated or manipulated amounts rarely follow this
                                pattern. ACL is often used to examine account files,
                                e.g. invoice amounts, invoice numbers and dates, to
                                identify unusual patterns in the data that may be
                                indicative of fraud.
                     10. Implementing GAS
                            a. Transparency 8-18 lists the steps that would be
                               performed by an auditor using GAS
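
The GAS tasks described above, as an added worked example written in Python rather than in ACL (the code is not from the text or from any audit software package): control totals, selection by logical condition, the duplicate-payment and sequence-gap tests, a Benford first-digit comparison and a systematic monetary-unit sample, run over a constructed cash-disbursements file. The vendor and invoice identifiers and the amounts are hypothetical.

```python
"""GAS-style tests run over a recorded data file: control totals, selection
by logical condition, duplicate and gap tests, Benford first-digit analysis
and a systematic monetary-unit sample.
The cash-disbursements file below is constructed for this example; the
vendor and invoice identifiers are hypothetical."""
import csv
import io
import math
from collections import Counter

PAYMENTS_CSV = """payment_no,vendor,invoice,amount
1001,V100,INV-7,1200.00
1002,V200,INV-8,340.50
1003,V100,INV-7,1200.00
1004,V300,INV-9,18.75
1006,V200,INV-10,2590.00
1007,V400,INV-11,75.00
1008,V100,INV-12,410.00
"""


def read_file(text):
    """Read the client file using a declared layout (the GAS 'file description')."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["payment_no"] = int(r["payment_no"])
        r["amount"] = float(r["amount"])
    return rows


def control_totals(rows):
    """Record count, footed total and extremes: evidence the right, whole file was read."""
    amounts = [r["amount"] for r in rows]
    return {"count": len(rows), "total": round(sum(amounts), 2),
            "max": max(amounts), "min": min(amounts)}


def select(rows, predicate):
    """Select records meeting a logical condition (the IF / AND / OR / > / < tests)."""
    return [r["payment_no"] for r in rows if predicate(r)]


def duplicate_payments(rows):
    """Same vendor, invoice and amount paid more than once: the duplicate-payment test."""
    seen = Counter((r["vendor"], r["invoice"], r["amount"]) for r in rows)
    return [key for key, n in seen.items() if n > 1]


def sequence_gaps(rows, key="payment_no"):
    """Missing numbers in a pre-numbered document sequence."""
    nums = {r[key] for r in rows}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


def first_digit(x):
    return f"{abs(x):.10f}".lstrip("0.")[0]


def benford_first_digit(rows):
    """Observed vs Benford-expected share per leading digit, log10(1 + 1/d).
    Meaningful only on large populations; seven rows merely show the mechanics."""
    digits = Counter(first_digit(r["amount"]) for r in rows if r["amount"] != 0)
    n = sum(digits.values())
    return {str(d): (round(digits[str(d)] / n, 4), round(math.log10(1 + 1 / d), 4))
            for d in range(1, 10)}


def monetary_unit_sample(rows, sample_size, start):
    """Systematic monetary-unit (PPS) sampling: every interval-th dollar selects
    the record containing it, so large items are more likely to be chosen.
    'start' would normally be a random point inside the first interval."""
    total = sum(r["amount"] for r in rows)
    interval = total / sample_size
    picks, cumulative, point = [], 0.0, start
    for r in rows:
        cumulative += r["amount"]
        while point <= cumulative:
            if not picks or picks[-1] != r["payment_no"]:
                picks.append(r["payment_no"])
            point += interval
    return picks


def run_example():
    rows = read_file(PAYMENTS_CSV)
    return {
        "totals": control_totals(rows),
        "large_v100": select(rows, lambda r: r["vendor"] == "V100" and r["amount"] > 1000),
        "duplicates": duplicate_payments(rows),
        "gaps": sequence_gaps(rows),
        "benford": benford_first_digit(rows),
        "sample": monetary_unit_sample(rows, sample_size=3, start=500.0),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The control totals are what the auditor agrees to the client's own file totals before relying on anything else; the duplicate test catches the same vendor invoice paid twice (payments 1001 and 1003), the gap test finds that payment 1005 is not on file, and the monetary-unit sample picks the three records containing the selected dollars, which with a fixed start are 1001, 1003 and 1006.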


       a. The auditor starts with the unique risks associated with such systems, the
          nature of processing, and an identification of the controls that should be
          tested, and then develops an approach to gather evidence that the system is
          working effectively and year-end data is correct.
       b. Risk Analysis

              i. Most of the risks associated with e-commerce systems are no different
                 from those associated with traditional information systems.
                 Transparency 8-19 lists some potentially unique risks associated with
                 e-commerce systems. Each client may also have unique risks
                 peculiar to that client.

TRANSPARENCY 8-1. Exhibit 8.1 Payroll Application Program

TRANSPARENCY 8-2. Exhibit 8.2 The Internet Virtual Network


                       General Computer Controls

General computer controls address:

 • Planning and controlling the data
   processing function.

 • Controlling applications development and
   changes to programs and/or data files and

 • Controlling access to equipment, data, and

 • Maintaining hardware to ensure that
   failures do not affect data or programs.

 • Controlling electronic communications.


                  Risks at the General Control Level

 • Applications may be run by unauthorized users, or
   data may be accessed without authorization.
 • The company may develop the wrong programs, or
   may develop the programs inefficiently, thereby
   jeopardizing the company's ability to compete.
 • The telecommunications system may not safeguard
   the system from intruders or safeguard electronic
 • The computer system may process the wrong data
   or update the wrong files.
 • Unauthorized personnel may steal or modify
   company programs or data.
 • The physical computer system may not be secured
   against unauthorized physical intrusion or attacks,
   or protected from natural disasters.
 • Users may inadvertently cause errors in programs
   or data.

                               TRANSPARENCY 8-5

        Fundamental Data Processing Control Concepts

 • The authorization for all transactions should
   originate outside the data processing department.
 • The users, not data processing, are responsible for
   authorization, review, and testing of all application
   developments and changes in computer programs.
 • Access to data is provided only to authorized
 • The data processing department is responsible for
   all custodial functions associated with data, data
   files, software, and related documentation.
 • Users, jointly with data processing, are responsible
   for the adequacy of application controls built into
   computer applications or database systems.
 • Management should periodically evaluate the
   information system function for operational
   efficiency, operating integrity, security, and
   consistency with organizational objectives for
   information technology.
 • The internal audit function should be
   adequately trained in computer auditing and
   should periodically audit applications and


                 Control Principles for Data Access

 • Access to any data item is limited to those
   with a need to know.

 • The ability to change, modify, or delete a
   data item is restricted to those with the
   authorization to make such changes.

 • The access control system can identify and
   verify each potential user as authorized or
   unauthorized for the data item and the
   function requested.

 • An active security function monitors
   attempts to compromise the system and
   reports periodically, to those responsible
   for the integrity of each data item, on who
   has accessed it.

TRANSPARENCY 8-7. Exhibit 8.4 Electronic Audit Trail—Elements of a Computer


Types Of Edit Tests Found In Most Computer Applications.

    • Alphanumeric field
    • Reasonableness of data (within pre-
      specified ranges or in relationship to
      other data)
    • Limits (data must be within specified
    • Validity (data must take on valid values)
    • Missing data
    • Sequence (items are in sequence and are
      not duplicated)
    • Invalid combinations of items
    • Other relations expected to exist in the
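
The edit tests listed above, as an added example that is not from the text: a Python validator that applies format, missing-data, limit, reasonableness, validity, invalid-combination, sequence and duplicate tests to a batch of sales-order records. Re-run over a recorded file, the same `edit_batch` function performs the "overall file validity" test described under generalized audit software, since any recorded record that fails should never have been accepted and was probably let through by an override. The field names, code values, limits and the batch itself are constructed assumptions.

```python
"""Input edit tests applied to a batch of sales-order records; the same
rules re-run over a recorded file flag records that an override let through.
Record layout, codes, limits and the batch are constructed for this example."""
import re

REQUIRED = ("order_no", "customer", "sku", "qty", "unit_price", "terms", "credit_hold")
ORDER_NO = re.compile(r"^SO\d{5}$")         # alphanumeric format test
VALID_TERMS = {"NET30", "NET60", "COD"}     # validity test: allowed code values
QTY_LIMIT = 1000                            # limit test
UNIT_PRICE_RANGE = (0.01, 5000.00)          # reasonableness test


def edit_record(rec):
    """Return the list of edit exceptions for one record (empty list = passes)."""
    errs = [f"missing {f}" for f in REQUIRED if rec.get(f) in (None, "")]  # missing data
    if errs:
        return errs
    if not ORDER_NO.match(rec["order_no"]):
        errs.append("order_no format")
    try:
        qty, price = int(rec["qty"]), float(rec["unit_price"])
    except ValueError:
        return errs + ["non-numeric qty or unit_price"]
    if not 0 < qty <= QTY_LIMIT:
        errs.append("qty outside limit")
    if not UNIT_PRICE_RANGE[0] <= price <= UNIT_PRICE_RANGE[1]:
        errs.append("unit_price unreasonable")
    if rec["terms"] not in VALID_TERMS:
        errs.append("invalid terms")
    # invalid combination: a customer on credit hold may only order cash on delivery
    if rec["credit_hold"] == "Y" and rec["terms"] != "COD":
        errs.append("credit hold requires COD")
    return errs


def edit_batch(batch):
    """Record-level edits plus batch-level sequence and duplicate tests.
    Returns {order_no: [exceptions]} for every record that fails."""
    report = {}
    for rec in batch:
        errs = edit_record(rec)
        if errs:
            report.setdefault(rec.get("order_no") or "<blank>", []).extend(errs)
    nums = [r["order_no"] for r in batch if ORDER_NO.match(r.get("order_no") or "")]
    for prev, cur in zip(nums, nums[1:]):             # sequence test
        if cur != prev and int(cur[2:]) != int(prev[2:]) + 1:
            report.setdefault(cur, []).append(f"sequence break after {prev}")
    seen = set()
    for n in nums:                                    # duplicate test
        if n in seen:
            report.setdefault(n, []).append("duplicate order_no")
        seen.add(n)
    return report


def run_example():
    base = {"sku": "WIDGET", "unit_price": "12.50", "credit_hold": "N"}
    batch = [                                          # constructed batch
        {**base, "order_no": "SO00101", "customer": "C1", "qty": "10", "terms": "NET30"},
        {**base, "order_no": "SO00102", "customer": "C2", "qty": "5000", "terms": "NET30"},
        {**base, "order_no": "SO00103", "customer": "C3", "qty": "1", "terms": "NET90",
         "credit_hold": "Y"},
        {**base, "order_no": "SO00104", "customer": "", "qty": "2", "terms": "COD"},
        {**base, "order_no": "SO00106", "customer": "C6", "qty": "3", "terms": "NET60"},
        {**base, "order_no": "SO00106", "customer": "C6", "qty": "3", "terms": "NET60"},
    ]
    return edit_batch(batch)


if __name__ == "__main__":
    for order_no, errs in run_example().items():
        print(order_no, errs)
```

Each exception names the test that failed, which is what an exception report needs; a record that passes every test simply does not appear. Note that the missing-data test returns early, because the later tests cannot be evaluated on fields that are not there.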


  Assessing Control Risk in a Computerized Environment

    • Identify important accounting applications and
      the extent of computerization within those
    • Develop an understanding of the general controls
      within data processing, such as program change
      controls and access controls, to determine how
      those controls may affect the integrity of
      important applications.
    • Develop an understanding of the flow of
      transactions in the important accounting
      applications and identify and document control
      procedures that address important processing
    • Develop a preliminary assessment of the control
      risk for the application including the types of
      errors that may be likely to occur and how those
      errors might occur.
    • If preliminary control risk is assessed at other
      than the maximum, test the controls in operation.
    • Develop an updated assessment of control risk
      based on a complete understanding of the design
      of the application and the testing of the
      effectiveness of general and application controls
      in operation.


            Controls Needed In Electronic Commerce

    • Firewalls to intercept unwanted traffic or traffic designed to
      destroy the website.

    • Encryption to keep transactions sent and received confidential
      in transit and, with keys or digital signatures held only by
      the authorized individual or company, to tie each transaction
      to that party.

    • Monitoring reports to ensure that there are no unusual
      penetration attacks or unusual volumes or types of business.

    • Electronic transmission protocols that identify partially lost
      or missing transaction data. Messages received should be
      reconciled with messages sent by the trading partner.

    • Denial-of-service protection to identify attacks and to stop the
      flow of messages from the source of the attack.

    • Integrated systems, such as ERP systems that work with the
      E-Commerce environment to enhance the efficiency of
      processing and production.

    • Website security to ensure that unauthorized or outside
      parties do not modify postings on the website.

    • Systems security and backup. The big change in Web-based
      systems is that they need to be available 24 hours a day, 7
      days per week. Well-designed computer systems will have
      built-in redundancy to ensure operations if one part of the
      system breaks down. The system should be able to shift
      network traffic to another server if one of the servers fails.

TRANSPARENCY 8-11. Exhibit 8.9 Electronic Data Interchange


             Components of a Successful EDI System
                  that the Auditor Should Review

 • Trading partner agreement.
 • Bar coding.
 • Formal contract with the VAN.
 • Formal communication system.
 • Formal process for communication.
 • Need for an automated control structure.
 • Need to identify authorized electronic


                    Key Controls in an EDI System

 • Control over authorized signatures.
 • Access controls.
 • Segregation of duties.
 • Syntactic edit checks.
 • Traditional edit checks.
 • Formal protocol for communication.
 • Logging of transactions (audit trail).
 • Batch totals.
 • Exception reports.
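
The reconciliation of messages received against the trading partner's log of messages sent (called for under the e-commerce controls above), together with batch totals and an exception report from the EDI control list, as an added example that is not from the text and follows no particular EDI standard: the partner's log carries each interchange control number and a digest of the payload, the receiver recomputes the digest and compares both record counts and amount totals. Both logs, the payloads and the field names are constructed for the illustration.

```python
"""Reconciling messages received with the trading partner's log of messages
sent, using the interchange control number, a digest of each payload and
batch totals; the differences form the exception report.
Both logs and the payloads are constructed for this example; the field
names are hypothetical, not those of any EDI standard."""
import hashlib
import json
from collections import Counter


def digest(payload):
    """Canonical SHA-256 of the payload, computed by the sender and recomputed on receipt."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def batch_totals(messages):
    """Count and amount totals; a count alone would not catch an altered amount."""
    return {"count": len(messages),
            "amount": round(sum(m["payload"]["amount"] for m in messages), 2)}


def reconcile(sent_log, received):
    """sent_log: [{'ctrl': n, 'digest': hex}] from the partner;
    received: [{'ctrl': n, 'payload': {...}}] as logged on our side.
    Returns the control numbers that are missing, unexpected, altered or duplicated."""
    sent_by_ctrl = {m["ctrl"]: m["digest"] for m in sent_log}
    recv_counts = Counter(m["ctrl"] for m in received)
    return {
        "missing": sorted(c for c in sent_by_ctrl if c not in recv_counts),
        "unexpected": sorted({m["ctrl"] for m in received if m["ctrl"] not in sent_by_ctrl}),
        "altered": sorted({m["ctrl"] for m in received
                           if m["ctrl"] in sent_by_ctrl
                           and digest(m["payload"]) != sent_by_ctrl[m["ctrl"]]}),
        "duplicate": sorted(c for c, n in recv_counts.items() if n > 1),
    }


def run_example():
    # Constructed: what the partner sent, purchase orders with control numbers 1..5.
    sent_payloads = {c: {"po": f"PO-{c}", "amount": 100.0 * c} for c in range(1, 6)}
    sent_log = [{"ctrl": c, "digest": digest(p)} for c, p in sent_payloads.items()]
    # Constructed: what arrived. 2 arrived twice, 3 arrived with a changed amount,
    # 4 never arrived; the counts agree by coincidence, the amounts do not.
    received = [
        {"ctrl": 1, "payload": sent_payloads[1]},
        {"ctrl": 2, "payload": sent_payloads[2]},
        {"ctrl": 2, "payload": sent_payloads[2]},
        {"ctrl": 3, "payload": {"po": "PO-3", "amount": 350.0}},
        {"ctrl": 5, "payload": sent_payloads[5]},
    ]
    sent_messages = [{"payload": p} for p in sent_payloads.values()]
    return {
        "exceptions": reconcile(sent_log, received),
        "sent_totals": batch_totals(sent_messages),
        "received_totals": batch_totals(received),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The record counts of both sides agree (five each), so a count-only batch total would have passed this batch; the amount total and the per-message digest are what expose the altered interchange, and the control-number comparison is what exposes the lost and the duplicated ones. A digest only detects alteration; binding the message to the sender needs the authorized-signature control listed above.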

TRANSPARENCY 8-14. Exhibit 8.10 Using Test Data in a Payroll Application

TRANSPARENCY 8-15. Exhibit 8.11 Overview of an Integrated Test Facility

TRANSPARENCY 8-16. Exhibit 8.12 Overview of Tagging and Tracing Approach

TRANSPARENCY 8-17. Exhibit 8.13 Selected Audit Procedures Performed on Detailed
Accounts Receivable Records


            Implementing Generalized Audit Software

Once arrangements have been made with the client to
facilitate audit software use, the auditor performs the
following steps:

1.     Identify the client's files to be read by audit software
       or to be downloaded to a microcomputer to be read by
       the audit software. Develop a description of the file

       •      Type and location of the file

       •     File description, including specification of each
       field (e.g., length of records and individual data fields,
       and type of field such as alpha field or numeric field)

2.     Determine the computer configuration and operating
       system on which the file is contained.

3.     Determine whether to run the software on the client's
       computer system or to download the data to a personal

4.     Extract the data from the client’s computer system.

5.     Run the software.


                Potentially Unique Risks Associated With
                           E-Commerce Systems

 • Security of system and protection against
   malicious intrusion or penetration by

 • Integrity and completeness of processing

 • Integrity of data communications

 • Trading partner agreements

 • System interdependencies

 • Paperless systems coupled with "soft
