UNIVERSITY OF LAGOS

FACULTY OF MANAGEMENT SCIENCES

DEPARTMENT OF ACCOUNTING
ACC 418: ADVANCE AUDIT AND
INVESTIGATION
 AUDIT OF COMPUTER BASED
ACCOUNTING SYSTEMS
Introduction
Every business entity has an accounting system
used in the quantitative documentation of the
financial and non financial transactions for a
specific reporting period. This accounting system
differ in sizes, nature and complexities. The
difference in accounting system is dependent on
the size of the organisation as well as the volume
of transactions within the organisation.
In the era of globalization and technological
advancement, many organisations have
migrated to the computer based accounting
system, which has reduced the usage of
paper documentation for many companies
thus influencing the audit procedure to cater
for the nature of accounting system that
exists in the organisation. This therefore
necessitates the need to understand the
audit procedure for a computer based
accounting system.
 Learning objectives:
At the end of this class, students are expected to
understand the following:
- Definition of computer audit
- Origins of computer audit
- Nature of computer audit
- Computer Auditors
 Computer Audit
Auditing procedure is the same for all organisations,
however, the nature and size of the business is what
determines the audit procedure.
Computer audit may be defined as the audit of the
accounting software as well as the review of the clerical
procedures and the production of compliance based audit
work programmes thereby providing a wider systems
audit service.
It is noteworthy to state that different organisations
operating in the same sector may have different
approaches to computer audit.
 Origin of Computer Audit
The history of traditional auditing can be traced
back to centuries past, while computer audit is a
relatively recent development, which was borne
from the need to match up with the current
technological advancement and accounting
information system.
Major organisations in the United Kingdom
established computer audit in the late 1970s.
This development has however been adopted by
most corporations, including those in developing
organisations.
 Transition to System Audit
Modern day computing can be traced to 1833 when
Charles Babbage produced different calculators in
1833, with the 1st generation computers being
used after the second world war, when there was
a widespread development of valve technology.
Information technology has advanced from one level
of development to another, and currently data is
stored in the cloud, which has led to the era of
cloud computing.
Information technology has impacted the world
socially, economically and politically, thus
changing the process of doing things. In the
past, business is limited to physical
transaction, however, this has changed due to
technological advancement.
As a result of technological advancement, audit
process has also changed in line with
accounting information system, which has also
changed as a result of technological changes.
 Nature of Computer Audit
The manual audit and the IT audit will achieve
the same result, however, the level of security
and control required differs. The level of risk
exposure associated with the audit of an IT
system is higher than the audit of a manual
accounting system. This has made it important
that a higher level of security and control
measures are put in place and maintained to
minimise the risk.
 Electronic Data Proessing (EDP) Risk

There are basically two major risk associated with

and Electronic Data Processing enterprise.
These are:
1. General/Organizational risks
2. Application/Procedural risks
The general risks are those risks that can affect
any organisation and are not within the
capacity of the user to eliminate, but can be
controlled.
The general/organizational risks can be
subdivided into:
1. Administrative risks; and
2. System Development risks
Administrative risks are those risk that relate to
the usage of the computer by an
unauthorised person or for an unauthorised
person, damages to the computer system,
loss of data, overwriting of computer files,
breakdown of computers, power failure, etc.
System Development risks are those risks
related to the development of new
programs/system without the authority’s
consent, programming errors, poor
documentation of the system and programs,
unauthorised amendment to existing
programs/system.
 Application/Procedural Risks
This is the type of risk that is associated with the
users of the system/application in the process of
inputing and generating data. These will include:
- Risk of invalid input of data
- Risk of incomplete input data
- Risk of incomplete data conversion
- Risk of incomplete processing
- Risk of incomplete output
- Risk of unauthorized amendment of data in the
computer
Computer information technology in a
computerised accounting system becomes the
auditor’s tool as well as the subject of
inspection in system audit.
This therefore makes it of great importance to
put in place adequate control measures to
mitigate all the risks associated with Electronic
Data Processing (EDP).
The control measures should be in line with the
risk exposure as identified in the business
enterprise.
The following are the objectives of control in a
Computerised Accounting System:
-Ensure that the CAS activities are carried out in an
orderly and efficient manner
Ensure that the CAS facilities are properly safegaurded
Ensure that CAS policies established by management
are strictly adhered to throughout the organization
Ensure that systems and programs are properly and
correctly developed
Ensure the completeness, accuracy and validity of the
input data, data conversion, processing and the
output.
The components of the functional part of the
Computer Accounting System software are the
database management system and the
application software supporting the
accounting system automation.
Information technology has allowed processing
of large data, making the methodological basis
of audit more complete and relevant to
modern business requirements.
Audit within a Computerised Accounting

Audit Objective
The use of computer for processing accounting
information does not in any way affect the credibility
of the financial report. So also is auditing of
accounting information in a computerised accounting
system. It does not affect the scope and objective of
the audit process, it only affects the approach.
The auditor is expected to report on the true and fair
view of the audited financial report. He must state if
the proper books of account were kept within the
computerized environment.
Audit procedures
The use of computer does not affect the basic
principles of audit. Auditor must:
1. Plan the audit
2. Ascertain and record the accounting and
Internal control procedure
3. Evaluate the controls
4. Test the controls, transactions and balances
5. Review the financial statements
6. Report on the financial statements
Though the audit objectives and procedures are not
affected, the auditor will be required to effect
changes or modifications in some areas. These
include:
a. Changes in the timing of the initial audit visit. The
auditor is required to review the system when a
new audit engagement is accepted or there is an
installation of a new system or program by an old
client. This approach is acceptable because it will
be difficult for the computer to accept any other
recommendation after implementation.
Once a decision is made to computerise an
accounting system, it is a normal step for the
auditor to visit the organisation.
The auditor should discuss all the controls
required with the management in addition to
the output that the auditor needs for his audit
process.
The auditor visits the organisation immediately
the accounting system design has been
completed but before implementation.
Timing of the audit visit
In a computer accounting system, there may be
few or no documentary evidences if input and
output processing computer files are
overwritten or has been destroyed after
processing. This therefore requires that the
auditor increases the frequency of the audit
visit in order to be able to carry out both
compliance and substantive tests.
This will enable the auditor perform his tests very
close to when transactions are processed.
Nature of audit test
There will be changes in the nature of audit test, which will
involve the following:
- Review of exception report
- Usage of alternative audit test such as physical verification
and third party confirmation
- Manual recreation of input data where practicable
- Placing greater emphasis on reasonableness test over
computer total rather than on individual transaction
- Changes in the sample size of items to be tested
- The use of Computer Aided Audit Tools (CAAT) in order to
solve the problem associated with change or loss in audit trail
in a computerised accounting system in order to enhance the
effectiveness and efficiency of the audit process.
 Audit Techniques
The audit of the database management system requires
the following techniques:
- General evaluation
- Subject check of the embedded algorithms of
information processing
Audit of the client software algorithms is carried out by
means of the control data method, which is reduced to
such procedures as creation of another database of test
data with imaginary objects (employees, creditors,
material values) and the formation of reporting, which
are subjected to mandatory verification.
 Steps for audit of a computerised
accounting system
The following are the main steps of the audit
process for a computerised accounting system:
1. Conduct of the initial review (Audit planning)
2. Review and assessment of the internal controls
3. Compliance test (testing the internal controls)
4. Inspection of the application software
5. Substantive test (testing the detailed data)
6. Reporting (conclusions and findings)
 Computer Fraud
Fraud and financial misappropriation will have a
negative impact on any organisation. Fraud and
financial misappropriation can easily be carried
out in a computer based accounting system,
which makes system audit important and highly
exposed to the risk associated with the work.
However, when considering computer audit it
important to note that the basic control
objectives and principles do not change.
Errors and fraud are prevalent in the modern
accounting practice due to its focus on
automated data processing.
The following are the common instances of
computer fraud and abuse:
- Unauthorised disclosure of confidential
information
- Unavailability of key IT systems
- Unauthorised modification/destruction of
software
- Theft of IT hardware and software
- Use of IT facilities for personal business
THANK YOU