Computer Auditing Lecture Slides


COMPUTER AUDITING

CHAPTER 5

LEARNING OUTCOMES
• Introduction to computer auditing
• Governance of technology
• General controls
• Application controls
• Advanced technologies
Introduction
• As an auditor, you will be exposed to
computerised financial reporting systems at
your audit clients.
• The majority of businesses you will audit use
computers to:
o Capture
o Record and process transactions
o Produce the accounting records and other
information
Introduction
• The extent to which businesses use computers
varies considerably
Examples
o A small company such as an independent dentist
practice may have one or two stand-alone personal
computers (PCs) with basic bookkeeping programs
that are used to manage the business.
o A large company such as a bank, big supermarkets,
etc. will have a sophisticated computer system using
micro-computers as servers and workstations. Such
companies will have data centres and a number of
highly qualified personnel.
Introduction
• You are not expected to be an IT expert.
o A basic understanding and knowledge of
computers will help you to easily navigate
through auditing.
• Nowadays, even small businesses pay salaries
and creditors via electronic fund transfer
(EFT), so some knowledge of how this is
controlled will be important when auditing
certain areas such as payroll and acquisitions
& payments cycles.
Introduction
• It is important to note every business has
different information needs
• Different programs do a great number of
different things and will be supported by
different policies and procedures.
• Documents (both soft and hard copies) will be
designed to meet users’ specific needs and
terminologies will vary greatly.
• When you start working as the auditor, the
detail will become second nature to you
o You need to focus on basics for study purposes
Introduction
• A client’s computer environment (i.e. a combination of
hardware, software and personnel) will directly affect the
audit strategy and audit plan:
• The strategy adopted to audit a bank may require the use of
computer audit experts due to the complexity of their
computerised systems.
o The fact that banks process millions of transactions will require that the
audit strategy focus on tests of controls, which in turn will affect the
audit plan.

• The software used by a large company is likely to be far more
sophisticated and highly integrated
o This means that applications work together, e.g. a credit sale
automatically updates the inventory records, the debtors ledger and
the general ledger, and the software has many other control features
for input, processing and output.
Introduction
A client’s computer environment (i.e. a combination of
hardware, software and personnel) will directly affect the
audit strategy and audit plan:
• The strategy for the audit of a small company with one or two
bookkeepers and a number of PCs will NOT require specialist
computer skills, and will probably be focused on substantive
testing.
• A small business may use a simple software for each
application which is not linked to any other application e.g.
o A simple computerised perpetual inventory application may require
that all movements of inventory such as receipts, issuing of inventory
will be entered onto the system by capturing the information from
hard copy goods received notes (GRNs) and delivery notes.
Introduction
A client’s computer environment (i.e. a combination of hardware,
software and personnel) will directly affect the audit strategy
and audit plan:
• The use of computer assisted audit software (CAATs) will be critical on
some audits and less important (if at all) on others.
o E.g. the efficient and effective audit of debtors for a large company with 8
000 debtors will not be possible without using audit software to interrogate
the debtors Masterfile, analyse it, extract samples from it, reperform
calculations, casts, and extensions, etc.
o In a small business with 300 debtors, this may not be necessary since it may
be more efficient to carry out manual audit procedures.

• The capabilities of the accounting software determine the:
o Validity
o Accuracy, and
o Completeness of the information it produces, and the way in which the
information is audited.
Introduction
• Regardless of the size of the company and
whether its systems are hardly computerised or
extensively computerised, management is still
responsible for:
• Implementing the internal controls, and
• Maintaining the internal controls.

• From the auditor's perspective, if the information produced by the
client's systems (including the accounting system) is valid, accurate
and complete,
o the risk of material misstatement in the financial statements is
significantly reduced.
Governance of Technology
• The board of directors should set direction for
how technology and information should be
approached by approving an IT policy.
• The IT policy forms the foundation for the
development of an IT governance framework.
• The IT governance framework should support
the effective and efficient management of IT
resources, including:
o The implementation of sound risk
management system and internal controls
Governance of Technology
• The IT policy should be based on the company’s specific
requirements to ensure that a company achieves its strategic
objectives.
• The IT policy must integrate into the entire organisation and
must be designed to improve business processes.
• IT has become the centre of any business activity and has an
impact on both operational and strategic levels

Advantages of good IT governance practices
o The company's reputation is improved.
o Strategically aligning IT with business goals and processes
makes business operations more efficient and creates a
competitive advantage.
Governance of Technology
Advantages of good IT governance
• Management gains a better understanding of IT, which leads to better
decision-making because timely and quality information is available.
• Compliance with laws and regulations is improved.
• Risk management procedures are improved, which reduces (but does not
eliminate) the likelihood of systems being compromised.
Lack of good IT governance increases the following risks:
• Interruption of operations, e.g. machines and production lines stopping
because systems are offline.
• Loss of information, which may compromise the confidentiality of
sensitive information.
• Unauthorised access to, use of and changes to information.
• Systems become less available, less reliable and function less
effectively.
Two Broad Categories
of Controls can be
implemented within
the IT environment
• General information technology (IT) controls
(previously referred as General Controls)
• Information Processing Controls (previously
referred to as Application Controls)
General IT Controls
(previously referred
to as General
Controls)
• IT general controls are those which establish an overall
framework for computer activities.
• These are controls that must be in place before any
processing of transactions; they apply to the entire system,
e.g.:
o Password log-in (onto the laptop)
o Security ID (into the building)
o Backups (where and how they are done)
• They are implemented to address the risks arising from IT
and must be in place before transactions can be processed.
Information Processing
Controls (previously
referred to as
Application Controls)
• Application controls are controls that are relevant
to a specific task within a cycle of the accounting
system;
• They can be preventive, detective and corrective
in nature
• Examples of applications: Learn system, Sage Accounting, HR system
• Who can log into the system: roles and tasks
General IT Controls
(previously referred
to as General
Controls)
• General controls include controls over:
o Data centre and network operations
o Software acquisition, change and maintenance
o Application system acquisition, development and maintenance
o Access security
General Controls
There are six categories of general controls, namely:
• Organisational controls and personnel practices
o These are controls around policies, procedures and
operations, as well as staff practices implemented by the
company.
o They must promote integrity, commitment to ethical value
and competence
o When implementing organisational controls, management
should follow a top-down approach.
This starts with creating an ethical culture and control
environment.
Organisational Controls & Personnel Practices
Failure to implement a proper organisational structure exposes the
company to the following risks:
• Unauthorised transactions and activities being initiated by
unauthorised persons
• Collusion that could result in theft and fraud
• Multiple functions that were previously performed by separate
individuals now being performed by a single application,
resulting in unauthorised transactions being initiated and
executed because of a lack of segregation of duties
• Misstatements going undetected because there is not
sufficient supervision and review in place
• Untrustworthy or incompetent people being employed
because of poor staff practices, resulting in errors and fraud
(this can also affect staff morale).
Organisational Controls & Personnel Practices

Delegation of responsibility
• The board of directors must take responsibility for IT
and IT governance.
• It is important for the board to communicate the
corporate culture to employees through policies and
procedures.
• All employees (including management) should comply
with the company’s policies and procedures
o Action should be taken against any and all employees
who do not comply.
• Some responsibilities of IT governance can be
delegated to the Computer Steering Committee.
Organisational Controls & Personnel Practices
Delegation of responsibility
• The Computer Steering Committee will be responsible for:
o managing IT and
o acts as a communication channel between the user department and IT
department.
• The Computer Steering Committee should consist of
knowledgeable executive management
o Executive management should have business & IT background and solid
experience.
• A company should also appoint a Chief Information Officer
(CIO).
• The Chief Information Officer:
o takes responsibility for the direction of IT and
o communicates with the board and its committees such as the
Computer Steering Committee and the Audit Committee about IT
matters.
Organisational Controls & Personnel Practices
Delegation of responsibility
• The day-to-day management of IT can be delegated to an IT
Manager.
• The IT Manager will be responsible for managing the staff in the
IT department.
• The IT department’s staff is responsible for individual
operational tasks such as:
o Programming (programmers)
o Database administration (database administrators)
o Operating the help desk (help desk operators)
• The IT staff often have the IT technical knowledge, but limited
business experience.
• It is important to establish clear reporting lines and levels of
authority, through which IT staff can communicate with and
report to the board on regular basis.
Organisational Controls & Personnel Practices

Segregation of duties
• A general principle behind segregation of duties is that no
staff member should be able to perform incompatible
functions
• Initiation, authorisation, execution, recording and asset
control should be segregated.

Proper segregation of duties mitigates the following risks:
• Staff authorising fictitious or inaccurate transactions in order to
conceal theft of assets
• Staff adjusting records in order to cover up inaccurate or
falsified entries that were improperly authorised
• Staff falsifying records in order to conceal theft of assets.
Organisational Controls & Personnel Practices

Segregation of duties
• All incompatible duties should further be segregated in
the IT department and between IT and user
departments.

Proper segregation of duties between IT and user departments involves:
• IT department being organisationally separate from user
departments
• IT department reporting directly to executive management
• IT department not being enabled to initiate or authorise
transactions, or
o Change transactions or Masterfile data
Organisational Controls & Personnel Practices
Segregation of duties
Proper segregation of duties between IT and user departments
involves:
• IT department not being enabled to gain access to:
o company resources (that are outside their scope of work),
o physical assets such as inventory,
o documentation such as invoices, receipts, etc.
o non-physical assets such as the inventory, debtors and creditors
Masterfile data
• IT department not being enabled to initiate work or correct user
errors unless this has been requested and authorised by the
user department
• Once IT personnel have assisted the staff in the user department,
the responsibility for ensuring that work carries on and the
underlying data and records is “safeguarded” still remains the
responsibility of the user department.
Organisational Controls & Personnel Practices
Segregation of duties within the IT department
Proper segregation of duties within the IT department
involves:
• All job functions being segregated. At a minimum, segregation
of duties is required between the:
o Development function,
o Operations function, and
o Security function.
• Segregation between:
o Initiation
o Authorisation
o Processing
o Executing
o Custody, and the
o Reporting functions within the IT department.
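The segregation rules above can be checked mechanically against a system's access list. The following is an added example (not code from the slides or from any named product): it defines a table of incompatible functions, maps each system role to the functions it grants, and reports every user whose combined roles let them perform an incompatible pair. The role names, the function pairs and the sample access list are constructed assumptions for the example.

```python
"""Segregation-of-duties (SoD) review of an access list (added example)."""
from itertools import combinations

# Functions one person must never hold together. Hypothetical table that
# follows the slides: initiate/authorise/record/custody across the business,
# and development/operations/security within the IT department.
INCOMPATIBLE = {
    frozenset({"initiate", "authorise"}),
    frozenset({"authorise", "record"}),
    frozenset({"record", "custody"}),
    frozenset({"initiate", "custody"}),
    frozenset({"development", "operations"}),
    frozenset({"development", "security"}),
    frozenset({"operations", "security"}),
}

# Which function(s) each system role grants (constructed mapping).
ROLE_FUNCTIONS = {
    "purchasing_clerk": {"initiate"},
    "purchasing_manager": {"authorise"},
    "creditors_clerk": {"record"},
    "storeman": {"custody"},
    "programmer": {"development"},
    "computer_operator": {"operations"},
    "security_admin": {"security"},
}


def functions_for(roles):
    """Union of the functions granted by a user's roles; unknown roles grant nothing."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_conflicts(roles):
    """Return the incompatible function pairs a single user holds, in sorted order."""
    conflicts = []
    for a, b in combinations(sorted(functions_for(roles)), 2):
        if frozenset((a, b)) in INCOMPATIBLE:
            conflicts.append((a, b))
    return conflicts


def review_access_list(access_list):
    """Map each user with at least one SoD conflict to their list of conflicts."""
    findings = {}
    for user, roles in access_list.items():
        conflicts = sod_conflicts(roles)
        if conflicts:
            findings[user] = conflicts
    return findings


# Constructed sample access list, as an auditor might extract it from the system.
SAMPLE_ACCESS_LIST = {
    "thandi": ["purchasing_clerk"],
    "sipho": ["purchasing_clerk", "purchasing_manager"],   # initiates and authorises
    "lerato": ["programmer", "computer_operator"],          # development and operations
    "ahmed": ["creditors_clerk", "unknown_role"],           # unknown role is ignored
}

if __name__ == "__main__":
    for user, conflicts in review_access_list(SAMPLE_ACCESS_LIST).items():
        print(f"{user}: {conflicts}")
```

Running the review over a real extract would take the role-to-function mapping from the client's own documentation; the point of the check is that conflicts arise from the combination of roles, so a user must be evaluated on all roles held, not on each role in isolation.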
Organisational Controls & Personnel Practices

Organisational controls and personnel practices include four sub-controls:
• Responsibility levels (also known as delegation of
responsibility)
o Corporate structure (also known as the organogram), including
the audit structure
o Reporting lines, which limit the overriding of controls over
transactions
• Segregation of duties: between departments and
o within the IT department
• Staff practices such as human resource policies (which
include the code of conduct)
• Supervision and review (which include performance
management and personal development)
Organisational Controls & Personnel Practices

Reporting, supervision and review
• All work that is performed by IT staff must be initiated by
staff in the user department.
• The user department ultimately remains responsible for
the information contained in the company’s records
• User department can perform various checks to ensure the
integrity of the data, which includes:
o High-level review
o Analytical reviews and ratios
o Reconciliation of data on the system with data from independent
or external sources
o Independent reviews
Organisational Controls & Personnel Practices
Personnel practices
Policies and practices should be in place to ensure that competent IT
staff are hired and managed. The policies must address the following:
• The process of employing staff
• Acceptable professional and personal behaviour, and use of
company resources
• Leave policies relating to compulsory leave and sick leave, taking
into account the need for continuity of operations and
completion of work (and deadlines)
• Staff scheduling and rotation of duties
• Ongoing training of staff
• Continuous evaluation of staff
• Dismissal and resignation of staff.
System Development Controls and Change
Controls

• System development controls
o These are controls that must be implemented when acquiring or
developing a new computer program, as well as when changes are
made to the computer system.
• Change controls
o These controls are applicable where a feature or part of a software
package is added or amended.

These controls include:
• Request and needs assessment
• Project management
• Planning and design
• Development and testing
• Implementation
• Post implementation review
General Controls
• Business continuity controls
o These controls are implemented to protect the system against
damage from physical threats such as fire and water.
o The system must also be protected from cyber threats such as
viruses.
o Business continuity basically refers to controls that enable the
company to resume operations in the shortest possible time
after being exposed to the above-mentioned threats.
• Operating controls:
o These controls are implemented to ensure the efficient and
effective day-to-day running of the hardware and software.
o These controls include maintenance of the computer system.
Business Continuity Controls
Business continuity controls include preventative
controls and detective & corrective controls
• Preventative controls safeguard the operating
environments against physical and non-physical threats.
• Detective and corrective controls are controls that enable
the company to resume operations after a disaster, which
include:
o Backups
o Disaster recovery plan
Operating Controls
Operating controls include:
• Scheduling and production runs/processing
• Operating activities and use of assets
• Library controls
• Logs and registers
• Business continuity controls
General Controls
• Access controls
o These controls should be implemented to prevent and detect
unauthorised people obtaining access to the organisation's data
or performing unauthorised activities.
o Access controls are controls, physical or computerised, that are
implemented to prevent unauthorised persons from gaining entry.
o These controls should be implemented around the company's
premises (physical access controls) and the computer information
system (logical access controls).
Access Controls

Access controls also include preventative controls and detective &
corrective controls
• Preventative controls include:
o Security management and policy
o Physical access controls to control access to
 Facilities
 The system
 Data
o Logical access controls: read, change and delete rights
o Library controls: an employee is made responsible for securing and
managing data, which limits the rights of other users
• Detective and corrective controls include:
o Logs and reviews must be conducted
Application Controls
• Application controls cannot be viewed in isolation from general
controls since
o application controls are dependent on general controls that provide the
control environment within which they function.
• Input controls should be implemented to ensure that:
o all transactions are recorded (completeness), e.g. mandatory fields
o transactions are recorded correctly (accuracy), e.g. calculation of VAT
o transactions are neither duplicated nor fictitious/invalid (validity),
e.g. debits equal credits (DR = CR)
• Controls are also implemented to ensure that rejected inputs are:
o identified,
o investigated,
o corrected, or
o re-entered.
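The three input-control objectives and the handling of rejected inputs can be seen together in code. The following is an added example, not code from the slides: each captured supplier invoice is checked for completeness (mandatory fields present), accuracy (VAT recalculated by the program) and validity (debits equal credits, no duplicate document number), and a rejected item is placed on a register so that it is identified, corrected and re-entered rather than silently lost. The field names, the VAT rate of 15% and the sample batch are constructed assumptions.

```python
"""Input controls over a batch of supplier invoices (added example)."""
from decimal import Decimal, ROUND_HALF_UP

VAT_RATE = Decimal("0.15")          # assumed rate for the example
CENT = Decimal("0.01")
MANDATORY = ("doc_no", "date", "supplier", "net", "vat", "lines")


def expected_vat(net):
    """Programmed accuracy check: the VAT the system itself computes for a net amount."""
    return (Decimal(net) * VAT_RATE).quantize(CENT, ROUND_HALF_UP)


def validate_invoice(inv, seen_doc_nos):
    """Return a list of error strings; an empty list means the input is accepted."""
    errors = [f"missing mandatory field '{f}'"
              for f in MANDATORY if inv.get(f) in (None, "", [])]
    if errors:                      # completeness: an incomplete input is not checked further
        return errors
    if Decimal(inv["vat"]) != expected_vat(inv["net"]):   # accuracy
        errors.append(f"VAT {inv['vat']} does not equal {expected_vat(inv['net'])}")
    debits = sum(Decimal(line.get("dr", "0")) for line in inv["lines"])
    credits = sum(Decimal(line.get("cr", "0")) for line in inv["lines"])
    if debits != credits:                                  # validity: DR = CR
        errors.append(f"debits {debits} do not equal credits {credits}")
    if inv["doc_no"] in seen_doc_nos:                      # validity: no duplicates
        errors.append(f"duplicate document number {inv['doc_no']}")
    return errors


def capture_batch(batch, accepted=None, rejected=None, seen_doc_nos=None):
    """Capture a batch; returns (accepted, rejected register, seen doc numbers).

    The three collections are passed back in so that corrected items can be
    re-entered against the same state, and a successful re-entry closes the
    open register item for that document number.
    """
    accepted = [] if accepted is None else accepted
    rejected = [] if rejected is None else rejected
    seen_doc_nos = set() if seen_doc_nos is None else seen_doc_nos
    for inv in batch:
        errors = validate_invoice(inv, seen_doc_nos)
        if errors:
            rejected.append({"doc_no": inv.get("doc_no"), "errors": errors, "status": "open"})
            continue
        accepted.append(inv)
        seen_doc_nos.add(inv["doc_no"])
        for entry in rejected:
            if entry["doc_no"] == inv["doc_no"] and entry["status"] == "open":
                entry["status"] = "resolved"
    return accepted, rejected, seen_doc_nos


def invoice(doc_no, supplier, net, vat, date="2024-03-01"):
    """Build a constructed invoice with the usual three-line posting."""
    gross = Decimal(net) + Decimal(vat)
    return {"doc_no": doc_no, "date": date, "supplier": supplier, "net": net, "vat": vat,
            "lines": [{"account": "purchases", "dr": net},
                      {"account": "vat_input", "dr": vat},
                      {"account": "creditors", "cr": str(gross)}]}


SAMPLE_BATCH = [   # constructed input batch
    invoice("INV-1001", "Acme Ltd", "1000.00", "150.00"),   # correct
    invoice("INV-1002", "Bolt CC", "200.00", "25.00"),      # VAT miscalculated
    invoice("INV-1001", "Acme Ltd", "1000.00", "150.00"),   # captured twice
    {"doc_no": "INV-1003", "supplier": "Cable (Pty) Ltd"},   # incomplete
]


def run_example():
    """Capture the sample batch, then correct and re-enter the VAT error."""
    accepted, rejected, seen = capture_batch(SAMPLE_BATCH)
    corrected = invoice("INV-1002", "Bolt CC", "200.00", "30.00")
    capture_batch([corrected], accepted, rejected, seen)
    return accepted, rejected
```

The duplicate INV-1001 and the incomplete INV-1003 stay open on the register after the run; they need investigation by the user department, which is exactly the review step the slides describe.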
Application Controls
• If the input controls objectives are not addressed, or
• The input process is not effectively managed, or
• The controls are not implemented effectively,
o it could result in the following risks:
 Unauthorised transactions being entered onto the system
 Data already in the system being added to, deleted, or amended
without authorisation
 Errors occurring during the creation of data on the source
document, or during the capturing of data onto the computer
application
 Further errors being made while correcting other errors
 Errors previously made going undetected or uncorrected
 Data being lost during capturing or data not being captured at all
Application Controls
Recording of data (input)
When recording data onto a computer, controls should be
applied to the following:
• The person capturing the document or data (access privileges)
• The computer screen that aids the person capturing the
data (screen aids), e.g. terms and conditions
• Checking the validity, accuracy and completeness of data
that was captured by means of controls programmed into
the software (logical programmed controls)
• Management reviews of data that was captured in order to
identify and correct any errors timeously.
Application Controls
Processing controls
• Processing occurs in the computer with little or no user
interaction: the user may only need to click a button to start
processing
• Logical processing controls are designed to ensure the integrity
of data during processing: the system tests the data for logic
and may give an error message
• If processing is not managed effectively, or if processing controls
are not implemented effectively, the following risks may occur:
o Data getting lost, corrupted or unintentionally changed during
processing
o Existing data being duplicated
o Invalid data being added during processing
o Calculation or accounting errors occurring
o Incorrect version of the program or data file being used
Application Controls
Processing controls
Controls have to be implemented over the following:
• Access to the programs and data stored on the system
• Assigning responsibility for processing, file management
and maintenance
• Ensuring validity of programs and files used before
processing can take place
• Calculation of control totals, and checking of control
reports generated
• Actively testing and identifying data and processing errors
while transactions are processed
• Maintenance, review and investigation of audit trails &
reports
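Control totals are the processing control most worth seeing in action. The following is an added example, not code from the slides: a record count, a financial total and a hash total (a sum of account numbers that has no business meaning but changes if a record is altered) are computed over the input batch, recomputed over what the processing run actually posted, and any difference is reported. The ledger posting, the injected faults and the sample batch are constructed for the example.

```python
"""Batch control totals around a processing run (added example)."""
from decimal import Decimal


def control_totals(records):
    """Three standard batch totals over a list of {account, amount} records."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["account"] for r in records),   # meaningless sum, useful check
    }


def post_to_ledger(records, fault=None):
    """Simulated processing run; `fault` injects one failure mode for demonstration."""
    out = [dict(r) for r in records]
    if fault == "drop":             # a record is lost during processing
        out.pop(1)
    elif fault == "duplicate":      # a record is processed twice
        out.append(dict(out[0]))
    elif fault == "wrong_account":  # amount unchanged, posted to the wrong account
        out[2]["account"] += 1
    ledger = {}
    for r in out:
        ledger[r["account"]] = ledger.get(r["account"], Decimal("0")) + r["amount"]
    return out, ledger


def reconcile(before, after):
    """Differences between input and output totals; an empty dict means they agree."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def run_batch(records, fault=None):
    """Process a batch and return (control-total differences, resulting ledger)."""
    before = control_totals(records)
    processed, ledger = post_to_ledger(records, fault)
    return reconcile(before, control_totals(processed)), ledger


SAMPLE_BATCH = [   # constructed cash-receipts batch
    {"account": 10001, "amount": Decimal("250.00")},
    {"account": 10042, "amount": Decimal("99.50")},
    {"account": 10007, "amount": Decimal("1200.00")},
]

if __name__ == "__main__":
    for fault in (None, "drop", "duplicate", "wrong_account"):
        print(fault, run_batch(SAMPLE_BATCH, fault)[0])
```

The `wrong_account` case is why the hash total exists: the record count and the financial total still agree, so only the hash total reveals that a receipt was credited to the wrong debtor.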
Application Controls
Output controls
• Output is a product of processing activities
• The objective of output controls is to ensure that output is:
o valid and prepared accurately and completely irrespective of its
nature
o in an appropriate format
o only distributed to specific authorised persons: Salary Report
• If output is not managed effectively, or if output controls
are not implemented effectively, the following risks may
occur:
o Output may be distributed to unauthorised people
o Output may be inaccurate or incomplete, which may result in
incorrect management decisions
o Output may not agree with the underlying data from the system
Application Controls
Output controls
The following output controls must be implemented:
• Limiting access to the output
o Responsibility should be assigned for distribution of output
• Ensuring the content of output is appropriate and correct,
and is:
o Distributed to authorised people only
o Accurate and complete to promote correct management decisions
o Agreeing with the underlying data from the system
o Reviewed to ensure that it was properly distributed and correct
distribution process was followed
Application Controls
Masterfile amendment controls
• Master files contain standing data that is frequently used by the
accounting system
• Data contained in the master files is not changed frequently
• Master files amendments are when the master files or standing
data in the master files is:
o Changed,
o Updated, or
o Added to the system, e.g.:
 A debtors Masterfile has to be updated when a client updates their
home address or contact numbers or email address
 The price Masterfile is changed when the new authorised price list is
loaded onto the computer system, price change of VAT and tax changes
• Masterfile changes tend to be high risk because the data being
changed may be used in various calculations and these changes do
not occur during the normal business operating cycles.
Application Controls
Masterfile amendment controls
• A data error in the Masterfile could have a significant
impact on the accounting system because
o the one error will influence all transactions that rely on that
Masterfile
• Therefore, controls over authorisation of Masterfile
amendments and reviews performed after those
amendments have been processed are crucial
• Controls over Masterfile amendments also rely significantly
on input controls
Application Controls
Masterfile amendment controls
If Masterfile amendment process is not managed effectively,
or if controls are not implemented effectively; the following
risks may occur:
• Unauthorised amendments
• Not all authorised amendments being updated on master files
• Errors in capturing amendments, which may result in financial
information that is dependent on the Masterfile being
processed incorrectly
• Errors contained in the Masterfile data being undetected
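The authorisation and post-amendment review controls above can be enforced and tested in code. The following is an added example, not code from the slides: an amendment to a debtors Masterfile must be requested, authorised by a different person and only then applied, every applied amendment is logged, and a review compares a snapshot taken before the run with the Masterfile afterwards and reports any change that has no authorised log entry behind it. The names, fields and data are constructed.

```python
"""Masterfile amendment controls: authorise, apply, review (added example)."""
import copy


class AmendmentError(Exception):
    pass


def request_amendment(masterfile, key, field, new_value, requested_by):
    """Record what is to change and who asked for it; nothing is applied yet."""
    if key not in masterfile or field not in masterfile[key]:
        raise AmendmentError(f"unknown {key}/{field}")
    return {"key": key, "field": field, "old": masterfile[key][field],
            "new": new_value, "requested_by": requested_by,
            "authorised_by": None, "status": "requested"}


def authorise(amendment, authorised_by):
    """Segregation of duties: the requester may not authorise their own change."""
    if authorised_by == amendment["requested_by"]:
        raise AmendmentError("requester may not authorise their own amendment")
    amendment["authorised_by"] = authorised_by
    amendment["status"] = "authorised"
    return amendment


def apply_amendment(masterfile, amendment, log):
    """Apply an authorised amendment and write it to the amendment log."""
    if amendment["status"] != "authorised":
        raise AmendmentError("amendment not authorised")
    current = masterfile[amendment["key"]][amendment["field"]]
    if current != amendment["old"]:
        raise AmendmentError("record changed since the amendment was requested")
    masterfile[amendment["key"]][amendment["field"]] = amendment["new"]
    amendment["status"] = "applied"
    log.append(dict(amendment))
    return amendment


def review_amendments(snapshot, masterfile, log):
    """Post-amendment review: every changed field must be backed by a log entry."""
    logged = {(e["key"], e["field"], e["old"], e["new"]) for e in log
              if e["status"] == "applied" and e["authorised_by"]}
    unauthorised = []
    for key, record in masterfile.items():
        for field, value in record.items():
            old = snapshot.get(key, {}).get(field)
            if value != old and (key, field, old, value) not in logged:
                unauthorised.append((key, field, old, value))
    return unauthorised


def run_example():
    """One proper amendment and one direct edit that bypasses the workflow."""
    debtors = {"D001": {"name": "Acme Ltd", "address": "1 Old St", "credit_limit": 5000},
               "D002": {"name": "Bolt CC", "address": "9 Mill Rd", "credit_limit": 2000}}
    snapshot = copy.deepcopy(debtors)   # taken before the amendment run
    log = []
    amd = request_amendment(debtors, "D001", "address", "22 New Ave", "clerk_thandi")
    authorise(amd, "credit_manager_sipho")
    apply_amendment(debtors, amd, log)
    debtors["D002"]["credit_limit"] = 50000   # e.g. edited directly in the database
    return review_amendments(snapshot, debtors, log), log

if __name__ == "__main__":
    print(run_example()[0])
```

The review depends on the snapshot being taken independently of the people who can amend the Masterfile; if the same person controls both, the control reduces to the access controls around the database.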
Advanced Technologies
• The controls that were discussed on the previous slides
are also applicable to advanced technologies.
• All technologies, irrespective of their nature, are made
up of different combinations of:
o Input,
o Processing,
o Output,
o Masterfile amendments, and
o Communication controls.
Advanced Technologies
The following process can be followed when implementing or
evaluating controls over any form of technology:
• Obtain an understanding of the technologies being considered
or used.
• Use understanding of the technologies and control objectives
to identify relevant risks
• Identify and evaluate adequacy of existing controls already in
place
• Break the technology down into its components, e.g.:
o security
o Custody-Safeguarding
o input
o processing
o output
o logs and reviews
o programmed controls
Advanced Technologies
The following process can be followed when implementing
or evaluating controls over any form of technology:
• Map actual components of technologies against the
theoretical controls that should underlie these
components
• Evaluate the impact of the existing controls and the risks
identified on the business
• Select suitable controls to mitigate the remaining risks to
an acceptable level.
• Example: a migration from Moodle to Learn
Advanced Technologies
Electronic commerce (e-commerce), electronic fund
transfers (EFTs) and other data communication
• Electronic commerce is the process of buying and selling
products or services over the internet or another
electronic platform
• The significant risks relate to:
o Authenticating users (in order to avoid later denial of
transactions),
o Correct and accurate capturing of data on the internet or
system,
o Communication between the internet service provider and
the company
Advanced Technologies
Electronic commerce (e-commerce), electronic fund
transfers (EFTs) and other data communication
In order to address these significant potential risks, controls
must be implemented over the following:
• Capturing data – Input controls
• Restricting and authenticating the user :OTP
o Access controls around the application used and during
transmission of data
o Authentication controls around the identity of the user
 NB: High risk transactions such as credit card transactions
would require special authorisation and authentication controls
• Transfer of data over the internet – Communication
controls, using controls similar to the processing controls applied
to the transfer of data, together with encryption
Advanced Technologies
Electronic commerce (e-commerce), electronic fund
transfers (EFTs) and other data communication
In order to address these significant potential risks, controls
must be implemented over the following:
• Policies and procedures – Controls over legal matters
relating to ownership and privacy
• Continuity – If a service organisation is used, ensuring that
the service organisation implements the same controls as
it would implement for its own data in terms of storage,
system development, and so on
• Logs and reviews – Extracting and reviewing available
computer logs, registers and reports, and investigating
unusual items
Advanced Technologies
Service organisations, outsourcing and data warehousing
• Outsourcing is where a function that is normally
performed by a company such as preparation of payroll is
outsourced to another company (third party)
• Data warehousing is where a company’s data is stored on
another company’s server for a monthly fee
• The most important issues to address are:
o how information or data is going to be transferred to and from the
service organisation,
o how data is secured and protected by the service organisation,
o data ownership issues since data is stored on a third party’s
infrastructure, and
o protecting the company against potential data losses.
Advanced Technologies
Service organisations, outsourcing and data warehousing
In order to address the issues identified, controls must be
implemented over the following:
• Restricting and authenticating the server - Access controls at
general and application controls level at the third party and
during transmission of data
• Transfer of data – Communication controls using controls
similar to those of processing controls implemented over the
transfer of data and encryption
• Protecting company against data losses – Controls to ensure
continuity of operations
• Policies and procedures – Controls over legal issues relating to
ownership and privacy
Advanced Technologies
Service organisations, outsourcing and data warehousing
In order to address the issues identified, controls must be
implemented over the following:
• Continuity
o A service organisation should implement the same controls as an
entity would implement around its own data in terms of storage,
system development, etc.
o This can be achieved by concluding a service level agreement and
ongoing monitoring of the effectiveness of controls.
o The ongoing monitoring can be achieved by placing reliance on
the assurance report issued by the service organisation’s auditor.
• Logs and reviews – Reviewing available computer logs, registers
and reports, and investigating unusual items.
