Computers have become the primary means of processing financial accounting information, so auditors must be able to use and understand current information technology (IT) to audit a client’s financial statements. Accordingly, knowledge of computer terminology, computer systems, and related audit procedures is essential to any auditor today. The overall need of individuals and organizations for credible information, combined with changes currently taking place in information technology, is also leading to rapid changes in the role of the public accounting profession. CPA firms are already embracing a broader concept of the attest function, referred to as the assurance function, which includes providing assurance on a broad variety of types of financial or non-financial information.
In this post, I give an overview of the technology and techniques used to perform audits: the techniques auditors use to assess control risk for financial data and reports produced by computer programs. If you landed on this page expecting a discussion of information technology (IT) auditing, this is not it. But if you are looking for information about the technology auditors use in financial auditing, then yes, stay and keep reading…
Computer processing (historically referred to as electronic data processing or EDP) does not necessitate modification of the “basic diagram of audit” shown below:
However, the auditor’s consideration of internal control includes an assessment of computerized as well as manual controls. Also, audit procedures may include computerized and manual procedures for considering internal control and for performing substantive tests.
The various professional pronouncements addressing computer processing include:
- AU 319 (SAS 55 and SAS 78) and an AICPA Audit Guide, both titled Consideration of Internal Control in a Financial Statement Audit.
- AICPA Auditing Procedures Studies: Consideration of Internal Control in a Computer Environment: A Case Study; Auditing with Computers; Auditing in Common Computer Environments; Audit Implications of EDI.
Auditor’s Consideration of Internal Control When a Computer Is Present
The auditor’s responsibilities with respect to internal control over computer systems remain the same as with manual systems, that is, to obtain an understanding adequate: (1) to aid in planning the remainder of the audit and (2) to assess control risk. Yet the auditor’s consideration of internal control may be affected in that computer systems:
- Result in transaction trails that exist for a short period of time or only in computer-readable form.
- Include program errors that cause uniform mishandling of transactions—clerical errors become much less frequent.
- Include computer controls that need to be tested in addition to the segregation of functions.
- Involve increased difficulty in detecting unauthorized access.
- Allow increased management supervisory potential resulting from more timely reports.
- Include less documentation of initiation and execution of transactions.
- Include computer controls that affect the effectiveness of related manual control activities that use computer output.
As is the case for all controls, the auditor needs to test operating effectiveness only when control risk is to be assessed below the maximum. General application controls may be tested through inquiry, observation, and inspection techniques. In addition, application controls may be tested using re-performance techniques outlined in the following section. Because general controls affect all computer applications, the auditor’s initial focus should be on them since the effectiveness of specific application controls depends upon the effectiveness of the general controls.
Computerized Audit Tools (CAAT) for Tests of Controls
Tests of controls are divided into the following categories of techniques: (a) program analysis, (b) program testing, (c) continuous testing, and (d) review of operating systems and other systems software.
I describe these techniques further in the following paragraphs. Read on…
Techniques For Program Analysis
These techniques allow the auditor to gain an understanding of the client’s program. Because these techniques ordinarily are relatively time-consuming and require a high level of computer expertise, they are infrequently used in financial statement audits. Here are techniques commonly used by auditors to analyze financial reports produced by computer programs:
- Code review — This technique involves actual analysis of the logic of the program’s processing routines. The primary advantage is that the auditor obtains a detailed understanding of the program. Difficulties with the approach include the fact that it is extremely time-consuming, that it requires a very high level of computer expertise, and that it is hard to make certain that the program being verified is in fact the program in use throughout the accounting period.
- Comparison programs — These programs allow the auditor to compare computerized files. For example, they can be used in a program analysis to determine that the auditor has the same version of the program that the client is using.
- Flowcharting software — Flowcharting software is used to produce a flowchart of a program’s logic and may be used both in mainframe and microcomputer environments. A difficulty involved is that the flowcharts of large programs become extremely involved.
- Program tracing and mapping — Program tracing is a technique in which each instruction executed is listed along with control information affecting that instruction. Program mapping identifies sections of code that can be “entered” and thus are executable. These techniques allow an auditor to recognize logic sequences or dormant sections of code that may be a potential source of abuse. The techniques are infrequently used because they are extremely time-consuming.
- Snapshot — This technique in essence “takes a picture” of the status of program execution, intermediate results, or transaction data at specified processing points in the program processing. This technique helps an auditor to analyze the processing logic of specific programs.
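A comparison program of the kind described above can be as simple as hashing every file in two program libraries and reporting where they diverge. The following is an added example, not code from the original post; the directory names, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its bytes."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_libraries(auditor_root, client_root):
    """Report where the auditor's copy and the client's library diverge."""
    a, c = manifest(auditor_root), manifest(client_root)
    return {
        "only_in_auditor_copy": sorted(a.keys() - c.keys()),
        "only_in_client_library": sorted(c.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & c.keys() if a[n] != c[n]),
    }


def build_sample(base):
    """Constructed sample: two small program libraries that have drifted apart."""
    base = Path(base)
    auditor, client = base / "auditor_copy", base / "client_prod"
    auditor_files = {"payroll/calc.py": b"rate = 1.5\n",
                     "payroll/post.py": b"post()\n",
                     "ar/aging.py": b"age()\n"}
    client_files = {"payroll/calc.py": b"rate = 2.0\n",      # changed in production
                    "payroll/post.py": b"post()\n",          # identical
                    "ar/writeoff.py": b"write_off()\n"}      # never given to auditor
    for root, files in ((auditor, auditor_files), (client, client_files)):
        for name, data in files.items():
            path = root / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    return auditor, client


def demo():
    """Build the constructed libraries in a temp directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        auditor, client = build_sample(tmp)
        return compare_libraries(auditor, client)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Any entry in the report means the program the auditor analyzed is not the one the client is running, so conclusions drawn from the analysis do not carry over until the difference is explained.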
Techniques For Program Testing
Program testing involves the use of auditor-controlled actual or simulated data. The approach provides direct evidence about the operation of programs and programmed controls. Historically, knowledge of these techniques has been tested relatively frequently.
- Test data — A set of dummy transactions is developed by the auditor and processed by the client’s computer programs to determine whether the controls which the auditor intends to test (not necessarily all controls) to restrict control risk are operating effectively. Some of these dummy transactions may include errors to test effectiveness of programmed controls and to determine how transactions are handled (e.g., time tickets with invalid job numbers). When using test data, each control generally need only be tested once. Several possible problems include:
  - Making certain the test data is not included in the client’s accounting records.
  - Determining that the program tested is actually used by the client to process data.
  - Adequately developing test data for every possible control.
  - Developing adequate data to test key controls may be extremely time-consuming.
- Integrated test facility (ITF) — This method introduces dummy transactions into a system in the midst of live transactions and is usually built into the system during the original design. One way to accomplish this is to incorporate a simulated or subsidiary into the accounting system with the sole purpose of running test data through it. The test data approach is similar and therefore its limitations are also similar, although the test data approach does not run simultaneously through the live system. The running of dummy transactions in the midst of live transactions makes the task of keeping the two transaction types separate more difficult.
- Parallel simulation — Parallel simulation processes actual client data through an auditor’s generalized audit software program and frequently, although not necessarily, the auditor’s computer (generalized audit software is discussed in Section G. of this module). After processing the data the auditor compares the output obtained with output obtained from the client. The method verifies processing of actual transactions (as opposed to test data and ITF that use dummy transactions) and allows the auditor to verify actual client results. This method allows an auditor to simply test portions of the system to reduce the overall time and concentrate on key controls. The limitations of this method include:
  - The time it takes to build an exact duplicate of the client’s system
  - Incompatibility between auditor and client software
  - Tracing differences between the two sets of outputs to differences in the programs may be difficult
  - The time involved in processing large quantities of data
- Controlled reprocessing — Controlled reprocessing, a variation of parallel simulation, processes actual client data through a copy of the client’s application program. As with parallel simulation, this method uses actual transactions and the auditor compares the output obtained with output obtained from the client. Limitations of this method include:
  - Determining that the copy of the program is identical to that currently being used by the client.
  - Keeping current with changes in the program
  - The time involved in reprocessing large quantities of data
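The parallel simulation described above, reduced to one pricing routine: the auditor reimplements the documented rule, reprocesses the client's input, and compares totals record by record. This is an added example, not code from the original post; the 5% volume discount rule, the invoice numbers and all amounts are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
# Assumed business rule (hypothetical): 5% volume discount at 100 units or more.
DISCOUNT_QTY = 100
DISCOUNT_RATE = Decimal("0.05")

# Constructed sample: the client's transaction file, input to both runs.
TRANSACTIONS = [
    {"invoice": "INV-1001", "qty": 10, "unit_price": "19.99"},
    {"invoice": "INV-1002", "qty": 100, "unit_price": "4.25"},
    {"invoice": "INV-1003", "qty": 250, "unit_price": "1.10"},
    {"invoice": "INV-1004", "qty": 3, "unit_price": "333.335"},
]

# Constructed sample: invoice totals produced by the client's program.
CLIENT_OUTPUT = {
    "INV-1001": "199.90",
    "INV-1002": "403.75",
    "INV-1003": "275.00",   # discount was not applied
    "INV-1005": "50.00",    # total with no supporting transaction
}


def auditor_total(txn):
    """Auditor's independent implementation of the documented pricing rule."""
    gross = Decimal(txn["qty"]) * Decimal(txn["unit_price"])
    if txn["qty"] >= DISCOUNT_QTY:
        gross -= gross * DISCOUNT_RATE
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(transactions, client_output):
    """Reprocess the client's input and compare totals record by record."""
    simulated = {t["invoice"]: auditor_total(t) for t in transactions}
    result = {"matched": [], "differences": [],
              "not_in_client_output": [], "not_in_input": []}
    for invoice, expected in sorted(simulated.items()):
        if invoice not in client_output:
            result["not_in_client_output"].append(invoice)
            continue
        reported = Decimal(client_output[invoice])
        if reported == expected:
            result["matched"].append(invoice)
        else:
            # Keep both figures so the difference can be traced to a rule.
            result["differences"].append(
                (invoice, reported, expected, reported - expected))
    result["not_in_input"] = sorted(set(client_output) - set(simulated))
    return result


if __name__ == "__main__":
    for key, value in parallel_simulation(TRANSACTIONS, CLIENT_OUTPUT).items():
        print(f"{key}: {value}")
```

A difference only shows that the two programs disagree; deciding whether the client's program or the auditor's simulation is wrong is the tracing work the limitations list refers to.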
Techniques For Continuous (Or Concurrent) Testing
Advanced computer systems, particularly those utilizing EDI, sometimes do not retain permanent audit trails, thus requiring capture of audit data as transactions are processed. Such systems may require audit procedures that are able to identify and capture audit data as transactions occur. Here are tools commonly used by auditors:
- Embedded audit modules and audit hooks — Embedded audit modules are programmed routines incorporated into an application program that are designed to perform an audit function such as a calculation, or logging activity. Because embedded audit modules require that the auditor be involved in system design of the application to be monitored, this approach is often not practical. An audit hook is an exit point in an application program that allows an auditor to subsequently add an audit module (or particular instructions) by activating the hook to transfer control to an audit module.
- Systems control audit review files (SCARF) — A SCARF is a log, usually created by an embedded audit module, used to collect information for subsequent review and analysis. The auditor determines the appropriate criteria for review and the SCARF selects that type of transaction, dollar limit, or other characteristic.
- Extended records — This technique attaches additional data that would not otherwise be saved to regular historic records and thereby helps to provide a more complicated audit trail. The extended record information may subsequently be analyzed.
- Transaction tagging — Tagging is a technique in which an identifier providing a transaction with a special designation is added to the transaction record. The tag is often used to allow logging of transactions or snapshot of activities.
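How the four tools above fit together, as an added example that is not part of the original post: an application exposes an audit hook, the auditor activates it with an embedded audit module, and the module writes extended records for selected transactions to a SCARF. The class names, the `audit_tag` field, the selection criteria and the transactions are all hypothetical.

```python
from decimal import Decimal


class AuditModule:
    """Embedded audit module: writes transactions that meet the auditor's
    criteria to a SCARF (held in memory here; a file or table in practice)."""

    def __init__(self, dollar_limit, watch_types=()):
        self.dollar_limit = Decimal(dollar_limit)
        self.watch_types = set(watch_types)
        self.scarf = []

    def reasons(self, txn):
        found = []
        if abs(Decimal(txn["amount"])) >= self.dollar_limit:
            found.append("over_limit")
        if txn["type"] in self.watch_types:
            found.append("watched_type")
        if txn.get("audit_tag"):          # transaction tagging
            found.append("tagged")
        return found

    def __call__(self, txn, balance_before, balance_after):
        why = self.reasons(txn)
        if why:
            # Extended record: the transaction plus data the application would
            # not otherwise keep (a snapshot of balances, selection reasons).
            self.scarf.append({**txn, "balance_before": balance_before,
                               "balance_after": balance_after, "reasons": why})


class LedgerApp:
    """Stand-in for the client's application program."""

    def __init__(self):
        self.balances = {}
        self.audit_hook = None   # exit point; does nothing until activated

    def post(self, txn):
        before = self.balances.get(txn["account"], Decimal("0"))
        after = before + Decimal(txn["amount"])
        self.balances[txn["account"]] = after
        if self.audit_hook is not None:
            self.audit_hook(txn, before, after)   # transfer control to the module
        return after


# Constructed sample transactions.
TRANSACTIONS = [
    {"id": "T1", "account": "4000", "type": "sale", "amount": "250.00"},
    {"id": "T2", "account": "4000", "type": "sale", "amount": "12000.00"},
    {"id": "T3", "account": "1200", "type": "write_off", "amount": "-75.00"},
    {"id": "T4", "account": "4000", "type": "sale", "amount": "40.00",
     "audit_tag": "AUDIT-SAMPLE"},
    {"id": "T5", "account": "1200", "type": "receipt", "amount": "500.00"},
]


def run():
    """Process the sample with the hook activated and return the SCARF."""
    app = LedgerApp()
    module = AuditModule(dollar_limit="10000.00", watch_types={"write_off"})
    app.audit_hook = module
    for txn in TRANSACTIONS:
        app.post(txn)
    return module.scarf


if __name__ == "__main__":
    for record in run():
        print(record["id"], record["reasons"], record["balance_after"])
```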
Techniques For Review Of Operating Systems And Other Systems Software
Systems software may perform controls for computer systems. Related audit techniques range from user-written programs to the use of purchased operating system (OS) monitoring software.
- Job accounting data/operating systems logs — These logs, created by either the operating system itself or additional software packages that track particular functions, include reports of the resources used by the computer system. Because these logs provide a record of the activity of the computer system, the auditor may be able to use them to review the work processed, to determine whether unauthorized applications were processed, and to determine that authorized applications were processed properly.
- Library management software — This software logs changes in programs, program modules, job control language, and other processing activities. Auditors may review these logs.
- Access control and security software — This software supplements the physical and control measures relating to the computer and is particularly helpful in online environments or in systems with data communications because of difficulties of physically securing computers. Access control and security software restricts access to computers to authorized personnel through techniques such as only allowing certain users with “read-only” access or through use of encryption. An auditor may perform tests of the effectiveness of the use of such software.
Information Technology [IT] and Financial Auditing
Information technology (IT) provides potential benefits of effectiveness and efficiency in financial auditing because it enables an entity to:
- Consistently apply predefined business rules and perform complex calculations on large volumes of transactions.
- Enhance timeliness, availability, and accuracy of information
- Facilitate the additional analysis of information
- Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
- Reduce risk that controls will be circumvented
- Enhance ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.
IT poses specific risks to internal control, including:
- Systems or programs may inaccurately process information
- Unauthorized access to data may lead to destruction of data or inappropriate changes to data
- Unauthorized changes to data in master files
- Unauthorized changes to systems or programs
- Failure to make necessary changes to systems or programs
- Inappropriate manual intervention
- Potential loss of data
Use of an IT specialist. In determining whether specialized IT skills are needed to design and perform the audit, the auditor considers factors such as:
- Complexity of entity’s systems and IT controls
- Significance of changes made to existing systems, or implementation of new systems
- Extent to which data is shared among systems
- Extent of entity’s participation in electronic commerce
- Entity’s use of emerging technologies
- Significance of audit evidence available only in electronic form
Procedures an auditor may assign to a professional possessing IT skills:
- Inquiring of entity’s IT personnel on how data and transactions are initiated, recorded, processed, and reported, and how IT controls are designed
- Inspecting systems documentation
- Observing operation of IT controls
- Planning and performing of tests of IT controls
Documenting the understanding of internal control:
- For an information system with a large volume of transactions that are electronically initiated, recorded, processed, or reported, may include flowcharts, questionnaires, or decision tables.
- For an information system with limited or no use of IT, or for which few transactions are processed (e.g., long-term debt) a memorandum may be sufficient.
- When an auditor is performing only substantive tests to restrict detection risk to an acceptable level, the auditor should obtain evidence about the accuracy and completeness of the information.
Effects of IT on assessment of control risk:
In determining whether to assess control risk at the maximum level or at a lower level, the auditor should consider:
- Nature of the assertion
- Volume of transactions
- Nature and complexity of systems, including use of IT
- Nature of available evidential matter, including evidence in electronic form
In designing tests of automated controls:
- The inherent consistency of IT processing may allow the auditor to reduce the extent of testing (e.g., use a smaller sample)
- Computer-assisted audit techniques may be needed for automated controls
Effects of IT on restriction of detection risk:
- An auditor may assess control risk at the maximum and perform substantive tests to restrict detection risk when he or she believes that the substantive tests by themselves would be more efficient than performing tests of controls; for example, the client has only a limited number of transactions related to fixed assets and long-term debt, and the auditor can readily obtain corroborating evidence in the form of documents and confirmations.
- When evidence is entirely or almost entirely electronic, the auditor in some circumstances may need to perform tests of controls. This is because it may be impossible to design effective substantive tests that by themselves provide sufficient evidence in circumstances such as when the client (1) uses IT to initiate orders using predetermined decision rules and to pay related payables based on system-generated information, and no other documentation is produced; (2) provides electronic service to customers (e.g., Internet service provider or telephone company) and uses IT to log service provided, initiate bills, process billing, and automatically record amounts in accounting records.
Computerized Audit Tools
A variety of computerized audit tools (which may also be viewed as computer assisted audit techniques) are available for administering, planning, performing, and reporting of an audit.
I present a summary of the major types in the following paragraphs. Read on…
Generalized Audit Software (GAS)
The auditor may use various types of software on PCs (or other computers) and may include customized programs, utility software, and generalized audit software for performing tests of controls and substantive tests. Customized programs are written specifically for a client. Commercially produced utility software is used for sorting, merging, and other file maintenance tasks.
Generalized audit software also performs such file maintenance tasks but generally requires a more limited understanding of the client’s hardware and software features. The following is a list of functions performed by GAS (it is based on the AICPA Auditing Procedure Study Auditing with Computers):
- Record extraction — Extract (copy) records that meet certain criteria, such as: (1) Accounts receivable balances over the credit limit; (2) Inventory items with negative quantities or unreasonably large quantities; (3) Uncosted inventory items; (4) Transactions with related parties
- Sorting (e.g., ascending or descending order)
- Summarization, such as: (1) By customer account number; (2) Inventory turnover statistics; (3) Duplicate sales invoices.
- Field statistics, such as: (1) Net value; (2) Total of all debt (credit values); (3) Number of records; (4) Average value; (5) Maximum (minimum) value; (6) Standard deviation.
- File comparison, such as: (1) Compare payroll details with personnel records; (2) Compare current and prior period inventory files.
- Gap detection/duplicate detection — Find missing or duplicate records.
- Exportation — Select an application that has been performed using GAS and export to another file format (for additional analysis)
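Several of the GAS functions listed above, run over two small files, as an added example that is not part of the original post. The customer and invoice records are constructed, and the file comparison assumes (for this sample only) that each customer's balance equals the sum of that customer's invoices.

```python
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample: accounts receivable master file.
CUSTOMERS = [
    {"customer": "C001", "balance": "4200.00", "credit_limit": "5000.00"},
    {"customer": "C002", "balance": "9100.50", "credit_limit": "7500.00"},
    {"customer": "C003", "balance": "0.00", "credit_limit": "1000.00"},
    {"customer": "C004", "balance": "1500.00", "credit_limit": "1500.00"},
]

# Constructed sample: sales invoice register (numbers should be sequential).
INVOICES = [
    {"number": 1001, "customer": "C001", "amount": "1200.00"},
    {"number": 1002, "customer": "C002", "amount": "4100.50"},
    {"number": 1004, "customer": "C002", "amount": "5000.00"},
    {"number": 1004, "customer": "C002", "amount": "5000.00"},
    {"number": 1005, "customer": "C001", "amount": "3000.00"},
    {"number": 1008, "customer": "C004", "amount": "1500.00"},
]


def over_credit_limit(customers):
    """Record extraction: balances above the credit limit."""
    return [c["customer"] for c in customers
            if Decimal(c["balance"]) > Decimal(c["credit_limit"])]


def gaps_and_duplicates(invoices):
    """Gap/duplicate detection on the invoice number sequence."""
    counts = Counter(i["number"] for i in invoices)
    expected = range(min(counts), max(counts) + 1)
    gaps = [n for n in expected if n not in counts]
    duplicates = sorted(n for n, k in counts.items() if k > 1)
    return gaps, duplicates


def field_statistics(invoices):
    """Field statistics on the amount field."""
    amounts = [Decimal(i["amount"]) for i in invoices]
    total = sum(amounts, Decimal("0"))
    return {"count": len(amounts), "total": total,
            "min": min(amounts), "max": max(amounts),
            "average": (total / len(amounts)).quantize(Decimal("0.01"))}


def balance_mismatches(customers, invoices):
    """Summarize invoices by customer, then compare with the master file.
    Assumes (constructed data) balance == sum of the customer's invoices."""
    billed = defaultdict(Decimal)
    for i in invoices:
        billed[i["customer"]] += Decimal(i["amount"])
    return {c["customer"]: (billed[c["customer"]], Decimal(c["balance"]))
            for c in customers
            if billed[c["customer"]] != Decimal(c["balance"])}


if __name__ == "__main__":
    print("over limit:", over_credit_limit(CUSTOMERS))
    print("gaps, duplicates:", gaps_and_duplicates(INVOICES))
    print("statistics:", field_statistics(INVOICES))
    print("mismatches:", balance_mismatches(CUSTOMERS, INVOICES))
```

In this sample the duplicate invoice 1004 is also what drives the C002 mismatch, which is the kind of cross-check that running several GAS functions over the same files makes visible.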
Electronic spreadsheets, often included in generalized audit software, may be used for applications such as analytical procedures and performing mathematical procedures. Also, auditors often use microcomputer electronic spreadsheets to prepare working trial balances, lead, and other schedules. Such spreadsheets may significantly simplify the computational aspects of tasks such as incorporating adjustments and reclassifications on a worksheet and are relatively easy to use, inexpensive, and can be saved and easily modified in the future. Disadvantages include the need for auditor training, and the fact that original spreadsheet development takes a significant amount of time.
Automated Workpaper Software
Automated workpaper software, generally microcomputer based, is increasingly being used by auditors. Originally used to generate trial balances, lead schedules, and other workpapers, advances in computer technology (e.g., improvements in scanning) make possible an electronic workpaper environment. Ordinarily, this type of software is easy to use and inexpensive. The primary disadvantage is the time required to enter the data for the first year being audited.
Database Management Systems
We have discussed database management systems in Section C. of this module. Database management software may be used to perform analytical procedures, mathematical calculations, generation of confirmation requests, and to prepare customized automated workpapers. An auditor may, for example, download relevant client files into his or her database and analyze the data as desired. Advantages of this approach include a great opportunity for the auditor to rearrange, edit, analyze, and evaluate a data file in a manner well beyond that possible to be performed manually and the ability to download client data without time-consuming data entry. Disadvantages include auditor training (more than with spreadsheets) and the need for adequate client documentation of applications.
Text Retrieval Software
Text retrieval software (also referred to as text database software) enables access to such databases as the AICPA Professional Standards and various FASB and SEC pronouncements. This software allows an auditor to research technical issues quickly and requires minimal training. Disadvantages include the fact that some training is required and that some professional literature is not currently available in software form.
Public databases may be used to obtain accounting information related to particular companies and industries as well as other publicly available information on, for example, electronic bulletin boards, that an auditor may use. Current developments for companies and their industries may be obtained from the Internet. The Internet provides online access to newspaper and journal articles. In addition, many companies and industry associations have World Wide Web home pages that describe current developments and statistics.
Word Processing Software
Auditors use word processing software in a variety of communication-related manners including the consideration of internal control, developing audit programs, and reporting.