Conducting an EDP Audit - PowerPoint PPT Presentation

Slides: 66
Provided by: brucewmacl

Transcript and Presenter's Notes

1
Conducting an EDP Audit
2
Computer Environment
  • The CICA Handbook prefers the term EDP (Electronic
    Data Processing)
  • There is no fundamental difference between
    computer auditing and auditing. Certain areas
    are not changed:
      • the definition of auditing
      • the purposes of auditing
      • the generally accepted auditing standards
      • the control objectives
      • the requirement to gather sufficient and
        appropriate evidence
      • the audit report

3
Computer Environment
  • Elements of a computer-based system:
      • Hardware - the physical equipment
      • Software
          • system programs - perform generalized functions
            for more than one program
          • application programs - sets of computer
            instructions that perform data processing tasks
      • Documentation - a description of the system and
        control structures
      • Personnel - persons who manage, design, program,
        operate or control the system

4
Computer Environment
  • Elements of a computer-based system (continued):
      • Data - transactions and related information
        entered, stored and processed by the system
      • Control procedures - activities designed to ensure
        proper recording of transactions and to prevent
        or detect errors or irregularities
  • Management responsibilities to assist the
    auditor:
      • ensuring documentation of the system is
        complete
      • maintaining a system of transaction
        processing that includes audit trails
      • making computer resources and
        knowledgeable personnel available to the
        auditors to help them understand and audit the
        system

5
Effect of Computer Processing
  • The method used to process accounting
    transactions will affect a company's organization
    structure and will influence the procedures and
    techniques used to accomplish the objectives of
    internal control. The following are
    characteristics that distinguish computer
    processing from manual processing:
      • Transaction trails may not exist
      • Uniform processing of transactions eliminates
        random errors but may cause systematic errors
      • Segregation of functions: incompatible functions
        may not be segregated, and many internal controls
        are combined in the computer

6
Effect of Computer Processing
  • Potential for errors and irregularities through
    inappropriate access to computer data or systems;
    errors are also harder to observe
  • Potential for increased management supervision
    with a wide variety of analytical tools
  • Initiation or subsequent execution of
    transactions by computer

7
EDP Audit Guideline 20 1
8
Planning
  • Extent to which computers are used in accounting
    applications
  • Complexity of computer operations
  • Organizational structure of computer processing
    activities
  • Availability of data from the computer system
  • Use of computer-assisted audit techniques to
    increase the efficiency of audit procedures
  • Need for audit personnel with specialized skills

9
Overview of the Steps in an EDP Audit
  • The preliminary review phase
  • The detail review phase
  • The compliance testing phase
  • Review and testing of user (compensating)
    controls
  • The substantive testing phase

10
Some major audit decisions
  • The evaluation judgment
  • Timing of audit procedures
  • Audit use of the computer
  • Selecting application systems for audit

11
The Nature of Controls
  • A control is a system that prevents, detects or
    corrects unlawful events
  • A control is a system. Example: a password vs. a
    password control, which comprises:
      • secure issue or choice of passwords
      • correct validation of passwords
      • secure storage of passwords
      • follow-up of illicit use of passwords
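
The four elements of the password control above, written out as a small Python program. This is an added illustration, not code from the slides; the iteration count, password length policy and lockout threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Parameters assumed for this illustration; the slides give no numbers.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 3
MIN_PASSWORD_LENGTH = 12


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class PasswordControl:
    """A password is not a control; this whole system is the control."""
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # reviewed by control personnel

    # 1. Secure issue: initial passwords come from a CSPRNG, never from a pattern.
    def issue(self, user: str) -> str:
        password = secrets.token_urlsafe(16)
        self.set_password(user, password)
        self.audit_log.append(("ISSUED", user))
        return password

    # 3. Secure storage: only a per-user salt and a slow salted hash are kept.
    def set_password(self, user: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short for policy")
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt=salt, digest=self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    # 2. Correct validation: constant-time comparison; a locked account never validates.
    # 4. Follow-up: failures are counted, the account is locked and every event is logged.
    def validate(self, user: str, password: str) -> bool:
        account = self.accounts.get(user)
        if account is None:
            # Do the same work as a real check so unknown users cannot be told apart by timing.
            self._hash(password, b"\x00" * 16)
            self.audit_log.append(("UNKNOWN_USER", user))
            return False
        if account.locked:
            self.audit_log.append(("LOCKED_ATTEMPT", user))
            return False
        if hmac.compare_digest(self._hash(password, account.salt), account.digest):
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        self.audit_log.append(("FAILED", user, account.failed_attempts))
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            self.audit_log.append(("LOCKED", user))   # an item for follow-up
        return False


def demo() -> dict:
    """Exercise all four elements and return what an auditor could observe."""
    ctl = PasswordControl()
    pw = ctl.issue("clerk1")
    return {
        "good_login": ctl.validate("clerk1", pw),
        "bad_logins": [ctl.validate("clerk1", "wrong-password-xx")
                       for _ in range(MAX_FAILED_ATTEMPTS)],
        "after_lock_with_correct_pw": ctl.validate("clerk1", pw),
        "plaintext_stored": pw in repr(ctl.accounts),
        "lock_logged": ("LOCKED", "clerk1") in ctl.audit_log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When testing such a control, the auditor checks each element separately: that issued passwords are unpredictable, that a wrong password is rejected, that the stored record contains no plaintext, and that repeated failures produce a lockout and a log entry someone actually reviews.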

12
The Nature of Controls
  • A control is a system that prevents, detects or
    corrects unlawful events
  • Unlawful events:
      • Unauthorized, inaccurate, incomplete, redundant,
        ineffective, or inefficient input enters a
        system
      • Transformation of an input in an unauthorized,
        inaccurate, incomplete, redundant, ineffective,
        or inefficient way

13
The Nature of Controls
  • A control is a system that prevents, detects or
    corrects unlawful events
  • Preventive example: instructions and training
    result in correct action
  • Detective example: a program detects errors, which
    are placed in an error file and later
    investigated by control personnel
  • Corrective example: special codes and error-
    correcting software in a communication network
    correct for noise

14
Lawful and Unlawful Events
(Diagram; labels as transcribed: Data and Assets,
Controls, Lawful Events, Unlawful Events)
15
Dealing with Complexity
Information system auditing is an exercise in
dealing with complexity.
  • Subsystem factoring: given the purposes of the
    information system audit, factor the system to be
    evaluated into subsystems
  • Component reliability: determine the reliability
    of each subsystem and the implication of each
    subsystem's reliability for the overall control in
    the system.

16
Overall Purpose of Controls
  • To reduce expected losses from unlawful events

The auditor's job is to determine if controls exist
and are working effectively.

(Diagram)
Expected loss = probability of unlawful events X amount of loss
Preventive controls act on the probability of
unlawful events; detective and corrective controls
act on the amount of loss.
17
Subsystem factoring
  • A subsystem is a unit which performs a basic
    function needed by the overall system for it to
    be able to attain its fundamental objectives.
  • Subsystems are logical rather than physical
    components.
  • Different functions delineate different
    subsystems.
  • Subsystem independence: each subsystem can be
    evaluated separately from the effects of control
    strengths and weaknesses in other subsystems.
  • Internal cohesiveness of subsystems: all the
    activities performed by the subsystem should be
    directed towards accomplishing a single function.

18
Dealing with Complexity
  • Conducting an information system audit is an
    exercise in dealing with complexity
  • Given the purposes of the information systems
    audit, factor the system to be evaluated into
    subsystems
  • Determine the reliability of each subsystem and
    the implications of each subsystem's level of
    reliability for the overall level of reliability
    in the system.

19
Management subsystems
  • Top management controls
  • Information systems management
  • Systems development management
  • Programming management
  • Data administration
  • Security administration
  • Operations management
  • Quality assurance management

20
Application subsystems
  • Boundary controls
  • Input controls
  • Communication controls
  • Processing controls
  • Database controls
  • Output controls

21
Component Identification
  • Hardware
  • Software
  • People
  • Transmission media
  • Processing

22
Component reliability
  • A system achieves the goals of asset
    safeguarding, maintaining data integrity, and
    achieving system effectiveness and efficiency if
    each of its subsystems is reliable.
  • A subsystem is reliable only if the components
    that perform the basic activities are reliable
  • Auditors must evaluate components with respect to
    each type of error or irregularity that might
    occur.

23
Component reliability
  • Reliability of a component is a function of the
    controls that act on that component
  • A control is a pattern of activities or actions
    executed by one or more components to prevent,
    detect or correct errors or irregularities that
    might affect the reliability of the component

24
Subdivisions of Control Review
(Diagram; labels as transcribed)
Board of Directors
Management
Goals of Internal Control:
  • asset safeguarding
  • maintaining data integrity
  • achieving system effectiveness and efficiency
Management Controls
Accounting controls / Application controls
Risks / Threats
Systems
Subsystems
Components
Reliability of a component is a function of the
controls that act on that component.
A subsystem is reliable only if the components
that perform the basic activities are reliable.
25
Component reliability
  • Controls improve reliability by reducing
    expected losses:
      • by reducing the probability of failure
      • by reducing the amount of loss

26
How Controls Work
(Diagram)
Average loss expected = expected frequency X average loss
Use controls to:
  • Reduce frequency
      • reduce opportunity for error
      • reduce frequency of error occurrence
  • Reduce loss
      • minimize amount subject to loss
      • minimize impact of loss
27
Types of controls
  • Authenticity controls
  • Accuracy controls
  • Completeness controls
  • Redundancy controls
  • Privacy controls
  • Audit trail controls
  • Existence controls
  • Asset safeguarding controls
  • Effectiveness controls
  • Efficiency controls

28
Controls
  • Each type of control normally appears in each
    subsystem
  • Classes of controls are not mutually exclusive -
    a single control may fall in many categories

29
Consider attributes of the control
  • in place and working
  • generality vs. specificity
  • preventive, detective, corrective
  • number of components used to execute
  • number of subsystems impacted by the control

30
Evaluating system reliability
  • Matrix evaluation:
      • Controls vs. errors / irregularities
      • Subsystems vs. errors / irregularities
      • Objectives of internal control vs. approach to
        reducing risk

31
Assessing Subsystem Reliability
  • Identify lowest-level subsystem
  • Identify all the different types of lawful and
    unlawful events that can occur
  • Consider all functions of the subsystem
  • Determine all lawful events and unlawful events
    within each function
  • Consider strategic role of each function

32
Transactions
  • Focus on transactions that can occur as input to
    the subsystem
  • All events in an application system must arise
    from a transaction.
  • Lawful events will arise if the transaction and
    subsequent processing are authorized, accurate,
    complete, nonredundant, effective and efficient.
  • Otherwise unlawful events occur

33
Walk Through Techniques
  • How is the system likely to process the
    transaction?
  • Identify the particular components that process
    the transaction
  • Understand each processing step and likely
    unlawful events
  • It may be costly to trace each transaction type,
    so consider classes of transactions (ones which
    have similar processing steps)
  • Are controls working to cover unlawful events?

34
Controls vs. Errors
(H = high reliability, M = medium reliability, L = low reliability)

                       Errors/Irregularities
Controls               Unauthorized Customer   Incorrect Quantity   Incorrect Price
OE operator trained    M                       M                    M
Input screen layout    M                       M                    -
Input program          H                       L                    M
SM override report     -                       -                    -

(Cells marked "-" have no rating in the transcript: the
slide shows only two ratings for Input screen layout
and none for SM override report.)

How effective is each control in reducing losses
from each type of unlawful event?
35
Evaluation Moves Up Through Levels
  • Lower level subsystems are components of higher
    level systems.
  • At each level the evaluation steps are the same
  • As we move to higher levels we may encounter new
    controls
  • Controls at lower levels can malfunction
  • More cost effective to implement at higher level
  • Some events are not manifest as unlawful except
    in higher level systems (two or more separately
    legal events may be illegal as a group)

36
Controls vs. Errors
(H = high reliability, M = medium reliability, L = low reliability)

                  Errors/Irregularities
Subsystems        Unauthorized Customer   Incorrect Quantity   Incorrect Price
Boundary          H                       M                    M
Input             H                       H                    H
Communications    M                       L                    L
Processing        -                       -                    -
Database          L                       L                    L
Output            -                       -                    -

(Cells marked "-" have no rating in the transcript.)
37
Causes of loss
  • erroneous record keeping
  • unacceptable accounting
  • business interruption
  • erroneous management decisions
  • fraud and embezzlement
  • statutory sanctions
  • excessive costs or reduced revenues
  • loss or destruction of records
  • competitive disadvantage

38
Audit Risks
  • Asset safeguarding, data integrity, system
    effectiveness and system efficiency
  • Test nature of auditing
  • The risk of not detecting actual or potential
    material losses or account misstatements is audit
    risk.
  • DAR = IR X CR X DR (AICPA), where:
      • DAR is desired audit risk,
      • IR is inherent risk: the likelihood that a
        material loss or account misstatement exists in
        some audit segment before the reliability of
        controls is considered,
      • CR is control risk: the likelihood of control
        failure,
      • DR is detection risk: the likelihood that audit
        procedures will fail to detect it.

39
Phase 1: Computer System Understanding
  • The organizational structure:
      • description of computer resources and computer
        operating activities
      • description of the organizational structure of
        computer operations and related policies
  • Methods used to communicate responsibility and
    authority:
      • Auditors should obtain evidence and evaluate
        information about the existence of (a) accounting
        and other policy manuals and (b) formal job
        descriptions for computer department personnel

40
Phase 1: Computer System Understanding
  • Methods used by management to supervise the
    system:
      • Auditors should learn the procedures management
        uses to monitor the computer operations,
        including the existence of
          • a) systems design and documentation
          • b) procedures for system and program modification
          • c) procedures limiting access to authorized
            information
          • d) financial and other reports
          • e) internal audit function
  • Understanding the accounting system:
      • auditors should gain an understanding of the flow
        of transactions through the accounting system for
        each significant accounting application

41
Computer Control Guideline Objective A: Organizational
Relationships
(Diagram; labels as transcribed: Senior Management;
IS Development Plans; IS Policies; Monitor; Assign
Responsibilities; Information Use; Information;
Information Processing: Completeness, Accuracy,
Authorization, Security; IS Capabilities; Provide;
IS Management; User Management)
42
Objective B: To ensure that the information systems
selected meet the needs of the entity
(Diagram; labels as transcribed: Objectives / Policies
of the Entity; Acquire or Develop Information
Systems; Costs, Savings and Benefits; User
Requirements; Tested Prior to Implementation)
43
Objective C: To ensure the efficient and effective
implementation of information systems
(Diagram; labels as transcribed: IS Implementation
Standards; Senior Management; IS Management; Assign
Responsibility; Implementation of IS; Implementation
Procedures; Implementation Plan; Approve; Conversion
of Information; Participate; Control; Initial
Operation of IS; Final Approval; Internal Auditors /
External Auditors / Control Group; User Management;
IS)
44
Objective D: To ensure the efficient and effective
maintenance of information systems
(Diagram; labels as transcribed: Senior Management;
IS Management; Planned IS Changes; Authorize;
Schedule; Documentation; Changes to IS; Allow and
Control; Tested; Emergency Changes; Control;
Unauthorized Changes; Internal Auditors / External
Auditors / Control Group; User Management; IS)
45
Phase 2 Assessing the Control Risk
  • To assess the control risk when a computer is
    used, it is necessary to:
      • 1) Identify specific control objectives based on
        the types of transactions that may be present
      • 2) Identify the points in the flow of
        transactions where specific types of
        misstatement could occur
      • 3) Identify specific control activities designed
        to achieve control objectives

46
Phase 2 Assessing the Control Risk
  • To assess the control risk when a computer is
    used, it is necessary to (continued):
      • 4) Identify the interdependent control activities
        which must function for an identified specific
        control procedure to be effective
      • 5) Evaluate the control activities to determine
        whether they suggest control risk and whether
        tests of controls might be cost effective

47
Overview of Steps in an EDP Audit
  • The preliminary review phase
      • Withdraw from audit
      • Perform detailed review
      • Don't rely on internal control
      • substantive cost effective
      • compensating controls
  • Internal vs. external auditor
      • less preliminary review
      • cause of loss/attest vs. efficiency and
        effectiveness
      • IA (internal auditor): weak system - test
        anyway - recommend improvements

48
Overview of Steps in an EDP Audit
  • Detailed review phase
      • in-depth understanding of controls
      • decision - how to continue? Rely?
      • management and application controls
      • cause of loss vs. controls to reduce loss
      • expected losses acceptable?
  • Internal vs. external auditor
      • acceptable vs. optimal
      • not rely vs. recommend improvements

49
Overview of Steps in an EDP Audit
  • Compliance testing phase
      • controls exist?
      • operate effectively?
      • CAAT
      • evaluate overall IC system
  • Review and testing of user (compensating)
    controls
      • use instead of reliance on controls within the
        computer system
      • cost effective?

50
Overview of Steps in an EDP Audit
  • The substantive testing phase
      • Material losses due to IC weaknesses?
      • Material misstatement of accounts?
      • Five types (Davis):
          • Tests to identify erroneous processing
          • Tests to assess the quality of data
          • Tests to identify inconsistent data
          • Tests to compare data with physical count
          • Confirmation of data with external sources
      • May require CAAT

51
Some major audit decisions
  • The evaluation judgment - a matrix:
      • Columns: causes of loss
      • Rows: controls exercised over the causes to
        reduce expected losses
  • Three types of evaluation:
      • Columnar evaluation - do the controls taken
        together reduce the expected loss from the cause
        to an acceptable level?
      • Row evaluation - do the benefits of having the
        control exceed the cost? What is the marginal
        cost/benefit of the control for each cause of
        loss acted on by the control?
      • Global evaluation - is this the optimal set of
        controls?
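
The matrix evaluation described here, together with the expected-loss model of slides 16 and 25-26, as an added Python illustration (not the presentation's own material). It uses the rows and columns of the slide 34 matrix; the H/M/L-to-reduction mapping, control costs, loss probabilities, loss amounts, tolerances and the ratings for cells the slide leaves blank are all constructed assumptions, and controls are assumed to act independently so their effects multiply.

```python
from itertools import combinations

# Constructed mapping: the fraction of an event's probability a control removes.
# The slides only rate controls H/M/L; these numbers are an assumption.
RATING_TO_REDUCTION = {"H": 0.9, "M": 0.6, "L": 0.2, None: 0.0}

# Matrix columns: causes of loss with inherent probability per period, average loss
# if the event occurs, and the tolerable residual expected loss (all constructed).
CAUSES = {
    "unauthorized customer": {"p": 0.10, "amount": 20_000, "tolerance": 500},
    "incorrect quantity":    {"p": 0.30, "amount": 2_000,  "tolerance": 300},
    "incorrect price":       {"p": 0.20, "amount": 5_000,  "tolerance": 300},
}

# Matrix rows: controls with an annual cost and a rating per cause (constructed).
CONTROLS = {
    "OE operator trained": {"cost": 400, "ratings": {
        "unauthorized customer": "M", "incorrect quantity": "M", "incorrect price": "M"}},
    "input screen layout": {"cost": 150, "ratings": {
        "incorrect quantity": "M", "incorrect price": "M"}},
    "input program": {"cost": 900, "ratings": {
        "unauthorized customer": "H", "incorrect quantity": "L", "incorrect price": "M"}},
    "SM override report": {"cost": 250, "ratings": {
        "unauthorized customer": "H"}},
}


def _remaining_fraction(control: str, cause: str) -> float:
    return 1.0 - RATING_TO_REDUCTION[CONTROLS[control]["ratings"].get(cause)]


def expected_loss(cause: str, active) -> float:
    """Residual expected loss for one cause: probability after controls X amount."""
    p = CAUSES[cause]["p"]
    for control in active:
        p *= _remaining_fraction(control, cause)
    return p * CAUSES[cause]["amount"]


def total_expected_loss(active) -> float:
    return sum(expected_loss(c, frozenset(active)) for c in CAUSES)


def columnar_evaluation(active) -> dict:
    """Per cause: (residual expected loss, is it within tolerance?)."""
    active = frozenset(active)
    return {c: (expected_loss(c, active), expected_loss(c, active) <= CAUSES[c]["tolerance"])
            for c in CAUSES}


def row_evaluation(active) -> dict:
    """Per control: (marginal benefit given the other controls, cost, benefit >= cost?)."""
    active = frozenset(active)
    with_all = total_expected_loss(active)
    result = {}
    for control in active:
        benefit = total_expected_loss(active - {control}) - with_all
        cost = CONTROLS[control]["cost"]
        result[control] = (benefit, cost, benefit >= cost)
    return result


def global_evaluation() -> tuple:
    """The subset of controls minimising control cost plus residual expected loss."""
    names = list(CONTROLS)
    best = None
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            total = sum(CONTROLS[c]["cost"] for c in subset) + total_expected_loss(subset)
            if best is None or total < best[1]:
                best = (frozenset(subset), total)
    return best


if __name__ == "__main__":
    print("columnar, all controls:", columnar_evaluation(CONTROLS))
    print("row, all controls:", row_evaluation(CONTROLS))
    print("global optimum:", global_evaluation())
```

With these numbers the row evaluation shows that, once every control is in place, only "input screen layout" pays for itself at the margin: the input program and the override report overlap on the same cause, so each looks unprofitable given the other. The global evaluation resolves that by dropping the expensive input program, which is why the slide treats the three evaluations as distinct questions.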

52
Some major audit decisions
  • Timing of audit procedures
  • Audit use of the computer
      • auditing around the computer
      • auditing through the computer
  • Selecting application systems for audit
      • User audits as a selection basis
      • Application system characteristics as a basis for
        selection

53
Simple Computer Systems: Characteristics and
Control Considerations
  • Characteristics of a simple computer system
  • General control procedures
      • Organization and physical access
      • Documentation and systems development
      • Hardware
      • Data file and program control and security

54
Simple Computer Systems: Characteristics and
Control Considerations
  • Application control procedures
      • input
      • processing
      • output
  • Control risk assessment in simple computer
    systems

55
Selection guidelines
  • Financial systems - frequently the target of
    fraud and embezzlement
  • Strategic systems - provide the organization with
    competitive advantage and may be the target of
    industrial espionage or retaliatory actions by a
    competitor; high potential for competitive
    damage
  • Critical operational systems - high-risk systems
    that could cripple an organization if they fail,
    e.g. customer reservation systems
  • Technologically advanced systems - more complex
    and higher inherent risk
  • High-cost systems

56
Types of Audit procedures
  • External auditors - have material losses or
    material misstatements occurred?
      • Procedures to obtain an understanding of controls
      • Tests of controls
      • Substantive tests of details of transactions
      • Substantive tests of details of account balances
      • Analytical review procedures

57
Types of audit procedures
  • Internal auditors - have the organization's
    operations been set up to achieve efficiency and
    effectiveness?
      • Procedures to obtain an understanding of controls
      • Tests of controls
      • Substantive tests of details of transactions
      • Substantive tests of overall results
      • Analytical review procedures

58
Micro-minicomputer Environment (Small Business)
  • Major characteristics
      • Utility programs, diskettes, terminals, software
        packages, documentation, tape backup.
  • Micro-minicomputer control considerations
      • Organizational control procedures
      • Operation control procedures
      • Processing control procedures
      • Systems development and modification

59
(No Transcript)
60
Evaluation Approaches for Computer Systems
  • Auditing around the computer,
  • Auditing through the computer, and
  • Auditing with the computer.

61
Tests of Computer Controls in Simple Batch Systems
  • Two approaches:
      • Test data
      • Parallel simulation

(Diagram; labels as transcribed: Reports, Journals)
62
Generalized Audit Software
  • Auditing with the computer
  • Audit procedures performed by generalized audit
    software
  • Using generalized audit software:
      • Define the audit objective
      • Feasibility and planning
      • Application design
      • Coding and testing
      • Processing and evaluation
  • Limitations

63
Planning EDP Guideline
64
CAAT Computer Assisted Audit Techniques
65
Using the Microcomputer as an Audit Tool
  • Sample selection, Analysis
  • Work papers
  • Confirmations
  • Spreadsheet Worksheet Calculations
  • Reference Materials
  • Flowcharting
  • Access to Client Database and Systems