Check digit verification
This process uses algorithms to ensure that data input is accurate. For
example, internally generated valid supplier numerical reference codes, should 3
SPECIFIC ASPECTS OF AUDITING IN A COMPUTER-BASED
ENVIRONMENT
JANUARY 2011
be formatted in such a way that any purchase invoices input with an incorrect
code will be automatically rejected.
Processing controls
Processing controls exist to ensure that all data input is processed correctly
and that data files are appropriately updated accurately in a timely manner.
The processing controls for a specified application program should be
designed and then tested prior to ‘live’ running with real data. These may
typically include the use of run-to-run controls, which ensure the integrity of
cumulative totals contained in the accounting records is maintained from one
data processing run to the next. For example, the balance carried forward on
the bank account in a company’s general (nominal) ledger. Other processing
controls should include the subsequent processing of data rejected at the point
of input, for example:
? A computer produced print-out of rejected items.
? Formal written instructions notifying data processing personnel of the
procedures to follow with regard to rejected items.
? Appropriate investigation/follow up with regard to rejected items.
? Evidence that rejected errors have been corrected and re-input.
Output controls
Output controls exist to ensure that all data is processed and that output is
distributed only to prescribed authorised users. While the degree of output
controls will vary from one organisation to another (dependent on the
confidentiality of the information and size of the organisation), common
controls comprise:
? Use of batch control totals, as described above (see ‘input controls’).
? Appropriate review and follow up of exception report information to
ensure that there are no permanently outstanding exception items.
? Careful scheduling of the processing of data to help facilitate the
distribution of information to end users on a timely basis.
? Formal written instructions notifying data processing personnel of
prescribed distribution procedures.
? Ongoing monitoring by a responsible official, of the distribution of output,
to ensure it is distributed in accordance with authorised policy.
Master file controls
The purpose of master file controls is to ensure the ongoing integrity of the
standing data contained in the master files. It is vitally important that stringent
‘security’ controls should be exercised over all master files.
These include:
? appropriate use of passwords, to restrict access to master file data
? the establishment of adequate procedures over the amendment of data,
comprising appropriate segregation of duties, and authority to amend
being restricted to appropriate responsible individuals
? regular checking of master file data to authorised data, by an
independent responsible official
4
SPECIFIC ASPECTS OF AUDITING IN A COMPUTER-BASED
ENVIRONMENT
JANUARY 2011
? processing controls over the updating of master files, including the use of
record counts and control totals.
COMPUTER ASSISTED AUDIT TECHNIQUES (CAATs)
The nature of computer-based accounting systems is such that auditors may
use the audit client company’s computer, or their own, as an audit tool, to
assist them in their audit procedures. The extent to which an auditor may
choose between using CAATs and manual techniques on a specific audit
engagement depends on the following factors:
? the practicality of carrying out manual testing
? the cost effectiveness of using CAATs
? the availability of audit time
? the availability of the audit client’s computer facility
? the level of audit experience and expertise in using a specified CAAT
? the level of CAATs carried out by the audit client’s internal audit function
and the extent to which the external auditor can rely on this work
There are three classifications of CAATs – namely:
? Audit software
? Test data
? Other techniques
Dealing with each of the above in turn:
Audit software
Audit software is a generic term used to describe computer programs designed
to carry out tests of control and/or substantive procedures. Such programs
may be classified as:
Packaged programs
These consist of pre-prepared generalised programs used by auditors and are
not ‘client specific’. They may be used to carry out numerous audit tasks, for
example, to select a sample, either statistically or judgementally, during
arithmetic calculations and checking for gaps in the processing of sequences.
Purpose written programs
These programs are usually ‘client specific’ and may be used to carry out tests
of control or substantive procedures. Audit software may be bought or
developed, but in any event the audit firm’s audit plan should ensure that
provision is made to ensure that specified programs are appropriate for a
client’s system and the needs of the audit. Typically, they may be used to
re-perform computerised control procedures (for example, cost of sales
calculations) or perhaps to carry out an aged analysis of trade receivable
(debtor) balances.
Enquiry programs
These programs are integral to the client’s accounting system; however they
may be adapted for audit purposes. For example, where a system provides for
the routine reporting on a ‘monthly’ basis of employee starters and leavers
