With the introduction of computers, conventional accounting systems and methods using papers, pens and abacuses have undergone drastic changes, therefore exerting a great impact on internal control and audit trails in following audit procedures. Also, the introduction of computer has brought an immense increase in the availability of electronic resources. My topic is entitled auditing in a Computerized Information System (CIS). One purpose why this topic is included in auditing is due to the rampant changes that are happening in our society.
We could say that every day, everything around us is going through the” process of evolution”. Example, the government structure, educational structure, social structure, technological structure, economic structure and others are going into extensive and widespread changes. Work nowadays involve the usage of computer, hence, the need for computerized information system in auditing erupted. Around the world, computer plays an important role in the development of one’s country. That is why, here in the Philippines, we are trying to muddle through by with the drastic and radical changes in order to be globally competitive.
In fact, technology experts stated that when it comes to new enhancement and improvement of technology, the Philippines is not far behind, but rather one of the fastest country to acclimatize and adopt in this unbelievable wave of changes. With the rapid progress in technology in recent years, computer information systems have become feasible and practicable, perhaps essential, for use even in small scale business operations. Almost all entities now use computers to some extent in their accounting systems.
The widespread use of computers has offered new opportunities for professional accountants and had also created some challenging and exigent problems to auditors. Additionally, in auditing, the need for computer is now more important and significant because of the increasing and growing demand of auditing. Without computer, then auditing would not be able to deal with this growing demand. Ever imagine, conducting an audit without the usage of computer, isn’t it that it will be very difficult for the auditor because we all know, we human beings are immersed and innate with errors. Incorporating CIS in auditing is tough.
This is because; there are technical and methodological matters that an auditor doesn’t have any idea with, for instance, the software, such as operating program, utility program, etc. Auditors do not have any idea of these things, that’s why auditor tries to broaden their knowledge in order to be competitive. The result of that leads to the flourishing of auditing. Time and time again, auditing will continue to evolve. Having said all that, this topic contains a lot of different things which cannot be found in normal manual auditing. The overall objective and scope of an audit does not change in a CIS environment.
However, the use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity. Accordingly, a CIS environment may affect: a. ) the procedures followed by the auditors in obtaining a sufficient understanding of the accounting and internal control systems; b. ) the consideration of inherent risk and control risk through which the auditors arrive at the risk assessment; and c. ) the auditors’ design and performance of tests of control and substantive procedures appropriate to meet the audit objective.
Anyways, regardless of the extent of computerization or the methods of data processing being used, the establishment and implementation of appropriate internal control systems rests with the management and those charged with governance. The auditor’s responsibility is to obtain an understanding of the entity’s internal control system to be able to assess control risk and determine the nature, timing and extent of tests to be performed. Before tackling the important details of my topic, let us first define what is meant by Auditing and Computerized Information System (CIS). So, what is auditing?
PSA 200 defines auditing by stating the objective of a financial statement audit, that is, to enable the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. A more comprehensive definition of auditing is given by the American Accounting Association: “auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between these assertions and established criteria and communicating the results to interested users. On the other hand, computerized information system pertains to the usage of computer to develop and collate the information derived in an audit for the need of the auditor and third parties related.
Another definition of Computerized Information System (CIS) includes, is often a track within the computer science field studying computers and algorithmic processes, including their principles and doctrine, their software & hardware designs, their applications, and their impact on the general public. (http://www. quora. om/Information-Systems) I would just like to give a brief history of Auditing in a CIS Environment. It began as Electronic Data Process (EDP) Auditing and developed largely as a result of the rise in technology in accounting systems, the need for IT control, and the impact of computers on the ability to perform attestation services. The last few years have been an exciting time in the world of CIS auditing as a result of the accounting scandals and increased regulation. CIS auditing has had a relatively short yet rich history when compared to auditing as a whole and remains an ever changing field.
The introduction of computer technology into accounting systems changed the way data was stored, retrieved and controlled. It is believed that the first use of a computerized accounting system was at General Electric in 1954. During the time period of 1954 to the mid-1960s, the auditing profession was still auditing around the computer. At this time only mainframe computers were used and few people had the skills and abilities to program computers. This began to change in the mid-1960s with the introduction of new, smaller and less expensive machines.
This increased the use of computers in businesses and with it came the need for auditors to become familiar with EDP concepts in business. Along with the increase in computer use, came the rise of different types of accounting systems. The industry soon realized that they needed to develop their own software and the first of the generalized audit software (GAS) was developed. In 1968, the American Institute of Certified Public Accountants (AICPA) had the Big Eight (now the Big Four) accounting firms participate in the development of EDP auditing.
The result of this was the release of Auditing & EDP. The book included how to document EDP audits and examples of how to process internal control reviews. Around this time EDP auditors formed the Electronic Data Processing Auditors Association (EDPAA). The goal of the association was to produce guidelines, procedures and standards for EDP audits. In 1977, the first edition of Control Objectives was published. This publication is now known as Control Objectives for Information and related Technology (CobiT). CobiT is the set of generally accepted IT control objectives for IT auditors.
In 1994, EDPAA changed its name to Information Systems Audit and Control Association (ISACA). The period from the late 1960s through today has seen rapid changes in technology from the microcomputer and networking to the internet and with these changes came some major events that change IT auditing forever. The formation and rise in popularity of the Internet and E-commerce have had significant influences on the growth of IT audit. The Internet influences the lives of most of the world and is a place of increased business, entertainment and crime.
IT auditing helps organizations and individuals on the Internet find security while helping commerce and communications to flourish. (www. trustsoft. com/pp_ha_1. php) In terms of needed skills and competence of the auditor; he/she should have sufficient knowledge of the CIS to plan, direct, supervise and review the work performed. The auditor should consider whether specialized CIS skills are needed in an audit. These may be needed to a. ) obtain sufficient understanding of the accounting and internal control systems of the CIS environment, b. determine the effect of CIS environment on the assessment of related risks, c. ) design and perform appropriate tests of control and substantive procedures.
In planning the portions of the audit which may be affected due to client’s CIS environment, the auditor should acquire an understanding of the implication and complexity of the CIS activities and the availability of data for use in the audit. Such matter that needed understanding are the following; a. ) the significance and intricacy of computer processing in each significant accounting application, b. the organizational structure of the client and the extent of concentration or distribution of computer processing throughout the entity, c. ) the availability of data (e. g. source document, computer files). Computerized information systems have essential and vital characteristics that distinguish them from manual processing system.
These are the following: a. ) lack of visible transaction trails, b. ) consistency of performance, c. ) concentration of duties, d. ) ease of access to data and computer programs, e. ) vulnerability of data and program storage media, f. Systems generated transactions and g. ) Potential for increased management supervision. As regards to lack of visible transaction trails, in manual system, it is normally possible to follow a transaction through the system; by examining source documents, entity’s records, and financial reports. In a CIS environment, data can be entered directly and unswervingly into the computer system devoid of supporting documents. Furthermore, records and files may not be printed and cannot be read without using the computer.
The absence of these visible documents supporting the processing of transactions makes the examination of evidence more difficult. In relation to the consistency of performance, CIS performs functions exactly as programmed. If the computer is programmed to perform a specific data processing task, it will never get tired of performing the assigned task in exactly the same manner. Because of this capability of the computer to process transactions uniformly, clerical errors that are normally associated with manual processing are eliminated.
On the other hand, an incorrect program could be very devastating because it will result to consistently erroneous data processing. Third, concentration of duties, in here proper segregation of duties is an essential characteristic of a sound internal control system. However, because of the ability of the computer to process data efficiently, there are functions that are normally segregated in manual processing that are combined in a CIS environment. As a particular example, in manual processing the function of recording cash disbursements is incompatible with the responsibility for reconciling cash disbursement.
Since one of these functions serves as a check upon the other, assigning both functions to one employee would enable and permit that employee to commit and conceal errors and irregularities. A properly programmed computer, on the other hand, has no tendency or motivation to commit irregularities or conceal its errors. Hence what appears to be an incompatible combination of functions may be combined in a CIS environment without weakening and dwindling the internal control provided suitable and appropriate compensating controls are put in place.
Fourth, ease of access to data and computer programs, in a CIS environment, data and computer programs may be accessed and altered by unauthorized persons leaving no visible and detectible evidence. It is important, therefore, that proper and appropriate controls are incorporated in the system to limit the access to data files and programs only to authorized personnel. Fifth, vulnerability of data and program storage media, in a manual system the records are written in ink and substantial paper. The only way to lose the information is to lose or destroy the physical records.
The situation is completely different in a CIS environment. The information on the computer can be easily changed, leaving no trace of the original content. This change could happen inadvertently and huge amount of information can be quickly lost. Another, systems generated transactions; certain transactions may be initiated by the CIS itself without the need for an input document. For example, interest may be calculated and charged automatically to customers’ account balances on the basis of pre-authorized terms contained in a computer program.
Lastly, potential for augmented management supervision, CIS can offer management a variety of analytical tools that may be used to review and supervise the operation of the entity. The availability of these tools may enhance the entire internal control structure. There are certain advantages and disadvantages in using computer in the conduct of audit. Take note that the characteristics of computer information system already tackled above pertains to some advantages and disadvantages of CIS.
Advantages of it includes, it avoids computational errors commonly done by human; eases up and alleviate the work of auditor especially when it comes to timeliness; faster and efficient in processing of information; generation and creation of accounting documents like invoices, cheques and statement of account are automatic; more timely information can be produced; With the larger reductions in the cost of hardware and software and availability of user-friendly accounting software package, it is relatively cheaper like maintaining a manual accounting system; no more manual processing of the data hence all data are automatically been posted to the various ledgers/accounts and others . On the other hand, the disadvantages of CIS are the following: it removes part of the audit trail; subject to manipulation especially to unauthorized personnel; the need for back-up files, could result into more cost, especially if computer is susceptible to power interruption and from infectious software; danger of computer fraud if proper level of control and security whether internal and external are not properly been instituted and others.