SECURITY
Software solutions to assist
by I. J. DOUGLAS
As more companies computerise their accounting methods, auditors increasingly need tools to examine computer files. A review of packages follows.

A few years ago most auditors concentrated on auditing "round the computer". That is, they checked the computer input and compared it with computer output. If necessary, they manually reprocessed data so that it could be compared with the computer calculated results.

Auditing "round the computer" was feasible with small and medium sized batch systems. But with the growth of large real-time systems, where printed output is kept to a minimum, and the system processes each transaction independently rather than in a batch, it became increasingly difficult and economically impractical. Auditors, therefore, had to adapt their procedures and develop a new approach for these systems.

Computer auditing is now an established sub-profession within the auditing profession. Most of the large external auditing firms have set up computer auditing specialist groups comprising both computer professionals and accountants. Internal auditors are also trying to increase their expertise in computer audit. The Institute of Internal Auditors, which has a UK membership of about 1,400 members, recently introduced Britain's first professional computer audit qualification. This qualification, which is also open to non-IIA members, may go a long way to increasing general computer audit standards and professionalism.

One of the most widely used techniques developed for the auditing of computer systems is the audit interrogation package. Basically an enquiry or report writer, it has been designed so that the auditor can write his own file interrogations in a simple and straightforward manner.

The alternative approach would be for the auditor to ask the dp department to write a one-off program for him. However, by doing this, he would be relying on the work of one of the very departments he is trying to audit and naturally many auditors are unwilling to do this.

To maintain the auditor's independence most large auditing firms and internal audit departments now have their own audit interrogation packages. Indeed, an auditor without a package has been compared to a blind auditor who gets his client to read out figures for him from the manual accounting records.

[Photograph: Computer files at the auditor's fingertips.]

Interrogation packages

Interrogation packages allow the auditor to utilise the power of the computer in his audit, to sort, add, compare, select and report on files and records as he requires.

Basically easy-to-use report writers, these packages can be used by auditors with a certain amount of computer training. By no means do they require the level of skill needed for Cobol programming. Many of these packages are in fact pre-processors for Cobol programs. The auditor codes the facilities he requires in a simplified form, and the package processes this to produce a Cobol program.

Some packages have special routines, such as stratifying records in a file into groups by financial value. Another common routine is statistical sampling. This enables records from a file to be chosen on a random but statistically sound basis, so that the auditor, after checking these records in detail, will be able to relate the results to the full file.

Occasionally an auditor may wish to use a package which does not run on the machine he has to audit. In this case a bureau with sophisticated file conversion utilities can be used to convert the data into suitable format.

Many of the packages used by auditors for file interrogation cannot interface with database management systems. Even the better supported packages can only interface with most common DBMS systems.

If a package cannot interface with a database management system, the database can be written to a conventional sequential file for accessing by the audit program in the normal way. This, however, takes a lot of computer time. In addition, the auditor may have to rely on the computer department to write the database extract program. Since this could undermine the independence of his check the auditor should at least be capable of checking the extract program coding.

Alternatively, if the auditor has staff experienced in systems programming, it may be possible to amend the audit package to interrogate the database by performing a database "call" when it needs to read a record.

Likely impact

What is the likely impact on the dp department? Although most auditors will normally want and be able to design and code their own interrogations without assistance from the dp department, they may require assistance in preparing job control instructions, which can obviously vary considerably from computer manufacturer to manufacturer. In fact, many dp managers insist that dp staff prepare the job control instructions, because of fears that the auditor may corrupt or destroy operational files.

Usually, the auditor will submit his job through the organisation's normal operational arrangements. But in some circumstances for security reasons the auditor may wish to restrict the number of people handling his enquiry, or to request that it is run quickly, leaving little time for it to be manipulated in any way by computer department staff. In exceptional circumstances the auditor may ask to be present in the computer room when the job is run.

The dp manager should not look upon such requests as slights on the integrity of his staff. Rather, they are an example of the auditor trying to do his job properly, i.e. to independently verify the integrity of the financial data controlled by the dp installation.

I. J. Douglas, a senior consultant at the National Computing Centre, is joint author (with A. J. Thomas) of Audit of Computer Systems, published by the NCC in 1981.

DATAPROCESSING
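
The stratification and statistical sampling routines described under "Interrogation packages", sketched as an added example (not code from the article or from any package it reviews). The value bands, the constructed ledger, the choice to check the top band in full and all function names are assumptions made for illustration.

```python
import random
from collections import defaultdict

# Assumed value bands (upper bound in pounds, label); not taken from the article.
BANDS = [(100, "low"), (1_000, "medium"), (float("inf"), "high")]

def build_ledger(n=300):
    """Constructed sample file: every 25th record is overstated by 5.00."""
    ledger = []
    for i in range(1, n + 1):
        book = float((i * 37) % 2500 + 1)
        error = 5.0 if i % 25 == 0 else 0.0
        ledger.append({"rec": i, "book": book, "true": book - error})
    return ledger

def stratify(records):
    """Group records into bands by book value."""
    strata = defaultdict(list)
    for r in records:
        label = next(name for limit, name in BANDS if r["book"] <= limit)
        strata[label].append(r)
    return strata

def draw_samples(strata, sizes, seed):
    """Random selection per stratum; the recorded seed lets a reviewer
    re-run the job and confirm the same records were chosen."""
    rng = random.Random(seed)
    return {name: rng.sample(recs, min(sizes[name], len(recs)))
            for name, recs in sorted(strata.items())}

def project_error(strata, samples):
    """Relate the sample to the full file: mean error found per sampled
    record, multiplied by the number of records in that stratum."""
    total = 0.0
    for name, sample in samples.items():
        found = sum(r["book"] - r["true"] for r in sample)
        total += found / len(sample) * len(strata[name])
    return total

if __name__ == "__main__":
    strata = stratify(build_ledger())
    # Small samples of low-value records, every high-value record checked.
    sizes = {"low": 5, "medium": 20, "high": 10**6}
    samples = draw_samples(strata, sizes, seed=1981)
    for name, sample in samples.items():
        print(f"{name}: {len(sample)} of {len(strata[name])} records selected")
    print("projected overstatement:", round(project_error(strata, samples), 2))
```

Only the sampled records need detailed checking; the `true` field stands in for what that checking would establish.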