Preparing for the auditor

DP auditors can be useful consultants

by Stephen V Hinde

Abstract: DP managers should welcome the services of internal auditors as in-house management consultancy. Internal auditors appraise the systems of management controls and examine the adherence to their systems. They often belong to a professional accountancy body with formal qualifications. An audit of the computer department would look at organization, personnel administration, security and contingency plans. Auditors should be included in systems development as consultants. For operational systems, the auditor reviews application controls. Auditors can themselves use computer-assisted techniques.

Keywords: data processing, software techniques, computer auditing.

Stephen V Hinde is audit services manager at Brooke Bond Oxo and deputy president of the Institute of Internal Auditors - UK.

Data Processing, vol 28 no 1, January/February 1986

0011-684X/86/010035-05$03.00 © 1986 Butterworth & Co (Publishers) Ltd.

'Bayoneting the wounded after the battle is over' is a somewhat cynical DP manager's description of the activities of auditors. Far from fearing a visit from the auditors, DPMs should welcome auditors for what they have to offer: a free, independent, in-house management consultancy. This article will describe what internal auditing is and what you can expect from your computer auditors. The role of external auditors is not covered per se, but they do use the same techniques and may audit the same areas.

What is internal audit?

The Standards for the Professional Practice of Internal Auditing [1] issued by the Institute of Internal Auditors state that:

    Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

That is, appraising the systems of management controls and examining the adherence to these systems. The Standards go on to state:

    The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed.

In other words, the auditor is providing an internal management consultancy. The Standards represent the professional goals that internal auditors should be striving for.

The professional computer auditor

There is no statutory requirement for internal auditors to be qualified, but often they are a member of one of the accountancy bodies. In recognition of the need for professional internal auditors and computer auditors, the Institute of Internal Auditors in the UK introduced two qualifications: the Professional Qualification in Internal Auditing, leading to the designation of MIIA; and the Qualification in Computer Auditing (QiCA). The latter has been developed to provide a generally accepted standard of computer audit knowledge and experience. To satisfy the theoretical computer audit knowledge requirements in QiCA, students are required to pass the computer audit paper of the Professional Qualification. The syllabus for the computer audit paper represents the minimum knowledge that computer auditors should acquire before they are let loose on their own on an unsuspecting DP department. The syllabus is shown in the box.

What are computer audits?

The four practical experience requirements listed for the professional qualification cover the four areas of computer audit concern that you are likely to meet. Areas audited on a regular basis were ranked in the 1985 Internal Audit Survey [2] as shown in Table 1. As can be seen from the table, there is a positive correlation between size of organization and the areas audited. In describing what is involved in each of the four main types of computer audit, much use is made of iteration of the major headings, which are indicative rather than exhaustive. To go into more detail would be beyond the scope of this article. Reference should be made to the books listed at the end of the article if further information or explanations are required.

The technique most favoured by auditors is the ubiquitous internal control questionnaire (ICQ). This consists of a series of control questions which are asked of the auditee to ascertain whether or not adequate controls exist. It is an approach that was developed before computers were introduced and as such is one that auditors feel at home with. It is an approach that lends itself to ignoring the 'black box' and auditing around the computer. Such an approach is, thankfully, becoming a thing of the past. Ignoring the computer is indicative of a nonprofessional approach on the part of the auditors and one which you as DP managers should not tolerate.

Computer centre audit

The objectives of a computer centre or installation audit are to:
- ensure that proper organizational and administrative arrangements exist,
- check the adequacy of management control procedures,
- ensure an efficient, smooth running DP department,
- determine how reliable the DP department is.

The main areas that would be considered are:
- reviewing the organization structure,
- reviewing the administrative arrangements:
  - job descriptions
  - codes of conduct
  - personnel policies
  - standards
  - training
  - work schedules,
- auditing the main departmental functions,
- reviewing security programs,
- reviewing the disaster and contingency plan.

Systems development audit

It is essential that auditors are involved in the system development process, not as a member of the development team, but as a consultant. The auditors should review and formally approve the control methodologies being designed into the system at each stage in its development. Refusal to do so is an abrogation of audit responsibilities. To audit a system after the system has become operational is to audit too late: too late to ensure adequate and effective controls are designed into the system, and too late to change the system effectively and economically.

Design phase auditing does create a dilemma in the minds of some internal auditors. They fear that involvement during the design phase of new computer applications may impair their independence, which is considered to be essential to the effectiveness of the internal auditor. A research study carried out in the USA recommended inter alia that:

    Internal auditors should be involved in the design phase but only in reviewing, testing, and assessing the adequacy of application controls and in reviewing the adequacy and compliance with general controls over the application development process. [3]

A survey [4] of computer auditors conducted by ICL and the Institute of Internal Auditors carried out in 1984 reflects this dichotomy, as is shown in Table 2.

Table 2. Audit involvement in new systems (only the row headings survive in this copy; the survey figures are not reproduced):
- While user department is establishing its requirements
- Prior to any purchase of hardware or software
- Before system design is finally agreed
- During system testing
- Following installation
- Not presently covered by audit

Operational systems audit

In the audit of an operational system, the auditor is reviewing application controls. It must be remembered that usually there are additional controls in user departments which may complement and enhance those available in the computer system. Application controls can be conveniently categorized as follows.

Input controls. The objectives of input controls are to provide positive proof of complete and accurate processing. Such controls would include:
- batch controls,
- input authorization,
- rejection controls,
- transaction controls,
- sequence controls,
- cancellation of source documents.

Processing controls. These are the computer controls over ensuring that only clean data enters the system and over the integrity of the processing. These would include:
- validation checks,
- check digit verification,
- file controls (control records, control files, run-to-run controls, file identification checks),
- end-of-day batch checking of movements on online, real-time systems.

Master file controls. The objectives of these are to maintain data integrity, to prevent loss of data and to aid reconciliation of the processing. Controls would include:
- manual control accounts,
- master file balancing,
- standing data amendment controls,
- back-up and recovery techniques (generation files, check points, rollback/roll-forward).

Output controls. Here the objectives are to reconcile to the pre-input control totals and to ensure that output is confidentially released only to authorized persons.

Communications controls. Controls would include:
- message input controls,
- message transmission controls,
- message reception and accounting controls.

Use of computer-assisted audit techniques

Increasingly, computer auditors are realising that the power of the computer is there for them to use to assist them in their audits. They are, in effect, another user. Computer-assisted audit techniques may be categorized into those techniques that review real data (e.g. generalized audit software, retrieval software, special audit programs, embedded data collection) and those that review systems controls (e.g. test data, parallel simulation, integrated test facility, code comparison). The former verify data, not controls, and imply control strengths and weaknesses, while the latter verify controls, not data, and imply possible errors in data. The popularity of these techniques as reported by various surveys is shown in Table 3. With the exception of the UK Internal Audit survey, which was designed to provide comparisons with the international survey, each of the surveys only offered specific techniques for the respondents to comment upon and, as a result, they are not directly comparable. Notwithstanding this, two techniques dominate: the use of interrogation programs and the use of test data. The 1982 survey differs from the others in that the respondents were, on the whole, computer auditors. They were all delegates to Compacs '82, the annual international state of the art forum on computer audit, control and security. This helps to explain both the popularity of and the large number of the techniques.

Table 3. Comparison of computer-assisted audit techniques (percentage of respondents using each technique)

Surveys:
  A: internal auditors, UK, 1985, 395 respondents
  B: external audit firms, UK, 1984, survey size illegible in this copy
  C: internal auditors, Australia, 1984, 182 respondents
  D: internal auditors, international (mainly North American), 1983, 1687 respondents
  E: internal and external auditors, UK, 1982, 164 respondents

Technique                     A     B     C     D     E
Generalized audit software   56    21    32    67    48
Retrieval software            *     *     *     *    66
Special audit programs        *    32    42     *    52
Test data/test packs         41    21    34    40    37
Parallel simulation          14     *     8    22    16
Integrated test facility     14     *    12    12    17
Code comparison              13     *     *    20    16
Snapshot                     11     *     *    13     *
Tracing                       9     *     *    18     6
Embedded data collection      7     *     *     7    16
Mapping                       2     *     *     3     4
Software logs                 *     *     *     *    48
Program auditing              *     *     *     *    34
Program logic testing         *     *     *     *    20
Tagging                       *     *     *     *     9
Normative stimulation         *     *     *     *     6
Cusum                         *     *     *     *     6

* Indicates method not specified in survey

Interrogation programs are written in a programming language such as COBOL or PL/I; using retrieval software such as Easytrieve Plus or Filetab; or using generalized audit software such as Panaudit Plus or CARS. This latter category is an extension of the retrieval software in that it also includes a number of precoded auditors' routines, such as duplicate test, age conversion routines, and statistical routines. Peripheral to these interrogations is the use of some of the installation's utilities such as sort, dump, match, copy. These utilities are often ignored by the auditor, yet they can provide a useful set of resources, especially where the auditor cannot justify the acquisition of interrogation packages.

Interrogations are used to achieve a number of objectives. By far the most popular of these is some form of statistical extraction of data for subsequent verification or checking. In many audit departments this one objective is the sole function of the computer auditor. Other objectives are to:
- produce an exception report of data which:
  - does not conform to parameters (outside a specific range),
  - is in excess of a specific value,
  - is a duplicate,
  - is missing,
  - does not conform to a specific format,
- analyse data for patterns that indicate an area that should be investigated,
- recalculate the file control totals,
- check processing logic.
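As an added example (not code from the article or from any of the packages it names), a small Python interrogation that runs over a constructed transaction file and produces the exception report the objectives above describe (duplicate and missing sequence numbers, items in excess of an authorised limit, records not conforming to a date format), applies the check digit verification listed under processing controls, and recalculates the batch control total against the batch slip. The record layout, the modulus-11 check digit scheme, the limit and the slip total are all assumptions made for the example.

```python
import re
from collections import Counter
from decimal import Decimal

# Constructed sample transaction file (not from the article): one record per
# line as "seq,account,amount,date". Deliberate defects: seq 3 is missing,
# seq 5 is keyed twice, record 6 has a malformed date, record 7 exceeds the
# authorised limit and record 8 carries a wrong check digit.
SAMPLE_FILE = """\
1,10014,250.00,1986-01-06
2,10022,75.50,1986-01-06
4,10030,1200.00,1986-01-07
5,10049,48.25,1986-01-07
5,10049,48.25,1986-01-07
6,10057,310.00,86/01/08
7,10065,15000.00,1986-01-08
8,10011,60.00,1986-01-08
"""
BATCH_SLIP_TOTAL = Decimal("16943.75")   # constructed total from the batch slip
MAX_ITEM = Decimal("10000.00")           # assumed authorisation limit per item
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def check_digit_ok(account: str) -> bool:
    """Assumed modulus-11 scheme: digits weighted 5..1 must sum to 0 mod 11."""
    if not account.isdigit() or len(account) != 5:
        return False
    return sum(int(d) * w for d, w in zip(account, range(5, 0, -1))) % 11 == 0

def interrogate(text: str, slip_total: Decimal):
    """Return (exception report, recalculated total); exceptions are (seq, reason)."""
    rows = [line.split(",") for line in text.splitlines() if line]
    seqs = [int(r[0]) for r in rows]
    report = []
    for seq, count in sorted(Counter(seqs).items()):   # duplicate sequence numbers
        if count > 1:
            report.append((seq, "duplicate"))
    for seq in range(min(seqs), max(seqs) + 1):        # gaps in the sequence
        if seq not in seqs:
            report.append((seq, "missing"))
    for seq_s, account, amount_s, date in rows:        # per-record checks
        seq, amount = int(seq_s), Decimal(amount_s)
        if not check_digit_ok(account):
            report.append((seq, "check digit"))
        if amount > MAX_ITEM:
            report.append((seq, "exceeds limit"))
        if not DATE_RE.match(date):
            report.append((seq, "format"))
    total = sum(Decimal(r[2]) for r in rows)           # recalculated control total
    if total != slip_total:
        report.append((0, f"control total {total} != slip {slip_total}"))
    return report, total
```

The recalculated total differs from the slip by exactly the duplicated item, which is the kind of reconciliation difference the auditor would follow up with the user department.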

Most auditors would confine such interrogations to applications data, but an increasing number, albeit small, also use these techniques on systems data, e.g. IBM's SMF data. Such interrogations can be a useful means of checking upon the adherence to installation standards: job class, data set names, submission times, etc.

The test data methods involve the submission of test data either in the live system or a copy of it. The output is then checked against predetermined results. The main criticism of this method is that the auditor can only say with certainty that the data was processed correctly and that the controls worked. The auditor may infer from this that operational data was also processed correctly.

Benefit of audit

This article has described what internal auditors are and what DP managers can expect in the way of audits. DPMs should not just tolerate audits, but should encourage them, providing that the auditors adopt a constructive professional approach. They are an independent function which can advise DP management upon standards and controls and review the adherence thereto. In the 1985 Internal Audit Survey [2], 58% of the respondents indicated that in the future they planned to expand the scope of computer audits. This was by far and away the favoured direction for expansion of the internal audit function. More computer audits are coming. Act now, educate your auditors to provide you with a beneficial service and insist upon professionally educated and trained computer auditors.

References

1. Professional standards. Institute of Internal Auditors - UK (1985)
2. Survey of internal auditing in the UK & Eire. Institute of Internal Auditors - UK (1985)
3. Rittenberg, L L, Auditor independence and systems design. Institute of Internal Auditors Inc., USA (1977)
4. Survey of computer auditing. ICL and Institute of Internal Auditors - UK (1984)
5. Masmore-Gee, Craner and Santocki, The audit process in the United Kingdom. City of Birmingham Polytechnic, UK (1984)
6. Cooper and Craig, A profile of internal audit in Australia. Royal Melbourne Institute of Technology, Australia (1984)
7. Survey of internal auditing. Institute of Internal Auditors Inc., USA (1983)
8. Bailey, D F, Computer assisted audit techniques (Survey at COMPACS '82, the Sixth International State of the Art Forum on Computer Audit, Control and Security). Internal Auditing, Institute of Internal Auditors - UK (1982)

Further reading

Chambers, A D, Computer auditing. Pitman (1981)
Disaster and contingency planning in data processing environments. Institute of Internal Auditors - UK (1983)
Computer audit, control and security guidelines for managements, data processing staff and computer users. Institute of Internal Auditors - UK (1981)
Computer audit, control and security manual. Institute of Internal Auditors - UK (1985)
Use of generalised audit software. Institute of Internal Auditors - UK (1983)

Brooke Bond Oxo Ltd, Bridge House, Bridge St, Walton-on-Thames, Surrey KT12 1AL, UK.