Post on 25-Feb-2023
AUDITING IN THE AGE OF EDP
A THESIS
SUBMITTED TO THE FACULTY OF ATLANTA UNIVERSITY IN
PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR
THE DEGREE OF
MASTER OF BUSINESS ADMINISTRATION
BY
KANTILAL CHANDMAL JAIN
SCHOOL OF BUSINESS ADMINISTRATION
ATLANTA, GEORGIA
JUNE 1968
TABLE OF CONTENTS
ACKNOWLEDGEMENTS
LIST OF FIGURES
Chapter
I. INTRODUCTION
II. THE ELECTRONIC DATA PROCESSING SYSTEM
III. THE EDP SYSTEM AND THE AUDITOR
IV. METHODS OF INTERNAL CONTROL
V. TECHNIQUES OF AUDITING WITH EDP
VI. A SUMMING UP
BIBLIOGRAPHY
ACKNOWLEDGMENTS
The writer is deeply grateful to the following persons for
their assistance and contributions: Professor J. B. Blayton, Professor
of Accounting, Atlanta, whose suggestions provided the substance for
a better thesis; Dr. K. K. Das, Professor of Business Administration,
Atlanta University, who, through several discussions, made pointed,
helpful observations; and Dr. Harding B. Young, Dean, School of
Business Administration, Atlanta University, and Professor of Finance,
whose contribution was invaluable.
It goes without saying that without the wonderful moral support
of Mrs. Aruna Das, this thesis would not have been completed.
K.C.J.
LIST OF FIGURES
Figure
1. The Logic of a Flow Chart
2. Flow Chart
3. Simplified On Line, Real Time Configuration
4. Full System of Computer Operation
5. Program Flow Chart
6. Testing the System
CHAPTER I
INTRODUCTION
A History of Electronic Data Processing
A "thinking revolution" has taken place during the last decade.
The battle has been won solely because men have devised the most potent
weapon of the era — the computer. With it, they have achieved not
only a faster way of performing calculations, but have evolved a modern
approach to the organization of thought. The invention of computers
is a magnificent example of men rising to a challenge. First the
nation was dominated by an agricultural economy; then the industrial
revolution changed its complexion. Within the last twenty-five years
the third major change has occurred; it is the one in which science and
technology have moved to a position of preeminence.¹
In our modern economy, the electronic data processing (EDP) system each
day assumes a more vital role in the life processes of the business
community. It has been approximately fifteen years since the first
computer, which is the heart of an EDP system, was made available
commercially. However, in this relatively short period of time, industry has
witnessed an extraordinary growth in the use of the computer and an
unprecedented impact on the processing of information. In 1961, Ferst
wrote: "The electronic age has reached the office. There are, at
present, approximately 4,900 computers in use in this country and more
¹Shirley Thomas, Computers (Holt, Rinehart and Winston, Inc., New York, 1965), p.7.
than 6,000 are on order."¹ In 1963, Hafner wrote: "Well over 50%
of the top 500 industrial companies now have extensive data processing
operations and over 65% of the applications placed on computers have
occurred since 1959."² In 1965, Arkin wrote: "In 19àb, there were
more than 21,600 electronic computers in use and many are now devoted
in whole or part to accounting and other record-keeping operations."³
In fact, one might say that the advent of EDP systems has brought
about, in a revolutionary manner, a new environment in which industry
may function.
The question naturally arises: What is an EDP system? An EDP
system is not just a computer as is sometimes thought; it is a number
of elements, each of which performs a function in the system. An EDP
system consists of:
1. An electronic data processor (the central processing unit).
2. Associated peripheral equipment, such as data preparation,
input and output devices. This central element performs
arithmetic, logic, storage of data during processing, and
control.
3. Procedures that tell what data are needed and when, where they
are obtained and how they are used.
4. Instruction routines for the processor.
¹Stanley D. Ferst, "Current Development in Auditing Procedures," The Journal of Accountancy (November, 1961), pp.77-78.
²George P. Hafner, "Auditing EDP," The Accounting Review (October, 1964), p.979.
³Herbert Arkin, "Computers and The Audit Test," The Journal of Accountancy (October, 1965), p.44.
5. Personnel to operate and maintain equipment, analyze and
set up procedures, prepare instructions, provide input data,
utilize reports, review results and supervise the entire
operation.¹
There can be no doubt that this environment will have an impact
on the internal auditing function, which may be looked upon as a managerial
control that measures and evaluates other controls. The question
is only to what degree and in what manner this impact will take effect.
Part of the answer to this question depends on what phase of computer
development the internal auditor will encounter. And this will depend
on how the computers are used. The scope is so vast that the answer
might almost be "every way, everywhere." Recently the magazine,
Computer and Automation, compiled a list of 600 areas of application
and this was by no means a complete tally. Any problem, process, or
concept that can be represented mathematically (symbolically) can be
solved, controlled or investigated by a computer. Therefore, there would
be many approaches which auditors would have to encounter in their audit
process.
There are three basic phases of computer development which can be
found in industry: (1) the card-oriented system which functions with
almost the same accounting techniques and procedures as electrical
accounting machines; (2) the tape-oriented system which functions with
new concepts of data storage and retrieval; and (3) the real time random
¹W. Thomas Porter, Jr., Auditing Electronic Systems (Wadsworth
Publishing Company, Inc., Belmont, California, 1966), p.2.
access computer system, which often eliminates the need for original
documents. Each of these systems places new demands on the internal
auditor.¹
Both the card-oriented systems and the tape-oriented systems are
batch processing systems. Data are fed into these systems in measured,
often sequential, batches. With the card-oriented computer system in
particular, the auditor may find that the computer is used merely for
high speed rudimentary operations such as adding, sorting, matching,
printing, and minor processing. However, with a more sophisticated
approach such as an on line, real time system the auditor may encounter
an entirely revolutionized concept of a management information system,
encompassing the entire sphere of data flow and communications throughout
the business enterprise. Most auditors will primarily encounter
batch processing systems, which allow them to continue using conventional
auditing methods and techniques.
This study will investigate whether using conventional methods
is the best approach.
Regardless of what phase of EDP is encountered, the fundamentals
and objectives of the internal auditor's work will not change; however,
the methods and techniques he will use will need modification. The
auditor will find a shift in emphasis; he will be more concerned with
controls that validate machine accuracy than with those which test
employee accuracy. Furthermore, he will be "more concerned with checking
¹Wayne S. Boutell, Auditing with the Computer (University of California Press, Los Angeles, California, 1965), p.5.
the individual items being processed by the system."¹ In addition,
the auditor may request that there will be increasing use of EDP audit
techniques in his work.
To function effectively the auditor must not only adapt his methods
and techniques to the particular installation that he is working with,
but he must keep abreast of new developments and concepts in data processing.
The new environment the auditor is faced with is a changing
environment. The following statements reflect this change: "...that
as a minimum you can expect virtually every company which now has tabulating
equipment to have an electronic computer within a relatively
short period,"² and "...that nearly all business systems will be of
the OLRT (on line, real time) variety by 1970."³
The internal auditor cannot afford to ignore the impact of statements
such as these, which have appeared in current literature. If he
does, he will reduce his profit contribution to the company and suffer
the consequences.
The introduction of EDP into business has created a new phase of
development of specialized terms, and these special terms are at present
extensively used. In fact, this new "computer language" has created
many problems in its uses and misuses. The internal auditor has to communicate
intelligently with the computer personnel to find out the consistency
of the data. Hence, he should know the technical vocabulary
¹T. W. McRea, The Impact of Computers on Accounting (John Wiley & Sons, Ltd., London, 1964), p.199.
²Gregory M. Boni, "Impact of Electronic Data Process on Auditing," The Journal of Accounting (September, 1953), p.39.
³Richard E. Sprague, "On Line-Real Time Systems," Management
Services (May/June, 1964), p.41.
used in the EDP system. The technical terms are used by the auditors
to make up the work rapidly with thorough investigation. At the same
time, the requirements of modern techniques to make the operation smoother
and more convenient are also fulfilled. It also helps to increase the
efficiency and the effectiveness of reaching the increased volume of
work in a highly progressive computer world.
This technical vocabulary has a threefold purpose: (1) to
acquaint the auditor with the necessary technical terms; (2) to present
clear, accurate and concise definitions of these terms; and (3) to provide
a reference to terms used in succeeding chapters of this paper.
Definition of Terms
Assembly Program — A computer program which takes sequential instructions written by the programmer in a non-machine language and changes them to codes or language used by the machine on which the program is to be run.
Audit Trail — The path left by a transaction when it is processed; consists of the original document, entry in a transaction list, posting to a file record, and inclusion in a report. Auditors use the audit trail of a transaction for determining the validity of records.
Batch — A number of records or documents grouped together for the purpose of processing as a single unit.
Batch processing — A collection of data over a period of time for sorting and processing as a group during a particular machine run.
Bulk Storage — Large-volume storage used to supplement the high-speed storage; may be addressable, as with disks and drums, or nonaddressable, as with magnetic tapes. Also called "secondary" and "external storage."
Communication Channel — Messenger, voice, mail, telegraph, telephone, and microwave available for transmitting business data over short or long distances.
Computer — An electronic data processing machine and its auxiliary components capable of accepting information, applying prescribed processes, and supplying results in accordance with a program of internally stored instructions.
Console — That component of a data processing system which provides facilities for manual control and observation of the system's operation.
Data — Figures, words, or charts that refer to or describe some situation.
Flow Chart — A graphic depiction of the logic of a data processing system showing the routines required to solve a problem or arrive at a desired result. Less detailed than the block diagram since individual machine operations are not shown.
Hardware — A colloquialism applied to the mechanical, electrical and electronic features of a data processing system. It is most frequently used to differentiate between the physical features of the system and those which the user introduces through coding or programming systems.
Library — An organized collection — for example, tape-file library or subroutine library.
Off-Line Equipment — Equipment not connected directly to the central processor but working through an intermediary device. For example, a processor can write output on an on-line magnetic tape that is later used as input to an off-line printer for printing reports.
On-Line Equipment — Equipment connected directly to the central processor to furnish or receive data — for example, card readers, high speed printers, inquiry stations, and direct display devices.
Program — A plan for the automatic solution of a problem. A complete program includes plans for the transcription of data, coding for the processor, and plans for the absorption of the results into the system. The list of coded instructions is called a "routine."
Real-Time Operations — Processing data in synchronism with a physical process rapidly enough so that results of data processing are useful to the physical operation. Sometimes called "on-line, real-time control."
These definitions have been given in current literature.¹
¹Guide for Auditing Automatic Data Processing Systems (Department of the Air Force Comptroller, November, 1951), pp.A.1-A.7; Robert H. Gregory and Richard L. Van Horn, Automatic Data Processing Systems, 2nd ed. (Wadsworth Publishing Company, Inc., Belmont, Calif., 1963), pp.745-99; and Planning for an IBM Data Processing System (International Business Machines Corp., New York, January, 1961), pp.L?-51.
CHAPTER II
THE ELECTRONIC DATA PROCESSING SYSTEM
Business firms in general, and public accounting firms as their
consultants, have become increasingly cognizant of the role of the
business information system in effective management, especially during
the past ten to fifteen years. This increasing awareness of the
crucial role of systems design is due to a number of underlying causes:
1. The failure of traditional accounting systems to supply data
relevant to managerial decision making.
2. The increasing emphasis on "real-time" reporting, as opposed
to receiving information after a significant time lag.
3. The lack of a competent clerical staff for manually processing
data required by the more rigorous demands of an expanding
business information system.
4. The struggle to keep data processing costs "realistic."
5. The impact of the current literature on managerial decision
making.¹
Prior to the 1950's, the number of records kept and the quantity
of information processed by business in general was completely inadequate.
Even the most sophisticated electronic accounting systems of
the time required almost prohibitive amounts of time and effort to process
information. The punch card system was limited, due to the slow
card-processing speed of the machines. The advent of electronic data
¹Boutell, op.cit., p.9.
processing systems brought with it the possibility of performing complex
operations upon vast amounts of information in a relatively short
period of time.
Batch Controlled Systems
Early computers were made with vacuum tubes, which were complicated
in use and less durable. Computers which have been called the second
generation were developed by the use of solid state components, such
as transistors; they were much smaller machines and were manufactured
more cheaply. In recent years, the computer which can be called a
third generation computer uses miniaturized circuitry and can be as small
as a filing cabinet. The early computers developed by IBM, NCR and
RCA measured speed in thousandths of a second; but the later ones operate
in billionths of a second. The latter are generally used by the
Department of Defense and by large brokerage firms on Wall Street.¹
There is a difference between computers used for business
purposes and those used for scientific purposes. Computers which
are designed for business must be able to handle large volumes of raw
data with accuracy and speed. Computers which are used for scientific
research usually handle a small amount of data, and subject this data
to complex machines.
Types of Computers
There are two types of computers: (1) the Analogue computer;
and (2) the Digital computer.
¹Arkin, op.cit., p.RU.
The Analogue Computer.—In using the analogue computer, the
problem to be solved is arranged as a model in which the behavior of
the component part of, say, the engineering system under study is
mimicked by that of electronic computing units. There is a close
correspondence between the model and its physical counterpart, which
makes it easy to translate measurements and ideas from one to the
other.¹ In other words, it can be said the analogue computer is
a machine which operates upon the principle of creating an analogy to
obtain a desired result. Examples of analogue computers are the
common slide rule, in which distances along the slide rule are used
as analogies to the numbers upon which it is required to operate, and
the various electronic analogue computers which are used to simulate
highly complex physical and mathematical problems.
The Digital Computer.— The term "digital computer" may be used
to include both the calculator, which requires an external operator
or control to constantly feed its instructions during operation, and
the internally-stored program computer, in which the instructions, or
"programs," are held or contained within the computer itself. "Such
computers also usually possess the ability to operate upon the instructions
themselves, and to alter the sequence of instructions in accordance
with results already calculated."²
Difficulties in Using the Analogue Computer
Analogue computers have created many problems in their use in
¹F. J. M. Laver, Introducing Computers (Her Majesty's Stationery Office, London, 1965), p.5.
²Gregory and Van Horn, op.cit., p.752.
business. The main idea of adopting a "computer" as a substitute for
clerical work is to get accurate data at low cost and at speed. The
analogue method has created some practical limitations, as follows:
1. The accuracy is low, partly because of the difficulty of
setting and maintaining values in the electrical circuits and
partly because the computing units have inherent limitations.
2. Problems take a considerable time to set up, during which the
computer cannot be used for other work.
3. Since each computing unit introduces errors, the model should
use as few units as possible, but minimization takes time and
effort and may diminish the analogy with the real system.
4. The computing units are accurate only over a limited range
and the calculations must be scaled to stay within limits.¹
In short, it can be said that analogue models are very easy to
"play about with" and in many fields they allow a more direct approach
to a problem than can be achieved by digital techniques. However, each
analogue computer tends to be oriented towards model building in only
one field, so when a range of work has to be undertaken, the digital
computer offers greater flexibility. Also the digital computer can
usually give answers of a higher accuracy than the equivalent analogue
machine and this can be important in some cases. This internally-
stored-program digital computer is the heart of a modern electronic
data processing system and, as such, will be referred to simply as "the
computer."
¹Laver, op.cit.
Basic Functions of the Computer
The computer must possess essentially the same characteristics
required of a clerk in the execution of his assignment. These characteristics
have been grouped into four categories — input, storage, processing
and output. The following diagrams show the relationship between
these functions:
[Diagram: Central Processing Unit]¹
Input.—The input is operated upon or processed within the
systems. The first step in preparing for an EDP system is to define
the data processing problem. The problem definition determines what
type of output, or result, is desired and what type of input data is
required to produce this output.
[Diagram: Problem Definition: INPUT, PROBLEM AREA, OUTPUT]²
¹Richard W. McCoy and John J. Anderson, Computer Accounting Case (John Wiley & Sons, Inc., New York, Sydney, London, 1966), p.4.
²Philco Corporation, Government Group Computer Division, Pennsylvania, Preparing for an Electronic Data Processing System Installation, February 1, 1961, p.TT
For example, if the data processing problem consists of updating an
inventory file, the input data would include all the transactions for
the day and the current inventory file. The desired output would be
an updated inventory file.
Storage.—Storage is the ability of the machine to retain the
program of instruction internally so that the individual instruction may
be used over and over again without being reread. The instruction
may be modified during processing — proof of versatility. Conversely,
the type and quantity of storage built into an EDP system will determine
the types and extent of data processing the machines can handle. An
EDP system usually consists of several storage devices of more than one
type, because each device has its own particular characteristics. In
order for the central processor to operate at great speeds it needs
internal high speed storage, and in order for it to operate upon large
amounts of data it needs high capacity external storage.
Data storage devices have the ability to store data either
sequentially or randomly. Random access storage permits immediate
access to all data without the need to examine sequentially all of the
recorded data. The storage used in the central processor is high speed
random access storage. As previously noted, this storage is part of
the central processor; however, the storage units themselves may be
physically separated from the central processor unit.
Processing.— In order to solve a given problem through the use
of a digital computer, it is necessary to: (1) analyze the problem
thoroughly; (2) decide on a solution procedure; and (3) create a step-
by-step set of instructions which performs the procedure. In other
words, it can be said that the function of the computer's central
processing unit, or CPU, is the capability of manipulating data and
making logical comparisons leading to variations in the paths taken
through the instructions of the program. It is through this logical
ability that a computer can make decisions. Such a decision, for example,
might be to allow or disallow a purchase on credit based on a
comparison of the new account balance with a preestablished credit limit.
Flow Chart.— Flow charts are used extensively in solving problems
involving computers; however, the central idea of a written sequence of
steps to be performed may apply to any problem-solving situation.
Before a person solves any problem, some planning should be done; even
for very simple problems, the planning is done consciously.¹ For
problems involving several actions, such as baking a pie, perhaps a
list of steps will suffice, but for more complex situations, the necessary
directions may require consideration of the possibility that a
certain step cannot be taken and that something else must be tried before
continuing; in other words, alternatives must be considered. This latter
situation is best represented by a flow chart.
The illustration in Figure 1 shows how one might describe the
various steps involved in using a dial form to call another person.
The flow chart technique in the illustration may appear to involve
some unnecessary effort to solve such a simple problem, but the intention
is to demonstrate that the steps of a process can be organized,
and to suggest that this method can be used in more complex situations.
A system flow chart shows what job is to be accomplished.
¹Charles R. Raues, Anthony F. Prluso and William S. Worley, IItran/360 (Addison Wesley Publishing Company, London, 1967), p.6.
The system flow chart shown in Figure 2 is a form for credit control in
a leading company. In this chart, the summary of the procedure of
credit control is shown.
Thus far the discussion has centered about an EDP system's
functions, and perhaps a brief illustration of what an EDP system can
accomplish will be fruitful now. Employing EDP in the area of credit
control will give an insight into its possible advantages and uses.
Controlling of credit management is concerned with the proper computation
of control limits. If there is no proper control on credit then
the cash inflow will be "tied up" unnecessarily.
A computer can review sales statistics and relate these to
projected sales demands, and then compute the optimum limits by which
it can give what the total credit sales would be in the coming year.
On Line, Real Time Systems
On line data processing systems have recently become of interest
in digital computer applications. Developments in digital transmission
and availability of faster bulk storage devices and the use of
man/machine interface devices have stimulated a new kind of data processing
— information is entered into the system as it is generated.
Outputs are requested as they are required. These inputs and outputs
are occasioned by external stimuli — man or machine — to which the
computer responds.
The on-line computing systems include at least two important
classes of systems, the batch controlled system and the real time
system, which processes data and reports it or stores it as it happens.
The batch controlled system "forms the basic building block" upon
which on line, real time (OLRT) systems may be built.¹
With OLRT systems, management can be informed of results, exceptions
and trends as they occur and, in time, take corrective action
when necessary.
In the early 1950's, one could project the advent of numerous
card-oriented and tape-oriented EDP systems. Similarly, one can foresee
the increasing importance that real time systems will have for the
business community in the near future. The adoption of OLRT will be
of major consequence and will have a greater effect on industry than
the introduction and use of electrical accounting systems had.²
Real time computers can react and process data within thousandths
of a second, can quickly receive and transmit data to and from remote
points, and can assign priorities to operations based on the agencies
involved. In fact, real time systems receive and process data almost
simultaneously (see Figure 3).
The term "real time" is, however, "approximate rather than
literal"³ when applied to a business application. In addition, batch
controlled systems have on-line equipment, such as a magnetic tape unit
and a card reader. Therefore, not all on-line EDP systems are real
time systems; however, every real time system uses on-line equipment.
¹Boutell, op.cit., p.41.
²Michael E. Shays, "The Feasibility of Real Time Data Processing,"
Management Services (July/August, 1965), p.20.
³Felix Kaufman, Electronic Data Processing and Auditing (The Ronald Press Company, New York, 1961), p.11.
FIGURE 3
SIMPLIFIED ON LINE, REAL TIME CONFIGURATION
[Diagram; surviving labels: Communication Network, Management Interrogation Terminal]
Because real time systems have large amounts of storage and complete
communication facilities, they can be used for centralized control
of decentralized operations. One of the basic features that enables
these systems to function is the large amount of high speed core storage
and high speed random access storage. This large storage capability
of OLRT systems enables a single file of many related files to be duplicated.
"In effect, it is now possible to consider the introduction of
a fully integrated operational control system which means that all
transactions go through and are controlled by the single system."¹
As both types of processing will be operating concurrently, to
make effective use of the central processor's time the executive program
is employed. The central processor can function at a much greater speed
than the output and input operations, hence, operations performed on the
basis of OLRT would be of great importance for business firms. The
question remains, however, whether OLRT is the answer to the future
business demand.
The future of on-line systems depends a great deal upon the
future of off-line systems. There is a great deal of talk these days
about a semi-automated mathematical laboratory in which a mathematician
could prove theorems that he could not prove without computer assistance.
How about having the computer prove the theorems all by itself?
Suppose the artificial intelligence people make a machine, which can
prove new theorems by itself. What becomes of the semi-automated
mathematical laboratory then? It would be useless, would it not?
¹J. T. Mapletoft, "Satisfying the Need to Know...In Real-Time," Systems and Procedures Journal (March/April, 1965), p.11.
Suppose a computer program is written which is able to write computer
programs; suppose problems are stated to a computer which is able to
program itself to solve the problems. What then will become of the
on-line programming system? Will it not be unnecessary?
Today we are in a very exciting period when interest in on-line
systems is extremely high. The great surge of interest in on-line
systems cannot last forever. What comes next? What comes after
the on-line systems? Perhaps a return to off-line systems as the
capability grows to have machines become better able to do things all
by themselves. It probably takes a very large computer to solve useful
mathematical theorems automatically, but it is nevertheless likely that
such a system will be built eventually. In the past, there have been
cycles in the interest in on-line systems. In the early days, on-line
use of computers was common, because no one knew of anything they could
do. Then there were the bleak years of insulation between users and
computers to gain computing "efficiency." Now, once again, there is
an outburst of interest in on-line computer systems.
In the future, also, there will be changes in the emphasis on
on-line systems. In five years, on-line programming systems will be
commonplace, and a conference on on-line systems would be out of place.
Research interest in on-line systems will have faded, although application
of them will still be widespread. Perhaps general purpose automatic
problem solvers will come into use soon after that. If so, even
the use of on-line programming systems may decrease.
Eventually, the process control on-line studies and the automatic
problem solving work will come together to make automation. Computers
will then truly be on-line with the physical world in the same sense
that human beings are on-line with the physical world. Once again,
there will be a resurgence of interest in on-line systems. What the
author is predicting is that today's interest in systems in which a
man and a machine get together on-line will be replaced in the distant
future by an interest in systems in which a computer gets directly on-line
with the real world.
CHAPTER III
THE EDP SYSTEM AND THE AUDITOR
A great variety of machine systems are now available for the
computing needs of science, business, engineering, and defense; and
equally important, additions and improvements are being developed with
amazing rapidity. So far, data processing has progressed to a point
where one giant computer can operate faster than 500,000 men with
desk calculators. In such a modern environment, the auditor plays a
significant role which has unlimited capacity for rapid processing
of great volumes of data and the computer has proved to be the most
useful tool to achieve the objectives.¹
The primary objective of the annual audit examination is the
expression of the independent auditor's opinion about the fairness with
which the client's financial statements present the financial position
and results of operations. This objective is primary in the audit
of electronic systems as well as non-electronic systems. However,
the use of the computer and the design and development of management
information systems in an encouraging number of companies, has suggested
a second objective for an independent audit, that is, to support a
report to management on effectiveness of information systems for internal
planning, control and decision making.
The auditor can use EDP in two ways when performing tasks related
to existence and valuation. One method is to use test decks;
the other is the use of computer audit programs.

¹Jerome B. Cohen and Sidney M. Robbins, The Financial Manager
(Harper & Row, Publishers, New York, 1966), pp.262-63.
Test Decks
The test deck is prepared by the auditor to determine the
effectiveness of the data processing system in use. The test deck is
designed to simulate desired types of transactions and to test specific
program controls. The deck is in machine-readable form and is processed
with the client's computer program; it is an important and
dynamic tool in the auditor's testing and evaluation of the system
of internal control. The computer audit program is designed, developed,
and controlled by the auditor for analyzing information generated
by the system. Client's records are processed with these programs
to get information for the auditor's evaluation or for further examination.¹
¹Porter, op.cit., p.35.

Whatever the situation, two approaches to auditing an EDP system are
normally used: the around the computer or "deaf ear" approach,
and the through the computer approach. When the deaf ear approach is
used, the auditor can apply the logic that if the source data can be
proven correct, and if the output accurately reflects the source data,
then the output must be correct. The auditor, in effect, is saying
that the mechanics of how the output was produced do not matter.
He is ignoring all of the complex data processing which takes place
within the computer. Thus, the auditor may audit the input and output
of data that is entered and received from the EDP system, and hence,
audit around the computer. Auditors take this approach for three
basic reasons: (1) they have worked with this approach before and are
familiar with it; (2) the auditor does not need to acquire a technical
knowledge of the system itself; and (3) the audit trail conditions found
in most EDP installations have remained relatively unchanged.¹ The
state of the audit trail conditions is a key factor. If the audit
trail remains intact, the auditor may be satisfied to ignore the
processing step and audit around the computer.
The Audit Trail
The audit trail consists of documents, journals, ledgers, and
worksheets that enable an auditor to trail an original transaction
forward to a summarized total or from a summarized total backward to the
original transaction. Only in this way can he determine whether the
summary accurately reflects the transactions of the business. It enables
the auditor to reconstruct each step in the process of preparing the
output from the input. In many simple EDP situations, a visible audit
trail will exist. For example, after a master file and transaction
file dump, the auditor can visibly trace the audit trail by using an
employee number from time clock card to employee pay checks.² As the
EDP situation becomes more complex, it becomes increasingly difficult
to trace the audit trail. In an accounts receivable operation, the
sales and cash receipt transactions as well as the individual customer
balances may be stored on magnetic tape.

¹Thomas W. Porter, Jr., "Evaluating Internal Controls in EDP Systems," The Journal of Accountancy (April, 1964), p.30.
²Guide for Auditing Data Processing Systems, loc.cit.
In a sophisticated EDP situation such as an on line, real time
system, almost the entire sphere of business information may be stored
in one of several nonvisible forms. In addition, the various transactions
affecting any one operation may have entered the system randomly
rather than in a sequential batch and may be stored in a random manner.
In EDP systems an audit trail minimizes printouts because they
take up a large amount of valuable time of a computer. The major advantage
of using EDP which can be distinctly brought forward is the
fact of processing data at great speed.
This kind of method of audit trail traces the procedures involved
in converting source documents to the end product. If the auditor
can assure himself that the procedures of the system are correct, he
is, in effect, tracking the procedures of each individual transaction.
When the auditor audits around the computer, he is primarily
concerned with auditing input and output functions. However, if there
is no visible audit trail (one of the traditional "tools" of the auditor),
how will the auditor perform a procedural audit trail investigation, if
not by auditing through the computer? Finally, the matter of correctly
prepared input not being accurately transferred or delivered to the
computer can be overlooked in the deaf ear approach.²

¹Boni, op.cit., p.39.
²Guide for Auditing Data Processing Systems, loc.cit.

Auditing Through the Computer
With the modern development in the field of accounting and the
progress in industry, more work has accumulated for auditors to verify
and there are accounts of companies to be certified, in respect to
maintaining the interest of the company as well as the related parties
and/or society. Electronic data processing equipment can be an important
audit tool and the auditor should know how to use the computer and
the advantages to be gained from its use. At the same time, the problems
that will confront him while using the computer cannot be ignored.
By now it should be evident that the deaf ear approach is inadequate
in many computer applications and consideration should be given to auditing
through the computer. Auditing through the computer is not a new
concept and was first discussed in 1955 by Samuel J. Broad.¹ However,
the usefulness of this approach becomes more apparent each day as EDP
systems become more complex. With this approach, the auditor may apply
the logic that if there is proper control of computer operations and if
the controls and procedures used in the computer programs are effective,
the correct processing of acceptable input will result in acceptable
output.²
The invention of new techniques and auditing through the computer
have focused attention on two major areas, input and processing,
as opposed to the deaf ear approach, where the auditor is most
concerned with the area of input and output. There is a certain point
where some stages of auditing the input are identical with both approaches.
All data are necessary for a particular operation; all the information
to be entered in this system reflects upon it one way or another
during the operation.

¹Boni, op.cit., p.41.
²Porter, "Evaluating Internal Controls in EDP Systems," loc.cit.
The first area that is given major attention when auditing through
the computer is the processing function. The auditor using this approach
is concerned with examining the entire system and he definitely wants
to know how the data are produced. Much attention will be given to
the program which instructs the computer in each step taken in processing
the data. The program performs many functions previously performed
by clerical and management personnel and is a vital factor in EDP.
Once again, the auditor will be concerned with the proper application
of internal controls. There are many internal controls that will
facilitate the correct processing of data and it is the responsibility
of the auditor as well as of the management to see that these controls
are applied.
There is a reason why the auditor, when auditing through the computer,
places less emphasis on output and more on input and processing.
The logic behind this is that if the auditor has assured himself that
there is proper internal control and that this control is indeed effective,
he does not actually have to audit the output. This is so because,
by auditing the source data from which the output is produced, he is,
in effect, auditing the output. Cerra makes the point that auditing
through the computer not only improves the scope and quality of the
audit but provides an objective appraisal of the EDP system as well as
an appraisal of the effectiveness of internal controls.¹

¹Harold M. Cerra and James Vanderpol, "An Approach to the Examination of Accounts Maintained on Electronic Computers," Lybrand Journal, 1963, Vol., No.4, p.15.
Many auditors have not yet been exposed to EDP systems and most
of those who have have worked with printed output records only and have
made little attempt to acquire any depth as to EDP operations.¹ Before
the auditor can audit through the computer, he must acquaint himself
with the EDP environment. The auditor must understand the concepts of
EDP, be familiar with what the computer and the peripheral equipment
can and cannot do and have a reasonable knowledge of how the various
machines function. In addition, this approach requires a thorough
understanding of the techniques of auditing with EDP and the various
methods of built-in, programmed and machine room controls. The auditor
must have some technical knowledge of EDP and the more learned he is,
the better he can function. However, it is not essential that the
auditor knows as much about the computer system as the computer system
specialist does.
With the audit of manual systems, the auditor did not require
this specialized training. Therefore, auditing through the computer
places a burden on the auditor to acquire this knowledge. However,
with this approach, the auditor can save audit time by using the computer
to help perform his audit in a twofold manner. First, the auditor
can use the computer to audit the system by applying various EDP audit
techniques and second, the auditor can use the computer as a "tool"
to audit the data produced by the system.

¹Oswald Nielsen, Cases in Auditing (Richard D. Irwin, Inc., Homewood, Illinois, 1965), p.330.

Summing up the EDP system and the auditor, when the objectives,
standards, and procedures and the relationship to the concepts of existence
and valuation are reexamined, the conclusion must be reached that
the computer's role affects auditing techniques significantly.
The use of the computer in evaluating the quality of the data
processing system and in determining the quality of information generated
by the system appears to provide the auditor with the opportunity
to perform a more selective and penetrating audit of activities and
procedures involving a large volume of transactions.
By developing computer audit programs that employ auditing by
exception, the auditor can cover a greater area of business activity,
both financial and operational, and can utilize scarce human resources
in analyzing and evaluating the problem areas in the client's operations.
Such an approach enhances the auditor's ability to provide
optimum service to his clients.
The computer may also require the auditor to change his thinking
about the nature and extent of testing in the examination. Integrated
data processing may require him to become more involved in the auditing
of the client's operations — not just in the client's financial and
accounting activities. Such an involvement would appear to enhance the
auditor's ability to provide increased service to his clients without a
disproportionate increase in audit time and fees. The extent of testing
may also be affected, since the computer can perform tests on an entire
file much faster than manual testing of records and may provide the auditor
with information in which he was previously interested but which he found
impractical to examine because of fee and time limitations.
Although EDP has resulted in a changed audit environment, the
auditor cannot abdicate his responsibility to electronic specialists.
The auditor is the only person trained to deal with audit problems.
EDP technicians cannot and should not make audit decisions. EDP specialists
can help in the technical aspects of developing and using test data
and computer programs. But the auditor must determine what test data
are needed and what information is to be obtained.
EDP equipment can prove to be a very powerful tool to the auditor,
enhancing his judgment and decision-making abilities. He should attempt
to explore, with all his imagination and ingenuity, the many exciting
and interesting opportunities to use EDP to increase his professional
services.
CHAPTER IV
METHODS OF INTERNAL CONTROL
The logic and reality of the extension of the scope of internal
auditing into operations was recognized by the "Statement of
Responsibility of the Internal Auditor" when it was revised in 1957. The
nature and objectives are described as follows:
Internal auditing is an independent appraisal activity within an organization for the review of accounting, financial and other operations as a basis for service to management. It is a managerial control, which functions by measuring and evaluating the effectiveness of other controls. The overall objective of internal auditing is to assist all members of management in the effective discharge of their responsibilities, by furnishing them with objective analyses, appraisals, recommendations, and pertinent comments concerning the activities reviewed. The internal auditor therefore should be concerned with any phase of business activity wherein he can be of service to management.¹
Underlying these activities is the concept of internal control.
Brink and Cashin define internal control as:
The design and utilization of all of the means whereby, from a financial standpoint, management is enabled most effectively to administer the current operations, plan for the future and safeguard the company's assets. The term "internal control" refers to those controls which are set up to implement management's plans and philosophy in respect to basic business structure and operation.²

¹Bradford Cadmus, Operational Auditing Handbook (The Institute of Internal Auditors, New York, 1964), p.5.
²Victor Z. Brink and James A. Cashin, Internal Auditing, 2nd ed. (The Ronald Press Company, New York, 1958), p.26.

Who Does the Accounting?
Accounting is not a department. Accounting is an activity.
It is carried on throughout a business organization. There is no
clearly defined line between accounting and sales analysis; between
accounting and financial management; between accounting and production
planning. Accounting is not only an activity, it is an approach to
managing business affairs. The accounting approach, the analytical
approach, is interwoven, to some extent, into every phase of business.¹
Hence the objectives of the internal auditing and internal control
remain unchanged in an EDP environment; the means by which they are
implemented change in many cases. Traditionally some of the methods
of implementing internal control have been identified with division of
duties, set procedure of authorizations and approvals, verification
of arithmetical computations and approvals; however, with EDP many
of these functions have been consolidated.² For example, in EDP there
remains the basic separation between those who authorize a transaction
and those who record the accountability for the asset. However, the
means and the nature of authorization change. The authorization for a
transaction usually takes place before the event itself takes place.
Authorization for a computer to print out a purchase order to replace
inventory items below a predetermined balance is given by the line
personnel to the computer organization when the program is first
developed.
Although many of the traditional methods of insuring effective
internal control as applied in EDP will have to be audited, the advent
of EDP has brought new methods of internal control. With respect to
the EDP environment, both modification of traditional methods and the
new methods available can be presented within the framework of four
general areas: (1) input controls over source data being created and
subsequently transferred to the computer; (2) hardware controls which are
built into the machines by the manufacturer of the equipment; (3) programmed
controls which are written into the computer programs; and (4) machine
room controls over the activities of the computer department's personnel.

¹Gardner M. Jones, "Electronics in Business," Bureau of Business and Economic Research, College of Business and Public Service, Michigan State University, 1958, p.3.
²Robert E. Schlosser and Donald C. Bruegman, "The Effect of EDP on Internal Control," Management Services (March/April, 1964), p.44.
Input Controls
Input controls are procedures used to insure that all necessary
source data are received from the point of origin, are properly converted
into machine language and are correctly transferred and entered into the
computer. In addition, input controls insure that all input data
reflect all transactions occurring and that the transactions are properly
authorized. In order to insure that source data are properly converted
into machine sensible media, the auditor should insist that a check is
made after data are keypunched. The auditor should use the verifier to
audit punch cards. The verifier operator can key the same information
from the source document. Any difference will cause the keyboard to
lock.¹
¹Schlosser and Bruegman, op.cit., p.47.

Programmed Controls
Program controls are controls that are written into and thus
are a part of the various programs that are used in the computer. These
controls are used to audit input information as well as to achieve proper
control during processing operations. They prevent the processing of
incomplete as well as inaccurate information. Program controls include
the following:
1. Validity checks.— Validity checks are written into the program
in order to determine that the particular data being processed are
valid and belong to the system. For example, vendor's code numbers
may extend from one to two thousand. When an invoice is processed, the
vendor's code can be checked by the computer to determine that the code
used falls within this range. If in a particular run, a code such as
19 is valid, 91 can be programmed to be an invalid code. However, where
there is a large number of codes in use, it may not be practical to check
for transposition errors.
2. Limit checks.— Prior to the 1950's, limit checks were not used
with the result that many invalid invoices and pay checks were issued.
Limit checks are often used in payroll application. A limit of $300
can be placed on each weekly payroll check that will be printed. If
a particular check exceeds the $300 limit, it can be rejected for
investigation.¹

¹Richard Woods, "Development of Auditing Standards and Techniques for EDP Systems," N.A.A. Bulletin (September, 1961), p.37.

3. Sequence checks.— Sequence checks are made by comparing successive
records to determine that one follows the other in sequence. If
the identifying label is out of sequence or if there is a gap in the
sequence, the central processor can notify the console operator that
the error exists. The identifying labels can be sequenced voucher
numbers, customer numbers, account numbers, employee numbers, etc. In
addition to determining numbers out of sequence, this check is also used
to detect duplicate numbers.¹
4. Check digits.—A check digit is a single digit that is added
to an identification number, such as an employee number or a customer
account number, in accordance with a predetermined scheme. If an error
occurs in reproducing or transcribing the identification number, the
check digit will not remain the same. The computer is programmed to
perform an arithmetic check of each identification number as soon as it
is read by the computer and the two digits are compared. If an error
is detected the computer can print out the invalid data.²
5. Cross balance checks.—In the cross footing balance check, the
computer is programmed to cross calculate individual computations, such
as gross sales to net sales. The detail amounts are vertically added
and the totals are cross footed. Reverse multiplication can be programmed
to check on important multiplications. Two numbers are first multiplied
to obtain a result and then are reversed and multiplied again.
The second result is subtracted from the first result to determine that
the final answer has a zero balance. For example, after the digital
calculation of 2 times 3 equals 6 is completed, the computer multiplies
3 times 2 and subtracts the answer 6 from the original answer 6 to obtain
a zero balance.³

¹Guide for Auditing Automatic Data Processing Systems, op.cit., pp.6-8.
²Norman J. Elliot, "Auditing Automated Accounting Records," The New York Certified Public Accountant (September, 1964), p.655.
³Shays, op.cit., p.49.

6. Record Counts.—A record is a group of related words or fields
which pertain to the same person or thing, such as all of the information
relating to a particular inventory transaction. Each tape should
contain a record of the number of records on that tape, and the computer
should be programmed to check this total each time the tape is
read. Therefore, if a record or group of records is lost during the
transfer of data from one tape to another, the machine operator would
be alerted that the record count did not agree.
7. Label blocks.—Label blocks should be written on each reel of
magnetic tape. The label block is used to identify the contents of
each reel of tape. The computer can be programmed to check the label
block each time it uses a reel of tape to establish that the correct
reel is being used. The label block can contain the file identification
number, date on which the tape was written, the retention period,
the reel number, if more than one reel is used for a particular file,
and a description of the file. Checking each label block can prevent
the use of an incorrect reel of tape and also prevent a tape reel from
being erased unintentionally. Not all reels of tape will require a
label block. These would not be required on tapes used for sorting
or testing purposes. Special tapes can be used for these purposes.¹
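The programmed controls listed above, exercised by an auditor's test deck of the kind described in Chapter III, are shown here as an added example that is not code from the thesis. The record layout, the use of a modulus-10 (Luhn) scheme for the check digit, the application of the $300 limit to a voucher's net amount, and all sample records are constructed assumptions; `run_controls` stands in for the client's program.

```python
from dataclasses import dataclass
from decimal import Decimal as D

VALID_VENDOR_CODES = range(1, 2001)   # validity check: codes one to two thousand
AMOUNT_LIMIT = D("300.00")            # limit check: the text's $300, applied to net (assumption)


@dataclass(frozen=True)
class Voucher:                        # hypothetical record layout
    voucher_no: int                   # used by the sequence and duplicate check
    vendor_code: int                  # used by the validity check
    account_id: str                   # identification number; last digit is the check digit
    gross: D
    discount: D
    net: D                            # cross footing: gross - discount must equal net


def check_digit(base: str) -> str:
    """Modulus-10 (Luhn) check digit; the thesis only says 'a predetermined scheme'."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:                # double every second digit, starting at the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def run_controls(deck, trailer_count):
    """Apply the programmed controls; return ({position: [failed controls]}, count_ok)."""
    exceptions, previous_no = {}, None
    for position, rec in enumerate(deck, start=1):
        failed = []
        if rec.vendor_code not in VALID_VENDOR_CODES:
            failed.append("validity")
        if rec.net > AMOUNT_LIMIT:
            failed.append("limit")
        if previous_no is not None:
            if rec.voucher_no == previous_no:
                failed.append("duplicate")
            elif rec.voucher_no != previous_no + 1:   # gap or out of sequence
                failed.append("sequence")
        previous_no = rec.voucher_no
        if check_digit(rec.account_id[:-1]) != rec.account_id[-1]:
            failed.append("check digit")
        if (rec.gross - rec.discount) - rec.net != 0:  # must leave a zero balance
            failed.append("cross footing")
        if failed:
            exceptions[position] = failed
    # Record count: the count carried with the file must match what was read.
    return exceptions, len(deck) == trailer_count


def audit_with_test_deck(test_deck, trailer_count):
    """Run the deck and list every position where the result differs from the
    auditor's predetermined result."""
    deck = [rec for rec, _ in test_deck]
    actual, count_ok = run_controls(deck, trailer_count)
    expected = {pos: exp for pos, (_, exp) in enumerate(test_deck, 1) if exp}
    differences = {
        pos: (expected.get(pos, []), actual.get(pos, []))
        for pos in sorted(set(expected) | set(actual))
        if expected.get(pos, []) != actual.get(pos, [])
    }
    return actual, count_ok, differences


GOOD_ID = "4510" + check_digit("4510")                   # constructed account number
TRANSPOSED_ID = GOOD_ID[1] + GOOD_ID[0] + GOOD_ID[2:]    # first two digits swapped

# Constructed test deck: each record is paired with the result the auditor expects.
TEST_DECK = [
    (Voucher(1001, 19, GOOD_ID, D("100.00"), D("2.00"), D("98.00")), []),
    (Voucher(1002, 2091, GOOD_ID, D("50.00"), D("0.00"), D("50.00")), ["validity"]),
    (Voucher(1003, 19, GOOD_ID, D("400.00"), D("8.00"), D("392.00")), ["limit"]),
    (Voucher(1003, 19, GOOD_ID, D("10.00"), D("0.00"), D("10.00")), ["duplicate"]),
    (Voucher(1006, 19, GOOD_ID, D("10.00"), D("0.00"), D("10.00")), ["sequence"]),
    (Voucher(1007, 19, TRANSPOSED_ID, D("10.00"), D("0.00"), D("10.00")), ["check digit"]),
    (Voucher(1008, 19, GOOD_ID, D("100.00"), D("2.00"), D("99.00")), ["cross footing"]),
]

if __name__ == "__main__":
    # The trailer claims 8 records but only 7 are present, as if one were lost in transfer.
    rejected, count_ok, differences = audit_with_test_deck(TEST_DECK, trailer_count=8)
    for position, failed in rejected.items():
        print(f"record {position}: rejected by {', '.join(failed)}")
    print("record count agrees:", count_ok)
    print("differences from predetermined results:", differences)
```

An empty `differences` result means every control behaved as the auditor predetermined; any entry points to a control that is missing or not working in the program under test.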
¹Planning for an IBM Data Processing System (International Business
Corporation, New York, January, 1961), p.39.

Debugging (Computer Solution and Operation)
While auditing with an EDP system, the auditor can use the
debugging system to solve the problem of comparison of output with input
by using the conventional system. In this system the auditor should
examine any discrepancies to determine whether an error was made during
the problem definition, system analysis, system design, or coding, or
whether the present system is not producing results as accurately as
the computer.
If the problem is not being solved at the present time, appropriate
criteria against which the validity of the computer output can be judged
should be set up. As soon as all discrepancies have been accounted for
and corrected, the debugging operation may cease and full-time computer
operation may begin. (See Figure 4.)
The setting up and maintaining of appropriate criteria for the
output establishes control over the computer solution. As computer
operation proceeds and the computer output is judged according to the
specified criteria, indications for any adjustment in the system will
be fed back to the appropriate area — systems analysis, systems design,
or coding.¹
¹Philco Corporation, op.cit., p.6.

[Figure 4. Full System of Computer Operation. Labels recoverable from the flow chart: Problem Area, Problem Definition, Systems, Computer Solution, Computer Operation, Desired Product, Feedback for adjustments in system. Source: Philco Corporation, op.cit., p. 7.]

Machine Room Controls
Control for detecting error must exist in any EDP system. How
the error should be detected depends on the program itself. It is the
duty of the auditor to find out what methods are being used by the
company. Figure 5 shows a good example of detecting an error. In
this figure, processing proceeds to point "A" where a detail card is
read into computer memory. Assuming the last card has not been read
(the last card is a "dummy" card — contains no data — triggers an
end of job routine when read), the batch number of the card which has
just been read is compared to CTR (location containing batch number
currently in process). Since CTR has previously been "initialized"
at zero, a condition has been forced whereby the batch number is greater
than CTR. This is another initialization procedure. The answer
to the question: "Is the batch number unequal to CTR?" must be yes at
this point. This condition should be true whenever the first detail
card of each batch is read. This condition triggers a branch to
point "C" where the end of batch procedures for the prior batch number
is executed.

[Figure 5. Program Flow Chart. Labels recoverable from the flow chart: move total mdse cost, total transp. amt, total disct. amt and total net amt to print area; print totals; type end of job message; stop run, end of job. Source: Wohl, op.cit., p.35.]
At point "D" a decision is made as to whether or not the last
card read was a "discount" card. A "yes" answer leads to another
decision as to whether or not the discount amount was already recorded on
the input card initially (see Figure 5 — discount amount should be punched
into the detail card in certain cases). If the discount amount was
initially punched into the input card, the processing will branch to
"B" where the net amount payable will be computed. If the discount
amount was not initially punched into the input card, as is usually the
case, then the discount amount is computed (merchandise cost X discount
rate); the discount amount is moved to the output punch area and
processing will branch to "B" for the computation of net amount payable.¹
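The card-processing logic walked through above for Figure 5, written out as an added example that is not taken from the thesis or from Wohl. The card fields, the formula for net amount payable (merchandise cost plus transportation less discount), the comparison with the auditor's own batch control totals, and the sample cards are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

DUMMY_CARD = None                 # last card: contains no data, triggers end of job
CENT = Decimal("0.01")
FIELDS = ("cost", "transp", "discount", "net")


def process_detail_cards(cards):
    """Return [(batch_number, totals)] in the order the batches were closed."""
    ctr = 0                                   # CTR, initialized at zero
    totals = dict.fromkeys(FIELDS, Decimal("0"))
    closed = []
    for card in cards:                        # point "A": read a detail card
        if card is DUMMY_CARD:                # end of job routine
            if ctr != 0:
                closed.append((ctr, totals))
            return closed
        if card["batch"] != ctr:              # point "C": end of batch for the prior batch
            if ctr != 0:                      # there is no prior batch before the first card
                closed.append((ctr, totals))
            ctr = card["batch"]
            totals = dict.fromkeys(FIELDS, Decimal("0"))
        cost = card["cost"]
        transp = card.get("transp", Decimal("0"))
        discount = Decimal("0")
        if card.get("discount_card"):         # point "D": is this a discount card?
            discount = card.get("discount")   # already punched into the card?
            if discount is None:              # usual case: merchandise cost X discount rate
                discount = (cost * card["rate"]).quantize(CENT, ROUND_HALF_UP)
        net = cost + transp - discount        # point "B" (formula is an assumption)
        for name, value in zip(FIELDS, (cost, transp, discount, net)):
            totals[name] += value
    raise ValueError("dummy card missing: the end of job routine never ran")


def batch_exceptions(closed, control_net):
    """Compare each closed batch with the auditor's control total for net amount."""
    seen, problems = set(), []
    for batch, totals in closed:
        if batch in seen:                     # cards of one batch were not kept together
            problems.append((batch, "batch closed more than once"))
        seen.add(batch)
        if control_net.get(batch) != totals["net"]:
            problems.append((batch, "net total differs from control total"))
    return problems


# Constructed sample deck: two batches followed by the dummy card.
SAMPLE_CARDS = [
    {"batch": 1, "cost": Decimal("100.00"), "transp": Decimal("5.00"),
     "discount_card": True, "rate": Decimal("0.02")},
    {"batch": 1, "cost": Decimal("50.00")},
    {"batch": 2, "cost": Decimal("200.00"), "transp": Decimal("10.00"),
     "discount_card": True, "rate": Decimal("0.02"), "discount": Decimal("3.50")},
    DUMMY_CARD,
]

if __name__ == "__main__":
    closed = process_detail_cards(SAMPLE_CARDS)
    for batch, totals in closed:
        print(batch, {name: str(value) for name, value in totals.items()})
    print(batch_exceptions(closed, {1: Decimal("153.00"), 2: Decimal("206.50")}))
```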
¹Gerald Wohl and Michael D'Angelico, The Computer in Auditing --
The Use of Test Data (Richard D. Irwin, Inc., Homewood, Illinois, 1966),
p.35.

It is the responsibility of the auditor to audit the ways by
which the machine room is controlled. Fraud or wrong representation
of data may exist due to a simple mistake of the employees of the
company's machine room. Following are the basic approaches which the
auditor should use in his auditing procedure:
1. Special control must be established over the computer department's
personnel to prevent any one from tampering with
results for their own benefit. The need for these types of
controls can be clearly seen in an accounts receivable application
at a retail store.
2. "No person should control all phases of a transaction" and
"accounting and operation should be separated." In an EDP
system, application of responsibility for systems design and
programming of actual machine operations, and program maintenance
and tape library operations should be separated. While separation
of responsibility and duties increases control, there are
several procedures that can be employed which the auditor should
be aware of in order to maximize internal control in the machine
room.
3. Unauthorized temporary results in the machine room may occur
before the data is actually processed by manipulation of the
computer program. In order to prevent this, the auditor
should insist on a written stipulation that all proposed changes
be explained in writing and that authorization for the changes
be given in writing.
4. The policy should require that flow charts support all changes;
that only the systems design and programming personnel, not the
machine operating personnel, can make changes; that procedures
be established for reviewing and approving all changes and that
all correction sheets developed during the changes should be
filed as permanent records. In addition, completed programs
should be kept which state when programs are issued and
to whom they are issued.
5. Also the control must exist to prevent unauthorized access
of the console operator or any operator of the console to
intervene with the results during the actual processing of data.
The auditor should insist, if feasible, that the console operators
and supervisors have their jobs rotated from time to time.
6. A console typewriter, which is used to manually key data into
the computer, can be obtained which will print out all information
entered into the system through the console. This
printout can be visible but also locked so as to be inaccessible
to unauthorized personnel.²
7. There should be a reel history record for each reel of tape.
This record should show the permanent reel number, the date the
reel was received and the length of the tape on the reel. Each
time the reel is used, the librarian should record the file
identification, the date the tape was written and the date the
tape can be released for reuse.
8. Besides the necessity of proper control over the tape library,
a written procedure may be established that will list various
categories of important reels of tape, which should be duplicated
and stored in some area other than the machine room. Thus
should some disaster such as a fire occur, at least one set of
tapes would be preserved.
9. Not only must the auditor assure himself that there are proper
controls over the computer department's personnel, he must also
determine that there is proper control over the maintenance of
the equipment used in the machine room.
10. The equipment manufacturers' servicemen must be provided with
adequate time to perform preventative maintenance and component
testing.

¹Thomas W. Porter, Jr., "A Control Framework for Electronic Systems," The Journal of Accountancy (October, 1965), p.60.
²Franz E. Ross, "Internal Control and Audit of Real-Time Digital Systems," The Journal of Accountancy (April, 1965), p.51.

The computer audit programs presented in this chapter do not
constitute a line of limitations on which the auditor should depend
entirely. Generally the methods of auditing vary from company to
company, from one method to another. These guidelines which have
been indicated above may give aid in decision making function to
preprocessing of data that is necessary in any normal test-of-transactions
audit program. Theoretically, it is possible to extend the function of
the computer audit program even beyond this level. When the computerized
audit program has generated an evaluation of the business information
system of the firm and conclusions about its relative strengths and
weaknesses have been reached, auditing procedures might advance one step
further. In all auditing, after examining the system of internal
control, the auditor develops the program for the remainder of the examination
on the basis of his findings in that earlier stage. The computer
would determine how much more sampling of the system of internal control
should be done; it would also indicate the extent to which other audit
procedures and techniques should be strengthened or curtailed. Eventually
the audit program which is itself an information system should be as
fully integrated as the business information system it reviews. Nothing
less will afford appropriate and adequate auditing of EDP business data.
CHAPTER V
TECHNIQUES OF AUDITING WITH EDP
Auditing with EDP is based on the old traditional auditing
principle of helping the business to have a better operation. Therefore
it is the responsibility of the auditor to be familiar with the system
of internal control and he should test this system to ascertain that
it is functioning effectively. However, before the auditor performs
his audit, he should have a broad background and approach to business
problems; his training should have included courses in the humanities,
management, philosophy, practice and communications.
Following are some of the characteristics of a competent auditor:
1. Curiosity.— He should be interested in and curious about all
the operations. He should always be asking questions such as "What
is being done?" "Why is it being done?" "How does this fit into the
business?" "Is someone else duplicating this work?" "Is there some
easier or better way?" "Do we need to do this at all?" "Does this seem
to be an efficient operation?" He should be truly interested in the
achievements and problems of the operating personnel — both subordinate
and executive. He should not be afraid to "play dumb," so as to encourage
others to talk freely about their work — constructive criticism
and new ideas will often be the result.
2. Persistence.—He should keep on until he satisfies himself that
he understands the situation. He should test, check or otherwise
satisfy himself that things are actually done in the way that has been
described to him.
3. Constructive approach.—He should look at those matters that
seem wrong as clues, not as crimes. He should be interested in seeing
how a repetition of mistakes may be avoided and not indulge in recriminations
as to who was responsible. A mistake should be considered as a
possible guide to future improvement.
4. Business sense.—He should look at everything from the broad
viewpoint of the effect on the profitable and efficient operation of
the business. He should not be governed by dogmatic ideas as to what
is "right" or "wrong;" every situation should be appraised separately
on its own merit. When evaluating any particular area, he should
keep in mind the relationships in operation with others and with the
business as a whole. He should bring to his analysis a "bird's eye"
perspective — rather than a narrow "worm's eye" view.
5. Cooperation.—He should look on himself as a partner of —
not a rival to — those people for whom he is auditing. His objective
should be to help them — not criticize. He should work with them,
consult with them and review his recommendations with them. His concern
should be to improve the operation of the business and he should be
more interested in having improvements made than in receiving credit for
the accomplishments.
The internal auditor should be fully interested in people's problems
from their standpoint and not from a narrow auditing or protecting
control angle. When he learns and understands the problems of operating
personnel, he should bring his experience and talents to bear on constructive
solutions that will help the operating department and the
business as a whole.¹
Computers are very accurate in that they do exactly as they are
instructed; so programmed they will invariably multiply three times
three as equal to nine. Therefore, arithmetical recomputations for
the most part do not have to be done by the auditor. This is particularly
true if the computer circuitry and dual arithmetic are programmed
in important computation steps. While the auditor may be satisfied
that there will be no arithmetical errors to contend with, he may expect
other errors common to manual systems and perhaps new errors not common
to manual systems. Also, the timing of error detection and location
of error detection will generally be different in an EDP system than
in a manual one.
In an EDP environment, the auditor may encounter errors which in
manual systems may not have existed. An example of this is the negative
balance for an inventory account. This type of error would come about
if the computer posted sales of a particular item before it posted new
receipts of that item. Furthermore, in a manual system, errors could
exist for a great length of time until some event occurred which brought
them to light. With an EDP system, error detection is concentrated
and errors do not exist for any great length of time. This point can
be illustrated by the hypothetical case of an employee's address in the
personnel file being incorrect, while the payroll department's files
have the correct address of the employee. Once both these files are
merged in the storage of the computer, the two different addresses will
¹Cadmus, op. cit., p. 21.
not match and the error will be detected. With EDP, the detection of
errors is generally concentrated as to time and place. Assuming that
the data are to be processed using a program that has previously been
tested, most errors will usually occur in the input stage of the data
flow function, and hence there will be an early detection of errors.
This is so because of the inherent nature of the computer — to process
the same type of data in the same way as it has been done previously,
until it is otherwise instructed.¹
Not only has the error environment with EDP changed, but the
techniques available for the auditor to perform his audit have changed.
The auditor can now use the computer itself to help perform the audit.
There are two phases to the audit in an EDP installation. First, the
auditor must determine the propriety and integrity of the system. Next,
the auditor must determine the propriety and integrity of the data produced
by the system.
Audit of System
Before the advent of the EDP as an audit tool, at least as far
as large organizations were concerned, the internal auditor could not
manually check enough of the millions of individual transactions and
he was limited to general comments about the reliability and completeness
of information produced. However, using EDP as an audit tool, he
can now examine huge numbers of transactions and quickly determine which
are normal and correct based on the standards he has set. Cadematori
is referring to this point when he states that, "...The internal auditor
¹Felix Kaufman and Leo A. Schmidt, "Auditing Electronic Records," The Controller (July, 1962), p.36^.
is afforded an opportunity...to efficiently restore much of the checks
of details that he was forced to retreat from in the face of the growing
size of the organization."¹
The auditor must test the system of data processing to determine
the existence and effectiveness of the client's processing procedures
and programmed controls. In testing electronic systems, the auditor
should develop test data to determine exactly how a specific system will
react to a particular transaction. In effect, the auditor allows the
EDP system to do the audit itself by presenting the system with test
transactions that it cannot distinguish from operating transactions.
The auditor then evaluates the results to determine that the test transaction
actually was processed in the manner described to him in his
review of the system.
Figure 6 represents the processing of test transactions.
Although the diagram shows the transaction in the form of punched cards,
test transactions do not necessarily take this form. Transactions may
be introduced into the system in the form of hard copy source documents
or in machine-readable form, such as punch cards or prepunched badges
used to activate source recording devices or remote inquiry terminals in
an on line, real time system. Of course, the test data must be in
machine-readable form to be processed with the client's computer programs.
¹Kenneth G. Cadematori, "An Auditor's Experience with Electronics," Internal Auditor (Spring, 1961), p.lj.
FIGURE 6
TESTING THE SYSTEM
[Flow diagram not reproduced; its two panels are labelled "Electronic processing" and "Manual processing."]
Source: Porter, Auditing Electronic Systems, op. cit., p. 53.
There are six steps in developing and using a test transaction:
1. Decide upon the exact point in the system where the test transactions
are to be entered.
2. Determine the type of transaction to be included in the data.
3. Obtain the master records to (1) process with the test transactions
and (2) compute the predetermined results for comparison
with the output resulting from the test processing.
4. Carefully consider the effect that the processing of the test
transactions will have on the results of the system produced
under the normal operating conditions.
5. Obtain the client's regular processing programs and be sure
that the program is used to process the test transactions.
6. Make the necessary arrangements to prepare and process the
test transactions and to get the output in the desired form.¹
Reviewing a Computer Program
There are two methods by which the internal auditor may audit
the EDP system itself. These are reviewing the computer program and
using the test decks. The auditor may obtain a copy of the computer
program and all the details used to develop the program, such as flow
charts and block diagrams. He can then review all of the steps used to
develop the program to ascertain whether the program will properly process
the data to be audited. After he has reviewed the program, the
auditor can, on a surprise basis, request a comparison of his copy with
that of a program in use in order to determine if the authorized program
is the one actually used. Furthermore, the auditor can obtain the data
previously processed and have this data processed again, using his own
copy of the original program and compare the results. Thus, any
¹Porter, "Auditing Electronic Systems," op. cit., p. 54.
unauthorized intervention would be detected.
Using test decks is the most often accepted practice for auditing
the EDP system. A test deck is a series of dummy transactions which
are designed to simulate every possible type of transaction that may
enter into the computer. The test deck is processed using the existing
computer program and the results are compared to predetermined results.
The system processes the test transactions because the system itself
cannot distinguish them from operating transactions. With test decks, the auditor is
trying to determine whether transactions will be accepted or rejected
by the EDP system, and, if they are accepted, what effect they would
have upon the end results. Before using the test deck method the auditor
should know which program controls are written into the program and develop
the test deck to challenge each of these program controls.¹ The auditor
must give careful consideration to the quantities and dollar amounts
used in the test transactions so that the total test transactions when
processed will result in a predetermined figure. Using test decks to
audit the EDP system has several advantages. Test decks do not require
a very high level of understanding of computer methods, and the auditor
can easily check the results obtained. Once the test deck is developed,
it is not time-consuming to apply and can be used often. Furthermore,
there is no preparation that is needed on the part of the computer
department's personnel, and the auditor need not be concerned with changes
in the computer program as long as new changes still produce the desired
results.
¹Boni, op. cit., p.l|2.
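The test-deck procedure described above, worked as an added example in Python (it is not part of the thesis). `client_program` is a hypothetical stand-in for the client's regular processing program, and the item codes, quantity limit, master records and deck are constructed; each dummy transaction challenges one programmed control and the run is compared with results worked out beforehand.

```python
"""Test-deck audit of an inventory posting program (constructed data)."""
from dataclasses import dataclass
from decimal import Decimal

# Constructed master records: item code -> (quantity on hand, unit price).
MASTER = {"A100": (50, Decimal("2.50")), "B200": (10, Decimal("12.00"))}
QTY_LIMIT = 500  # hypothetical limit check written into the program


@dataclass(frozen=True)
class Txn:
    ref: str
    kind: str  # "RECEIPT" or "SALE"
    item: str
    qty: int


def client_program(master, txns, check_balance=True):
    """Hypothetical stand-in for the client's regular processing program.

    It works on a copy of the balances, so the live master records are
    not altered by the test run. Returns (balances, accepted, rejected).
    """
    balances = {item: qty for item, (qty, _price) in master.items()}
    accepted, rejected = [], {}
    for t in txns:
        if t.kind not in ("RECEIPT", "SALE"):
            rejected[t.ref] = "INVALID TYPE"
        elif t.item not in balances:
            rejected[t.ref] = "UNKNOWN ITEM"
        elif not 0 < t.qty <= QTY_LIMIT:
            rejected[t.ref] = "QTY LIMIT"
        elif check_balance and t.kind == "SALE" and balances[t.item] < t.qty:
            rejected[t.ref] = "NEGATIVE BALANCE"
        else:
            balances[t.item] += t.qty if t.kind == "RECEIPT" else -t.qty
            accepted.append(t.ref)
    return balances, accepted, rejected


def weakened_program(master, txns):
    """The same program with one control removed, as an unauthorized
    change might leave it."""
    return client_program(master, txns, check_balance=False)


# The deck: each dummy transaction with the disposition worked out by hand.
TEST_DECK = [
    (Txn("T1", "RECEIPT", "A100", 25), "ACCEPT"),
    (Txn("T2", "SALE", "A100", 60), "ACCEPT"),            # 50 + 25 - 60 = 15
    (Txn("T3", "SALE", "B200", 11), "NEGATIVE BALANCE"),  # only 10 on hand
    (Txn("T4", "SALE", "Z999", 1), "UNKNOWN ITEM"),
    (Txn("T5", "RECEIPT", "B200", 501), "QTY LIMIT"),     # one over the limit
    (Txn("T6", "SALE", "A100", 0), "QTY LIMIT"),
    (Txn("T7", "ADJUST", "A100", 5), "INVALID TYPE"),
    (Txn("T8", "RECEIPT", "B200", 500), "ACCEPT"),        # exactly at the limit
]
EXPECTED_BALANCES = {"A100": 15, "B200": 510}
EXPECTED_VALUE = Decimal("6157.50")  # 15 * 2.50 + 510 * 12.00


def run_test_deck(program, master, deck, expected_balances, expected_value):
    """Process the deck and list every departure from the predetermined
    results. An empty list means every challenged control held."""
    balances, accepted, rejected = program(master, [t for t, _ in deck])
    findings = []
    for txn, expected in deck:
        actual = "ACCEPT" if txn.ref in accepted else rejected.get(txn.ref, "LOST")
        if actual != expected:
            findings.append(f"{txn.ref}: expected {expected}, got {actual}")
    for item, qty in expected_balances.items():
        if balances.get(item) != qty:
            findings.append(f"{item}: balance expected {qty}, got {balances.get(item)}")
    value = sum(balances[i] * master[i][1] for i in balances)
    if value != expected_value:
        findings.append(f"control total expected {expected_value}, got {value}")
    return findings


if __name__ == "__main__":
    for name, program in (("authorized", client_program), ("weakened", weakened_program)):
        findings = run_test_deck(program, MASTER, TEST_DECK,
                                 EXPECTED_BALANCES, EXPECTED_VALUE)
        print(name, "->", findings or "all results as predetermined")
```

The weakened run fails on the one transaction designed to challenge the missing control, and the error carries through to the item balance and the control total.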
Audit of Data
The only practical approach to auditing data to be used by the
EDP system is to use the computer as a "tool" to help select the data
to be audited. The computer may be used to this end in a threefold
manner: (1) the computer may be used to obtain a statistical sample;
(2) the computer may be programmed to produce exception samples; and
(3) the computer can be used to select various activities related to
some particular factor.
Conventional Audit Techniques
If all of the transactions and data handled by the EDP system
were printed out, the auditor could use conventional audit techniques
to perform his audit. However, such a complete printout would defeat
the very purpose of using the computer. In order to cope with the ever-
increasing volume of data handled, the auditor can use statistical
samplings so that he can make general statements about large quantities
of data after examining only a small portion. The computer can be
used to fulfill the mathematical requirement of statistical sampling
and can select the sample to be used. Statistical sampling can be
incorporated into the everyday computer runs. Thus, the normal operations
of the computer department are not interrupted. The computer
then can print out sample data to be audited or can record the sample
information for future printout. Once the computer selects the sample,
the auditor then uses traditional methods to audit the sample selected.
Random Sampling
There are two methods of random sampling using a computer. The
auditor working together with the programmer can either supply the
computer with a random number sample or develop a program which will
instruct the computer to generate its own random numbers. The auditor
can supply the random number sample in the form of punch cards or punch
cards to magnetic tape. There are several methods of programming a
computer to develop its own random numbers. The disadvantage of this
method is that the auditor ordinarily will have to work with an experienced
programmer in order to develop a more complex computer program.¹
Auditing by Exception
The auditor can use exception auditing similar to the way
management uses exception reporting. With auditing by exception, the
computer is programmed to print out items which are exceptions to the
normal. The auditor can then examine these items to determine if they
are valid. These types of exception reporting are often used when
comparisons can be made to some predetermined criteria. For example,
the computer can print out expense account totals of all salesmen whose
expense accounts exceed a certain limit set by the auditor. This is
different from the limit checks used for internal control because with
limit checks the items are not only printed out but are rejected temporarily
by the system and not processed. Exception auditing is not used
only for printing out items that exceed the limit; other items which
might need special attention by the auditor can also be printed out.
Examples of these are accounts payable items with debit balances and
inventory items with negative balances.
¹Arkin, op. cit., p. 46.
The computer can also be used to select items which are related
to some chosen factor. In an accounts receivable operation, the auditor
can use the computer to list accounts with large outstanding balances,
accounts with credit balances, accounts which have had no activity for
a predetermined period of time, and accounts of customers which have
subsequently been determined as having poor credit ratings. In
addition, the computer can be used to calculate depreciation schedules,
to compare physical counts with recorded balance sheets, and to provide
various other types of statistical data heretofore impractical to
request because of the time involved to prepare manually.
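The selection methods of this section (auditor-supplied random numbers, program-generated random numbers, and exception listing), as an added Python example that is not part of the thesis. The receivables records, thresholds and seed are constructed, and the function names are hypothetical.

```python
"""Selecting receivable accounts for audit (constructed data)."""
import random
from datetime import date
from decimal import Decimal

# Constructed receivables file: (account, balance, last activity, credit rating).
ACCOUNTS = [
    ("C001", Decimal("1200.00"), date(1968, 5, 20), "GOOD"),
    ("C002", Decimal("48250.75"), date(1968, 6, 1), "GOOD"),
    ("C003", Decimal("-310.40"), date(1968, 4, 15), "GOOD"),
    ("C004", Decimal("95.00"), date(1967, 9, 30), "GOOD"),
    ("C005", Decimal("2300.00"), date(1968, 5, 2), "POOR"),
    ("C006", Decimal("60100.00"), date(1967, 11, 11), "POOR"),
    ("C007", Decimal("0.00"), date(1968, 6, 10), "GOOD"),
    ("C008", Decimal("750.25"), date(1968, 3, 1), "GOOD"),
]


def select_by_supplied_numbers(records, numbers):
    """Method 1: the auditor supplies the random numbers (record positions,
    counted from 1). Out-of-range numbers and repeats are skipped."""
    chosen, seen = [], set()
    for n in numbers:
        if 1 <= n <= len(records) and n not in seen:
            seen.add(n)
            chosen.append(records[n - 1])
    return chosen


def select_by_generated_numbers(records, size, seed):
    """Method 2: the program generates its own random numbers. A seed kept
    by the auditor makes the selection repeatable for the working papers."""
    rng = random.Random(seed)
    size = min(size, len(records))
    positions = sorted(rng.sample(range(len(records)), size))
    return [records[p] for p in positions]


def exception_report(records, as_of, large_balance, inactive_days):
    """List every account that departs from the auditor's criteria,
    with the reason(s), so only those items need manual examination."""
    report = {}
    for account, balance, last_activity, rating in records:
        reasons = []
        if balance >= large_balance:
            reasons.append("LARGE BALANCE")
        if balance < 0:
            reasons.append("CREDIT BALANCE")
        if (as_of - last_activity).days > inactive_days:
            reasons.append("NO ACTIVITY")
        if rating == "POOR":
            reasons.append("POOR CREDIT")
        if reasons:
            report[account] = reasons
    return report


if __name__ == "__main__":
    supplied = select_by_supplied_numbers(ACCOUNTS, [3, 7, 3, 12])
    print("supplied numbers :", [r[0] for r in supplied])
    generated = select_by_generated_numbers(ACCOUNTS, 3, seed=1968)
    print("generated numbers:", [r[0] for r in generated])
    report = exception_report(ACCOUNTS, date(1968, 6, 30), Decimal("25000"), 180)
    for account, reasons in report.items():
        print(account, ", ".join(reasons))
```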
Development of Special Computer Audit Program
Internal Auditing Control Study of Lockheed Aircraft Corporation,
Atlanta, Georgia
The internal auditor of Lockheed Aircraft has developed a program
of auditing to coincide with the generally accepted principles. It
should be noted that the development of a special computer audit
program in examining EDP should be done very carefully. Each audit
staff member who participates in such an engagement should take every
opportunity to have this program developed. In initiating the development
of this program, the auditor should plan relatively simple use of
the EDP equipment in accomplishing audit objectives.¹
¹"Use of Computers in Auditing," A Professional Development Course in Electronic Data Processing (Price, Waterhouse and Company, 1962), p.6.
Lockheed Aircraft set up these review questions to determine and
distinguish specifics, as follows:
1. Whether the company had provided the procedures in conformance
with military requirements, to ensure satisfactory quality
control over the parts and assemblies produced by the "A"
and "B" fabrication organization;
2. Whether inspection personnel had an adequate and consistent
understanding of those procedures;
3. Whether inspection had been provided with adequate criteria
for the acceptance of the parts assemblies;
4. Whether inspections were adequate both as to timeliness and
as to quality;
5. Whether generally adequate action had been taken to prevent
the recurrence of defects discovered; and
6. Whether the records of inspection maintained by the "A" and
"B" fabrication inspection organization were generally accurate
and complete.
The examination of audit objectives, standards, and procedures
and their relationship to the concepts of existence and valuation
leads to the conclusion that the computer can be used as a most valuable
tool in performing audits. The auditor who audits around the computer
rather than through the computer cannot, for the most part, make use
of this important aid. The complexity of each EDP installation and the
skill of the auditor in using EDP methods will determine how and to what
extent the auditor will make use of the computer.
Howard F. Stettler, Systems Based Independent Audits (Prentice Hall, Inc., Englewood Cliffs, New Jersey, 1967), p.72.
CHAPTER VI
A SUMMING UP
Some optimists see the computer taking all the drudgery out of
human existence, freeing mankind to realize its full potential both
creatively and spiritually. On the other hand, some pessimists see
computerization as making more and more people jobless because of the
increasing requirements for specialized skills which they do not have
and never can acquire. The future probably lies somewhere in between.
However, it is essential for people in management to recognize the
inevitability, perhaps certainty is a better word, of computers and automation
in just about every aspect of our lives and to prepare to make
the best of the situation. One of the important things to understand
about computers is that they are embedded in information systems. The
computer is not an entity in itself but rather a part of something bigger,
namely, an overall information processing system in which the auditor will
have to function.
Computers might be called the "brains" of automatic equipment —
although the term induces certain fears. While man never feared that
an automobile would render his legs less effective, he has been overly
sensitive that a computer might usurp the decision-making function of
his mental powers. Luckily that science-fiction fallacy is being
gradually dispelled, and computers are being appraised in their true
light — as tools men can use to extend their mental capabilities.
The computer is truly man's most remarkable tool. Just as engines
allow him to press buttons and vastly increase his physical powers
beyond the range of his muscles, computers increase tremendously
the capability of his mental processes. At present, the machines perform
a great many of man's mental activities; but man still holds sway
over creative thinking and imagination.
Operational auditing should be considered as an attitude — a
manner of approach, analysis and thought — not as a distinct and separate
type of auditing which is characterized by special programs and techniques.
Effective operational auditing depends more on the auditors than on the
programs. The auditor must develop his own program to meet the needs
of any operating department of the company he may be concerned with at
any particular moment. The computer will not do it for him.
Electronic transmission of data proceeds through punched cards
and nothing should be closed before noting what may eventually develop
into the principal reason for its adoption as an accounting tool. Automatic
data processing was originally adopted by those business establishments
having a substantial volume of transactions, and its benefits were
subsequently extended to smaller operations through the aggregation of
volume attained by service centers. Many large accounting complexes are
presently using data-phone and similar electronic communications systems,
which are capable of transmitting enormous quantities of data in almost
incredibly brief periods of time. Currently equipment lease and line
charges are so substantial as to preclude consideration of this technique
as a practical application for any but extremely high-volume
offices. However, the extension of automatic data processing as an
accounting tool for write-up work, with the consequent expansion of
service centers, both in size and number, in conjunction with possible
reduction in costs brought about by research and wider use, may conceivably
make the use of this time-saving technique entirely practical
in the reasonably near future.
The most effective method in the modern accounting world and
one that is in keeping with the growing pace of the times, EDP has
made self-evident to the internal auditors the need to acquire an
understanding of its basic philosophy and mechanics. The auditor
should know in general terms how a central processor functions and what
the peripheral equipment can and cannot accomplish. He must understand
how data are entered into the system and be familiar with input media
and input hardware. Once the data are in the computer, the auditor
must fully understand the general concepts of how the data are processed
and how a computer makes a decision. He must become thoroughly familiar
with the types of high speed and bulk storage devices that are available
and how storage relates to the EDP system. Furthermore, the auditor
must comprehend how information comes out of the central processor and
be familiar with both the various types of output devices and the various
forms in which the information may be presented. The auditor should
understand the concepts of data documentation and flow charting. He
should be able to interpret a system flow chart and also a program
flow chart. Not only should he be able to interpret these charts but
must also comprehend the logic used in their design. It is not intended
that the auditor be competent to design complicated flow charts; however,
he must be able to intelligently review these charts when auditing an
EDP system. There are other means of data documentation, such as a
program code sheet, which are written in "machine" language. It is
not necessary that the auditor have a minimum level of competence to
work with these. But the auditor should insist that the system flow
charts and the program flow charts are written in the English language
and not combined with a "machine" language chart.
The use of EDP equipment in no way lessens the auditor's requirement
for evaluating the system of internal control; indeed, it makes
evaluation increasingly important. The auditor must recognize the
importance of electronic procedures and the significance of the work
performed within the EDP equipment. Accordingly, he must resist the
temptation of taking the "around the computer" approach; he cannot assume
that if the input to the machine system is adequately reviewed and controlled
and the output can be checked back to source documents, that he
can be unconcerned with what went on within the machine system itself.
As explained earlier, he may have to test the working of the equipment
through extended dummy transactions — through test decks, as they are
called. It is no wonder that emphasis must be placed on beginning to
use the "through the computer" approach with stress on reviewing and
testing the organizational, administrative, and procedural controls in
an EDP system.
At the same time, exclusive use of the "through the computer"
approach will rarely be applicable to an electronic system. This is
because both manual processing and electronic processing are found in
all systems. Accordingly, the most effective method of evaluating
controls in EDP systems, as currently found, will generally combine
conventional auditing procedures with procedures and tests that utilize
the power of the computer to focus upon programmed controls and exception
reporting. As a minimum, the auditor should review the organization of
the EDP function to determine what the segregation between systems design
and programming personnel and computer operations is. Certainly the
auditor should also review the operating practices and documentation
in program development and computer operations to determine the extent
and effectiveness of administrative controls. In addition, the auditor
must review systems and program flow charts, exception reports, and other
documentation to understand the controls included in the client's processing
procedures as embodied in computer programs.
To evaluate the effectiveness of the client's procedural controls,
the auditor must take a fresh approach to the problem. This approach
should take advantage of the tremendous power of the computer and give
the auditor the ability to introduce truly representative transactions
into the system. Through the use of well-designed test data, the auditor
can evaluate the system's ability to handle all types of transactions,
both normal and abnormal, the kind of transactions included in the test
data being limited only by the auditor's imagination and not by time and
cost involved in obtaining the different types of transactions.
The auditor can learn much about auditing within an EDP environment
from courses, seminars, books and training programs, in order to
become proficient in this endeavor or he must learn from actual on-the-
job training. While formal study is most helpful, it cannot substitute
for practical experience. If the company is in the beginning stages of
EDP installation, the auditor, or at least one of his staff members,
should begin training by ensuring that he is an integral member of the
team responsible for the planning and development of the system.
Should the company already have an EDP system installed and operating,
the junior staff members will profit from working with experienced
auditors.
The internal auditor when auditing an EDP application is faced
with the problem that most of the records to be audited will not be in
visible form. Much of the data currently used in business processing
is stored on magnetic tape, and there is an increasing use of mass random
storage devices which store huge quantities of data internally. The
fact that many advanced computer systems eliminate some original documents
further complicates the problem. Also, the trend is to preserve as
little of the detailed historical data as possible because of high
storage costs. Furthermore, in an on line, real time (OLRT) system
of the future, the maintenance of an audit trail may no longer be practical
because of the cost involved and the complexity of the processing.
Even the timing and location of error detection has changed.
To conclude the study, there can be no doubt that the use of the
computer has made revolutionary changes in the way in which the data
are processed. The internal auditor must reappraise his auditing approach
and techniques in order to determine whether they are adequate in
light of his own environment of operation and responsibility. It may
be said that the auditor would have to go a long way. The hardware
OLRT are only of a short period.
Looking into the distant future, it would appear that we are now
in the machine organization software period. It may be that the future
historians will call it the "Babel Tower" period to remember the infinite
number of computer languages with which we are being showered. We see
coming in the future a new period when the users become programmers.
The machines will be designed to be self-programming. They will talk
into and will be talked to. We will see closed shops disappear all
over the countryside and open shops appear. We will see machines and
communication nets merge and the demarcation lines will be diffused.
What the auditor's role would be when this takes place is hard to
predict.
BIBLIOGRAPHY
Arkin, Herbert. "Computers and The Audit Test," The Journal of Accountancy (October, 1965).
Boni, Gregory. "Impact of Electronic Data Process on Auditing," The Journal of Accountancy (September, 1963).
Boni, Gregory and Van Horn, Richard L. Automatic Data Processing Systems (2nd ed.). Belmont, California: Wadsworth Publishing Company, 1963.
Boutell, Wayne S. Auditing with the Computer. Los Angeles, California: University of California Press, 1965.
Brink, Victor Z. and Cashin, James A. Internal Auditing (2nd ed.). New York: The Ronald Press Company, 1956.
Cadmus, Bradford. Operational Auditing Handbook. New York: The Institute of Internal Auditors, 1964.
Cadematori, Kenneth G. "An Auditor's Experience with Electronics," Internal Auditor (Spring, 1961).
Cerra, Harold M., and Vanderpol, James. "An Approach to the Examination of Accounts Maintained on Electronic Computers," Lybrand Journal, Vol. hb, No.L, 1963.
Cohen, Jerome B. and Robbins, Sidney. The Financial Manager. New York: Harper & Row, Publishers, 1966.
Elliot, Norman J. "Auditing Automated Accounting Records," The New York Certified Public Accountant (September, 1964).
Ferst, Stanley D. "Current Development in Auditing Procedures," The Journal of Accountancy (November, 1961).
Guide for Auditing Automatic Data Processing Systems. Department of the Air Force Comptroller (November, 1961).
Hafner, George P. "Auditing EDP," The Accounting Review (October, 1964).
Jones, Gardner M. "Electronics in Business," Bureau of Business and Economic Research, College of Business and Public Service, Michigan State University, 1958.
Kaufman, Felix. Electronic Data Processing and Auditing. New York: The Ronald Press Company, 1961.
Kaufman, Felix and Schmidt, Leo A. "Auditing Electronic Records," The Controller (July, 1962).
Laver, F.J.M. Introducing Computers. London: Her Majesty's Stationery Office, 1965.
Mapletoft, J.T. "Satisfying the Need to Know...In Real-Time," Systems and Procedures Journal (March/April, 1965).
McCoy, Richard W. and Anderson, John J. Computer Accounting Case. New York, Sydney, London: John Wiley & Sons, Inc., 1966.
McRae, T.W. The Impact of Computers on Accounting. London: John Wiley & Sons, Ltd., 1964.
Nielsen, Oswald. Cases in Auditing. Homewood, Illinois: Richard D. Irwin, Inc., 1965.
Philco Corporation, Government Group Computer Division. Preparing for an Electronic Data Processing System Installation. Pennsylvania: Philco Corporation, 1961.
Planning for an IBM Data Processing System. New York: International Business Machines Corp., January, 1961.
Porter, Thomas W., Jr. Auditing Electronic Systems. Belmont, California: Wadsworth Publishing Company, Inc., 1966.
________. "Evaluating Internal Controls in EDP Systems," The Journal of Accountancy (April, 1964).
________. "A Control Framework for Electronic Systems," The Journal of Accountancy (October, 1965).
Raues, Charles R. Prluso, Anthony F. and Worley, William S. IItran/3oO. London: Addison Wesley Publishing Company, 196?.
Ross, Franz E. "Internal Control and Audit of Real-Time Digital Systems," The Journal of Accountancy (April, 1965).
Schlosser, Robert E. and Bruegman, Donald C. "The Effect of EDP on Internal Control," Management Services (March/April, 1964).
Shays, Michael E. "The Feasibility of Real Time Data Processing," Management Services (July/August, 1965).
Sprague, Richard E. "On Line-Real Time Systems," Management Services (May/June, 1964).
Stettler, Howard F. Systems Based Independent Audits. Englewood Cliffs, New Jersey: Prentice Hall, Inc., 1967.
Thomas, Shirley. Computers. New York: Holt, Rinehart and Winston, Inc., 1965.
"Use of Computers in Auditing," A Professional Development Course in Electronic Data Processing. Price, Waterhouse and Company, 1962.
Wohl, Gerald and D'Angelico, Michael. The Computer in Auditing the Use of Test Data. Homewood, Illinois: Richard D. Irwin, Inc., 1966.
Woods, Richard. "Development of Auditing Standards and Techniques for EDP Systems." N.A.A. Bulletin (September, 1961).