AUDITORS CHALLENGES AND MODERN WAYS FOR AUDITING ELECTRONIC DATA PROCESSING (EDP) ACCOUNTS OR FINANCIAL STATEMENTS

INTRODUCTION

INTRODUCTION

Electronic data processing is the function of planning, recording, managing and reporting business transactions by the use of computers and related peripherals. In EDP data is first taken from source documents such as invoices, revenue receipts, payment vouchers, written checks etc. There after data inputs to the computer where it is entered via the keyboard or other data entry peripherals. The entered data is then processed according to the accounting package in use; since there are different structures of modules used in sundry accounting application software, processing of the same data may differ from one package to another. As I said earlier that reporting is one of processing features, then it is apparent or undoubted that types of reports produced by different packages may vary from one system or package to another. For example some system may provide almost all basic financial reports such as

The trial balance,

The statement of financial position commonly known as the balance sheet ,

The statement of financial performance which is commonly known as the statement of income and expenditure or The profit and loss account,

The statement of cash flows,

The statement of changes in equity

These types of packages offering almost all financial reports may be said to be compatible to all types of financial processing needs and are really expensive and used in many business and non business entities.

Turning to other packages that don't offer all statements we can see that they have specific and limited applications that range from business to non business, some give only the trial balance leaving the rest of the report to be prepared by the accountant. Others give all other statement except the cash flows statement. These problem calls for the need to have the so called system analyst in organizations. These professionals have the responsibility of studying the need of the organization as refers to electronic processing data issues. They do this by doing a so called feasibility study which will be facilitated by communication with top financial executives of the organization.

Electronic data processing has merits and demerits to the society and the professionals. The following are some of the advantages and disadvantages that may be observed in every day life of our businesses.

Advantages

Fast and instant services in financial institution or banks as compared to manual data processing, as formally it used to be harder to get even your saving or current statement from the bank.

Records of Retired civil servants were not easily and readily available in the past and caused much disturbances to old people who had served in the government for many years; where as in modern electronic data processing such services are performed very fast and the retiree are free from the former troubles.

Performance in manufacturing industries and related works have improved due to inventory automated systems which controls purchases and stocks so that there is no idle cash tied into unnecessary stock pile ups.

Disadvantages

The electronic data processing systems have decreased vacancies for accountants as one person can perform the tasks that could have been done by five people. For example by entering a transaction where purchases have been bought by cash or on credit, stock will automatically be adjusted, total purchases also will be adjusted bank account if it is by cash also will be adjusted, Creditors total amount will be adjusted if the purchase was on credit and finally the financial statements i.e. financial position statement and financial performance statement and cash flows if purchase was by cash will automatically be adjusted. These are just few of activities that will be done after a simple entry of the transaction in the system by one accountant.

Electronic data processing requires more expertise and therefore a lot of money is required to be invested in IT so that the organization can run smoothly.

It is not possible to use electronic data processing without computers and where there is no steady supply of power

After discussing the merits and demerits of electronic data processing in the modern business arena lets talk a bit about some challenges facing organizations and these systems today. It is a non disputed fact that electronic data processing has today gained popularity among the majority of business organizations. However, some challenges need to be addressed before and after the organization have decided to turn from manual to electronic data processing. The first thing to be done by the organization is to ensure that it has its own Information technology policy which caters for Administration, replacement and maintenance of computers and peripherals and lastly but more significant Facilities and Access policy which will deal with Access codes and passwords. This is the remedy or answer to the challenge of security risks that I wanted to talk about. Yes, Security is a great or giant enemy of the electronic data processing systems. As some people may enter harmful programs known as viruses into the electronic data processing system and destroy important files or even running programs; likewise other unfaithful employee may access records and delete or change records to suit their interest and henceforth cause loss to the company. There are many risks but let me stop here.

For many years auditing have been performed in computer free environments, and as a result auditing have been done in manual accounting tools such as working sheets that the auditor uses to record his or her work. Control risk in manual processing and electronic processing are not the same this have necessitated the use of modern risk assessment techniques and audit. Also the use of computer assisted techniques has been brought into use as a result of the introduction of the electronic data processing in many organizations.

AUDITING AND EDP ENVIRONMENT

Meaning of Electronic Data Processing" (EDP)

Auditing in computer information system Environment CIS Environment or electronic data processing exists when an organization uses one or more computer (s) of any type or size for preparation of financial statements. While there is change in overall objective and scope of audit under CIS or EDP, the auditor will need to assess the effect of computers on (a) processing, (b) storage (c) retrieval, and (d) communication of financial information.

Under electronic data processing system, there is virtual elimination of errors such as calculation mistakes, posting errors, totaling, etc. However, any error in programming may result in serious errors and produce incorrect result.

Basic features of EDP environment

The following are the basic features of CIS or EDP environment:

(a) EDP infrastructure.

This includes hardware, operating systems and application software.

Hardware:

Hardware consists of CPU (central processing unit), Monitor, Printer, Mouse and Keyboard. One may put it to use differently, such as

i. Personal computer ( PC )-Used by individual who feeds and processes data on a single machine:

ii. Local area network ( LAN ), where there is connection between two or more computers located at a given small place, ( say, office ) to store and program any data files centrally

iii. Remote linked PCs, where location of PCs is at different places or cities, but interconnected with one another;

iv. Distributed data processing, where a mainframe computer handles main processing, and subsidiary processing takes place at decentralized processors.

v. Electronic data interchange (EDI), under which there is transfer of structured data without manual review to individual computers, sparing them the need to process the data themselves.'

Operating systems

These may be window, Microsoft (Ms) Office, Disc Operating system (DOS), LUNUX, etc. They oversee the communication of data between the computer processor and its magnetic discs, as well as the management of files and programs on the discs.

Application soft ware

This is a set of computer programs, such as TALLY, MYOB, Simply accounting, Quicken etc. that is a specially development accounting Software, including operating system, compilers, packages and user programs, which enable a particular computer centre to operate.

(b) Lack of documents and transactions trail

In manual accounting, there is a transactions trail. First, a document (voucher, invoice, receipt, etc.) originates transaction. Then, there is entry of the transaction in the original books of account (daybooks, journal, etc) Thereafter, there is posting of the transaction in the principal books (ledger, etc). Lastly, the net effect of transaction reflected in financial statements.

In electronic data processing, on the other hand, there are often no transaction creating documents and no visible transaction trail. For example, if there is direct feeding of data into computer, there may not be any physical input documents, e.g. voucher, invoice, receipt, etc. and no transaction trail. For example in an online, system, salespersons may directly feed sale transactions in the computer without any supporting documents, or there may be certain transactions generated by the system based on program instructions such as sending reminders to customers who have defaulted in payment,

Therefore, to asses how electronic data processing may influence the audit examination process, he should consider the availability of data

(a) Entered in computer,

(b) Retained in data files, and

(c) Generated for outputs.

The data may be available only in machine readable form and accessible only for a brief period.

In certain cases, the auditor may have to request the client to retain any particular data for examination. Lack of visible inputs increases the risk of errors remaining hidden, which is in direct contrast to manual accounting system where such errors are visible due to presence of physical input documents.

(c) Concentration of processing of information in few hands.

In EDP environment, only a small number of persons process the entire information. As against this, in the manual system, there is division of the same work among several persons. As a result, customary controls based on segregation of diverse functions may be absent or ineffective. Further persons operating the electronic data processing system achieve expertise as regards the sources of data, manner of processing, and generation and distribution of output. Some times they may use their exclusive control over electronic data processing systems to change the data or the program itself, to commit fraud.

Probability of such fraud is greater in organizations having systems like "Electronic Data Interchange" where almost entire data and programs are only available at the central office or few locations.

(d) Possibility of errors.

While electronic data processing reduces the risk of human errors like calculation mistakes, any error in programming may result in incorrect processing of all transactions. Moreover, in the absence of continuous check by observation of errors as in manual system, errors in electronic data processing may remain hidden for long. Further, there is also likelihood of errors if persons, without authority to access data, make changes in the stored data.

(e) Increased management supervision and effective auditing.

Electronic data processing systems makes it possible for management to review and supervise the operations of the business. This is because it will have a more effective internal control system through several analytical tools generated by electronic data processing.

The auditor can also use computerized auditing tools to make the audit examination more effective. In fact, the electronic data processing systems have in-built software and hardware controls, a feature not present in the manual system.

ADVANTAGES OF EDP SYSTEMS IN AUDITING

(a) EDP systems are more reliable.

A computers works as programmed. If the programming has taken into account all possible circumstances, the computer will work more reliably and consistently than the manual system. In the manual system, the auditor may undertake detailed checking of a number of transactions, yet certain errors and fraud may remain undiscovered. Not so in the case of electronic data processing systems. He has only to see whether there is effective internal control on programs and, if so, checking of certain significant or unusual transactions will assure accuracy in accounting.

(b) EDP system may have in-built control procedures.

With built in automatic control procedures, the electronic data processing systems will themselves indicate certain unusual or significant transactions such as, overdue payments, falling of inventory levels below the prescribed levels, etc. In manual system, the auditor will have to make extra efforts for the purpose. Prescription of "password" control in electronic data processing systems will secure the data against access by unauthorized persons. In manual system, there is always possibility of unauthorized access to accounts.

(c) Automatic updating of all relevant computer files by a single transaction.

Feeding of a single transaction in the computer will update the relevant records in all files. For example, purchase of raw materials from a single supplier will update the accounts of the supplier, purchases, and inventory. In manual system, different individuals will need to update the relevant files under their charge. Likewise, with proper programming, electronic data processing systems can perform certain tasks without human intervention. For example, generation of monthly accounts in case of credit customers will remove the need for manual preparation of accounts in individual cases.

AUDIT PROCEDURES IN EDP / CIS ENVIRONMENT

(a) Traditional approach to audit of computer-processed information.

While processing the information processed on computers, The auditor may adopt a traditional approach, assuming that the processing of information has been under the manual system, and not through computers. The only difference he notices is that the object of his audit examination is computer printouts; and not the hand-written books of account. The result is that he does not suitably modify his audit program, and carries on work as before. However this approach has certain inherent flaws. First it does not involve evaluation of internal control system relating to computers, which may result in more errors and fraud than under the manual system. Secondly, the auditor may devote unduly long time on certain audit procedures, such as checking and posting of transaction which he can avoid if an effective internal control is in place. Thirdly, it ignores the benefits of costs and risks that would be available to the auditor if he adopts techniques suitable to auditing through computers.

(b) Auditing in EDP environment.

In this case the, the auditor should evaluate the internal control relating to electronic data processing and other controls, and accordingly make extensive use of computer(s) to determine the nature, timing and extent of compliance or substantive audit procedures. However, this requires him to have adequate knowledge of computer systems to plan, direct, supervise and review the work performed by others. For this, he may himself acquire the necessary specialized skills, or hire persons suited for the job.

HOW AUDITORS SHOULD APPROACH AUDITING IN EDP ENVIRONMENT

Electronic data processing environment is an area that requires special techniques in approaching, as it is apparently risky and more technological skills is needed to the Auditor before real audit is performed. However the professional guides issued by the International Auditing Standards have disclosed several methods that have to be followed by Auditors when doing audit in specialized areas this does not exclude auditing in an electronic data processing environment. In actual fact the auditor should approach auditing in electronic data processing environment as follows:

(a) Evaluate reliability of accounting and internal control system.

The auditor should ascertain how far the accounting and internal control system of the business is reliable. To this end, he should check the following:

(I) Are there restrictions on access to electronic data processing?

The restriction should be in respect of access to hardware, program and data files. Computer room should be under the custody of a responsible official. He alone should handle program and data files. Further, he should make these available only to the persons authorized for the purpose, and keep a record of issue of program and data files. Other restriction can be by way giving password (a secret code) to authorized computers users. Yet another restriction can be through giving different rights different users, for example, some can only read data files, others may both read and alter data files, yet others may even alter program files.

The auditor should also see whether there are adequate methods of hardware control. For example, almost every computer once started itself checks the proper functioning of its various components and devices. If not it shows a message on the computer screen. If the computer system has parity check; it will show whether, due to cause such as dirty or humidity level, there is improper functioning in the transfer of data between the input-output devices. Such a flaw may cause loss or corruption of data, which the computer system itself will rectify by retrying the transfer. Computer system having a check by way of double reading of data, i.e. on a hard disc and that written to strong media, will show errors in the process.

(ii) Is there provision for timely detection and correction of errors?

Errors may arise during the feeding of data, processing, or due to any fault in the computer system. Here, the auditor should ensure that transactions processed by the computer have due authority, their recording in the computer data files is accurate, there is no loss, addition, duplication or improper change in them, and there is correction and resubmission of incorrect transactions. He should also see that there is correct use of master files, transaction files and program files. The Auditor should review the error correction procedure, as it will show proper functioning of the internal control system.

(Iii) is there arrangement for resumption of system, if interrupted?

In case of electronic data processing systems due to power failure or any mechanical fault, there should be proper arrangement for resuming the system without loosing the entries or records.

(iv) Is electronic data processing generated output accurate and complete?

Accuracy and completeness of output will depend on the accuracy and completeness of the data fed into the computer and its processing. This calls for proper input and controls. Recalculation of figures and comparing the output with manual records are other methods for the purpose. The auditor should see that there is restriction on access to processing of data such that accurate and complete output is produced, and that only authorized persons get it on time.

( v ) Is there adequate security provision for the stored data?

Because of wrong processing or due to natural or man-made reasons, there may be loss or destruction of stored data. The auditor should see that there are proper safety arrangements to secure the stored data in any such eventuality. While doing so, the auditor should also see whether there are proper backup and recovery procedures. These procedures involve keeping copies of programs and data at a place other than the place of location of the computer. Most application programs have an in-built system of maintaining two versions of computer file, the current one and the preceding one. The current version will contain alterations made during the latest processing, and the preceding one the pre-alteration version. Some computer systems even have three files, the current one, preceding the preceding version, and the version preceding the preceding version.

( vi ) Is the source code of application software in safe custody ?.

The auditor should ensure that the source code of application software is in safe custody of a responsible official. He should only allow access to it by a duly authorized person ( s ), and keep a record of the persons gaining access to it.

( b ) Assess "inherent and control" risks.

The auditor should assess inherent and control risk for material financial misstatement.

Risk Assessment and internal Control.

Risk in an electronic data processing environment may arise from the following;

There may not be adequate procedures to control program or system change.

Hardware or software malfunctioning may remain undetected.

During transmission, there may be loss or corruption of data.

Computer facilitates, files and program may be available to unauthorized access.

Users may not participate fully in review-output, to ensure its reasonableness and maintaining responsibility for authorization.

( c ) Effect of inherent and control risk.

Inherent and control risk in electronic data processing environment may have either all round effect on all accounts, or account specific effect.

( I ) Risk having all round-effect on all accounts:

It may arise from deficiencies in program development, system soft ware support, physical electronic data processing security, and control over access to special privilege utility programs. These deficiencies will affect all application systems processed in computer and result in material misstatement in financial statements.

( ii ) Account specific risk:

Account specific risks may result in fraud and errors such as the summarized real cases resulted from inherent and control risks:

a) The Trolley Dodgers case- Control deficiencies in payroll transaction cycle allowed an accounting manager to embezzle several hundred thousand dollars.

b) Goodner Brothers, Inc An employee of this tire wholesaler found himself in serious financial trouble. To remedy this problem, the employee took advantage of his employer's weak internal controls by stealing a large amount of inventory which he then sold to other parties.

c) Troberg stores- An important but commonly overlooked internal control objective is ensuring compliance with applicable laws and regulations The management of this company violated the provisions of a national statute, imposing a heavy monetary cost on the company in the process.

AUDIT TECHNIQUES

( a ) Audit objectives remain the same whether processing of data is manual or computerized.

While designing audit procedures in electronic data processing environment, the auditor should keep in mind two things:

1) Ensure that there is adequate compliance and substantive procedures and transmitted data are correct and complete

2) Apply professional skepticism by cross verification of records, reconciliation between primary and subsidiary ledgers, questioning and critical assessment of audit evidence. The procedures adopted for the purpose may be manual, by way of computer-assisted audit techniques, or on combination of both.

Auditing "around" or "through" computers

In an electronic data processing environment, an auditor may carry out compliance procedures and substantive tests of transactions with the help of computers, or without it. If he conducts the audit in a traditional manner by examining the data and information generated by computer system of the client it will be auditing around the computer. In this case, the auditor only relies on the data and information printouts given to him by the client.

On the other hand, if the auditor himself uses computer system to carry out compliance and substantive test procedures, it will be auditing through the computer. However, this will require the auditor and / or his staff to possess adequate knowledge of electronic data processing.

(b) Computer assisted audit techniques.

These may be as follows:

1. Test data:

They represented a set of test data prepared by the auditor himself, or by using any such data prepared by the internal auditor of the client. Test data comprise transactions of all kinds prepared specifically to test a program or a set of programs of the client. To evaluate the effectiveness of the client's program (s), the auditor may run his test data on the client's computer using the programs of the client himself.

Use of test data serves as an assurance about the correct functioning of tested programs. However, its limitation is that preparation of the test data requires care and expertise on the part of auditor. For example, it will involve selection of the type of master files or records (ledger like records where there is continuous updating through transaction records), e.g. processing of a test transaction showing receipt of payment from a debtor will reflect in the file that contains records of sundry debtors. More over, the test data should cover all types and variations, whether they are actual data used by the client, or certain modifications, to ascertain that the client's program includes necessary controls.

For control purposes, the auditor should maintain proper working papers regarding the use of test data. Working papers should show the programs put to test, and the results-both expected and actual. He should also ensure that the programs tested are those actually used by the client, and that actual records remain unaffected by the tests used by him.

2. Modified test data facility

It is a simulated form of a test data technique. Under it, the auditor creates artificial transactions, processes them along with normal processing of actual transactions of the enterprise, and compares the results of the two. This will expose whether the processing done by the enterprise is correct. However, employees operating the electronic data processing system in the enterprise should know nothing about this exercise.

3. Audit software

The auditor may use audit software specially developed for a particular audit or, more often, generalized audit software (GAS) Design of audit program created for a particular audit will serve the needs of testing the audit programs of the client. On the other hand, generalized audit software will perform certain common data processing functions, like checking calculations, examining the correctness of records, comparing client records with the data obtained through other procedures, summarize or rearrange data, selecting samples, etc.

Documentation

As evidence of proper planning and organization of his examination, the auditor should document the following:

His audit plan;

Nature, timing and extent of audit procedures performed by him;

Conclusion drawn from the evidence obtained; and

Safe storage of the evidence in electronic form.

Audit planning

Planning the audit for an electronic data processing environment client is not expected to be the same as planning the audit for the manual data processing client. The auditor is required to measure the usefulness and existence of reliable controls in the system before he or she start auditing. In electronic data processing environment an IT environment check list will have to be used together with interrogating the client main IT executives.

Important issues to be assessed regarding the whole of information technology field which comprises data processing systems are listed and elaborated in the schedule below:

1.Procedure: Find out the process to register new users to the system.

Inherent risk: Illegal access to components.

2 Procedure:Examine the reliability of the procedures taken when a previous user is required to leave or stop using the machine.

Inherent risk: Previous user still have access to the system

3. Procedure: Find out whether access to the computer room is free to any person

Inherent risk: Unauthorized personnel and visitors may enter the computer room for malicious motives

4.Procedure: Investigate whether there is any rotation of staff ( segregation of duties) in system operations

Inherent risk: There may be fraud attempts by non changed staff.

5.Procedure:Using the organizational chart verify the existence of job description in IT positions in the entity

Inherent risk: Staff may be performing other people's duties involuntarily.

6.Procedure: Find out whether internet downloading and other uses of the internet is restricted to safeguard entity's information.

Inherent risk: Virus penetration into the system is simple due to uncontrolled internet activities

7.Procedure:Investigate to be sure that, the use of anti virus programs is present, there is safe storage of backups which are frequently tested to identify irrelevant backups

Inherent risk: Restoration of data is not possible when misfortunes occur.

Nature, timing and extent of audit procedures

It is customary for Auditors to perform timing and design of audit procedures that are supposed to suit the audit they need to execute. This is important because the audit evidence obtained after audit need to have relevance to the audit report issued. The relevance so mentioned is verified by reviewing the documentation of nature, timing and extent of procedures employed in the audit; this is done in a process called quality review.

Conclusions drawn from the evidence obtained

Conclusions drawn by the Auditor are the final output of the audit which when presented in a formal and standardized manner is called an audit report. Conclusions such as these need to be documented systematically and in a way that another auditor who have not participated in the audit should be able to use them in reporting without the need of more elaboration from the auditor involved in the audit.

Safe storage of the evidence in electronic form

After completion of the audit and collection of relevant and sufficient audit evidence it is advised that the Auditor should store the evidence so obtained in a safe storage and which is expected to be in electronic form. This may be put in disc storage devices which are not easily affected by viruses and not easily altered.

Reference:

1) Principles and Practice of Auditing .By Dinkar Pagare. Eleventh edition 2007-Sultan Chand & Sons.

2) Handbook of International Auditing Standards by IFAC

3) Contemporary Auditing Real issues & Cases. By Michael C.Knapp. Fifth edition , Copyright 2004

Prepared by: Charles Mwazembe Email: mwazembec@yahoo.comSchool of Business and EconomicsSubmitted as partial fulfillment of academic requirements for Atlantic International UniversityLink to the University: http://www.aiu.eduAUDITORS CHALLENGES AND MODERN WAYS FOR AUDITING ELECTRONIC DATA PROCESSING (EDP) ACCOUNTS OR FINANCIAL STATEMENTSBy: Charles Mwazembe

POST COMMENT

Personal Injury Lawyer - An Indispensable Legal Assistance! Personal Injury Lawyer Ny Is The Best Help In Case Of Accidents Brain Injuries Lawyers Car Accident Solicitors Car Injury Claims Head Injury Lawyers Leasing The Best Pick Up Trucks A Guide To Green Driving Is There A Formula For Determining The Amount Of A Personal Injury Settlement? California Personal Injury Claims - Part 1 Of 2 Be Safe From Unfortunate Events With Personal Injury Attorneys Personal Injury: Personal Injury Attorney Services At Competitive Rates Warm Up Properly And Avoid Injury