AUDITING COMPUTERIZED ACCOUNTING INFORMATION SYSTEMS When computers were first used for accounting data processing functions,

the typical auditor knew very little about automated data processing. The basic auditing approach, therefore, was to follow the audit trail up to the point at which accounting data entered the computer and to pick these data up again when they reappeared in processed form as computer output. This is called auditing around the computer. It assumes that the presence of accurate output verifies proper processing operations. When auditing computerized AIS, an auditor should follow the audit trail through the internal computer operations phase of automated data processing. This approach, auditing through the computer, attempts to verify that the processing controls involved in the AIS programs are functioning properly. Five techniques that auditors use to audit a computerized AIS are: 1. use of test data, integrated test facility, and parallel simulation to test programs 2. use of audit techniques to validate computer programs 3. use of logs and specialized control software to review systems software 4. use of documentation and CAATs to validate user accounts and access privileges, and 5. use of embedded audit modules to achieve continuous auditing. TESTING COMPUTER PROGRAMS Three techniques: 1. Test Data 2. Integrated Test Facilities 3. Parallel simulation Test Data It is the auditors responsibility to develop a set of transactions that tests, as completely as possible, the range of exception situations that might occur. These transactions are called test data. Examples of test data include invalid characters, invalid signs, invalid codes, or invalid range of dates. Parallel simulation The auditor creates a second system that duplicates a portion of the clients system. The auditors system runs at the same time as the clients system and then he can compare the processing and outputs from their own system to the clients system. Differences between the auditor and the clients processing and output indicate problems on the clients system.

VALIDATING COMPUTER PROGRAMS Several procedures may be used in validating computer programs including: Tests of Program change Controls Program comparisons Test of Program Change Controls Program change controls are internal control procedures developed to protect against unauthorized program changes. Sound program change control requires documentation of every request for application program changes. The basic procedures in program change control include testing program changes and obtaining proper authorizations as programs move from a testing stage to actual production (live) use. The auditors responsibility is to ensure that a companys management establishes and executes proper authorization procedures and that the companys employees observe these procedures. A test of program change controls begins with an inspection of the documentation maintained by the information processing subsystem. Responsibility system of computer program development and maintenance in an organization includes Creating flowcharts of the organizations change control processes The organization should also have program authorization forms that include the name of the individual responsible for the work and the signature of the supervisor responsible for approving the final programs. ((these authorizing signatures affix responsibility for the data processing routines and ensure accountability when problems arise)) The chief purpose of a responsibility system at the computer center is not to affix blame in the event of program failures but to ensure accountability and adequate supervisory controls in the critical area of data processing.