If we look at the basic differences between computerised and conventional systems we will be able to appreciate the impact they have on the auditor's approach. If we revisit these differences, we can classify them as follows:
(a) The complexity of computerised systems: Usually an auditor can fully understand a conventional system in a matter of hours at the most, whereas a computerised system cannot easily be comprehended without expert knowledge and a great deal of time.
(b) A separation between the computer and the user department: The natural checks on fraud and error normally provided by the interaction of user personnel and accounting personnel no longer apply in a computer environment. This leads to a reluctance on the part of the auditor to rely on internal controls in a computerised system.
(c) Lack of visible evidence: Data in computer systems is stored primarily on magnetic discs, and this information is not easy to examine, which creates problems for the auditor. It must, however, be appreciated that most computer installations in Kenya produce acres of printout, and the auditor may be faced with too many records rather than too few. After all, management is also interested in running a business and needs these records.
(d) Most data on computer files is retained for short periods. Manual records can be retained for years. These records may be kept in a manner which makes access by the auditor difficult and time-consuming.
(e) Computer systems can have programmed or automatic controls. Therefore their operation is often difficult to check by an auditor.
(f) Since programs operate automatically without personnel being aware of what the program is doing, any program with an error is likely to process erroneously for ever.
(g) Use of outside agencies: Sometimes the client uses a computer bureau to maintain its accounting records. The problem here for the auditor lies in being able to examine controls and systems when access is not a legal right.
Changes in audit approach:
Systems design: In conventional systems the auditor finds out about the client's system. In a computerised system, it is advisable for the auditor to be there right from the design stage, when the systems are set out.
Timing of audit visits: More frequent visits may be required because systems and programs may change, printouts are often shredded, and magnetic files are overwritten. Frequent changes occur in filing order, and the audit trail has to be followed while it still exists.
Systems review: This follows the normal way of using a questionnaire but is more difficult because: CIS systems are more complex; technical language is used; too much documentation is available; many controls are program controls, so their evaluation may require detailed study of programs written in high-level languages or in machine code; and frequent changes are made to systems and programs.
Audit tests: These will have to differ from those used in manual systems to reflect the new records being examined.
The Control File:
When auditing CIS systems, it will be found that much reliance is placed within the system upon standard forms and documentation in general, as well as upon strict adherence to the procedures laid down. This is no surprise, of course, since the ultimate constraining factor in the system is the computer's own capability, and all users are competitors for its time. It is therefore important that an audit control file be built up as part of the working papers, and the auditor should ensure that he is on the distribution list for notifications of all new procedures, documents and systems changes in general. The following should be included in the audit control file:
(a) Copies of all the forms which source documents might take, and details of the checks that have been carried out to ensure their accuracy.
(b) Details of physical control over source documents, as well as of the nature of any control totals of numbers, quantities or values, including the names of the persons keeping these controls.
(c) Full description of how the source documents are to be converted into input media, and the checking and control procedures.
(d) A detailed account of the clerical, procedural and systems development controls contained in the system (e.g. separation of programmers from operators; separation of control of assets from records relating thereto).
(e) The arrangements for retaining source documents and input media for suitable periods. This is of great importance, as they may be required for reconstructing stored files in the event of error or mishap.
(f) A detailed flow diagram of what takes place during each routine processing run.
(g) Details of all tapes and discs in use, including their layout, labelling, storage and retention arrangements.
(h) Copies of all the forms which output documents might take, and details of their subsequent sorting and checking.
(i) The auditor's own comments on the effectiveness of the controls.