If we look at the basic differences between computerised and conventional systems we will be able to appreciate the impact they have on the auditor's approach. If we revisit these differences, we can classify them as follows:
- The complexity of computerised systems: Usually an auditor can fully understand a conventional system in a matter of hours at the most, whereas a computerised system cannot easily be comprehended without expert knowledge and a great deal of time.
- A separation between the computer and the user department: The natural checks on fraud and error normally provided by the interaction of user personnel and accounting personnel no longer applies in a computer environment. This leads to reluctance on the part of the auditor to rely on internal controls in a computerised system.
- Lack of visible evidence: Data in computer systems is stored primarily on magnetic discs. This information is not easy to examine. This creates problems for the auditor, it must however be appreciated that most computer installations in Kenya produce acres of print out and the auditor may be faced with too much record rather than too little. After all the management is also interested in running a business and needs these records.
- Most data on computer files is retained for short periods: Manual records can be retained for years. These records may be kept in a manner which makes access by the auditor difficult and time consuming.
- Computers systems can have programmed or automatic controls: Therefore their operation is often difficult to check by an auditor.
- Since programs operate automatically without personnel being aware of what the program is doing, any program with an error is likely to process erroneously for ever.
- Use of outside agencies: Sometimes the client uses a computer bureau to maintain their accounting records. The problems here for the auditor are in being able to examine controls and systems when access is not a legal right.
Changes in audit approach:
Systems design: In conventional systems the auditor finds out about the client's system. In a computerised system, it is advisable for the auditor to be there right from the design stage, when the systems are set out.
Timing of audit visits: More frequent visits may be required because there may be changes in systems and programs, print outs are often shredded and magnetic files overwritten. Frequent changes occur in filing order and the audit trail has to be followed while it still exists
Systems review: This follows the normal way of using a questionnaire but is more difficult because EDP systems are more complex, technical language is used, too much documentation is available, many controls are program controls meaning that their evaluation may require detailed study of programs which are written in high level languages or in machine code, and frequent changes are made to systems and programs.
Audit tests: These will have to differ from those used in manual systems to reflect the new records being examined.