Many entities use decentralised ‘standalone’ computers or network systems, which are managed and operated by individuals who are not IT specialists. The use of decentralised systems, though efficient for the client, may create additional problems for the auditor, who needs to confirm that the controls within the system are effective.
The following types of system may require special attention by the auditor:
i. microcomputer systems
ii. on-line systems and
iii. electronic data interchange (EDI) systems.
Microcomputer systems
‘Microcomputer system’ refers to a computer system in which the entity uses a number of stand-alone ‘desktop’ computers that are located throughout the organisation.
In microcomputer systems, the auditor is faced with:
i. The difficulty of ensuring adequate physical security of the equipment.
ii. Difficulties with ensuring the security of the data and storage media (disks, tapes etc.).
iii. The risk of unauthorised amendments to program or data files, as some unauthorised persons may have access to the system. This risk can be minimised by restricting access to the computer system and to particular program files and data files through the use of passwords and user names.
iv. Control risks with respect to processing and the software, as programs may be written or modified by the user (one of the potential attractions to the entity of the use of microcomputer systems).
v. Non-provision of adequate documentation of the software systems by the software supplier. If this is the case, it would need to be written by the computer user.
On-line systems
On-line systems are network computer systems that allow users direct access to centrally-held data and programs. Access to the central files is through remote terminals.
On-line systems offer a number of operational advantages to entities that use them.
1. They permit the immediate entry of transactions from many different locations, instead of having to submit transactions to a central computer centre for processing. Data are input through terminals in each location for central (‘real time’) processing.
2. In the same way, centralised master files (such as master files for inventory) are updated immediately. This means that subsequent users of the system can use the up-to-date versions of master files.
3. On-line systems allow users to make inquiries and obtain immediate responses, by having access to master files or reference files. (For example, users are able to give immediate answers to customers about prices of products or the current status of their order).
In spite of these benefits to the entity, on-line systems create additional problems for the auditor who needs to assess the effectiveness of the system controls. There should be sufficient general controls and application controls to minimise the risks that arise from using on-line systems.
General controls in an on-line system could include the following:
a. There must be effective controls over access to the system and its files. This is because in on-line systems, transactions are processed as soon as they are input.
b. There should be controls written into the system software to prevent or detect unauthorised changes to programs.
c. Transaction logs should be used to create an ‘audit trail’. An audit trail refers to the ability of the auditor to trace a transaction through all its processing stages.
d. Firewalls should be used for systems that have access to the Internet. Firewalls are hardware or software devices that prevent unauthorised access to a system from an Internet user.
Application controls in an on-line system could include the following:
i. Pre-processing authorisation (such as logging on to the system, and the use of user names and passwords).
ii. Data validation checks in the software, to check the completeness and accuracy of processing (such as checking that a product code has been entered with the correct number of digits).
iii. ‘Balancing’ – checking control totals of data submitted from remote terminals before and after processing.
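As an added illustration (not from the original text), the following Python sketch shows the three application controls working together on one batch: a data validation check on a six-digit product code, balancing of control totals before and after processing, and a hash-chained transaction log that gives the auditor a tamper-evident audit trail. The six-digit rule, the terminal identifiers and the batch itself are constructed for the example.

```python
import hashlib
import json
import re

# Hypothetical rule for this system: a product code is exactly 6 digits.
PRODUCT_CODE = re.compile(r"^\d{6}$")

# Constructed batch from two remote terminals; the second line has a short code.
SUBMITTED = [
    {"terminal": "T01", "user": "clerk1", "product": "100234", "qty": 5},
    {"terminal": "T01", "user": "clerk1", "product": "10023", "qty": 2},
    {"terminal": "T02", "user": "clerk2", "product": "200991", "qty": 7},
]

def validate(txn):
    """Data validation check: list the reasons a transaction must be rejected."""
    errors = []
    if not PRODUCT_CODE.match(str(txn.get("product", ""))):
        errors.append("product code must be exactly 6 digits")
    return errors

def control_totals(txns):
    """Balancing: record count and hash total of quantities for a batch."""
    return {"count": len(txns), "qty_total": sum(t["qty"] for t in txns)}

def process_batch(txns, audit_log):
    """Process a batch; each transaction gets one hash-chained log entry (the audit trail)."""
    accepted, rejected = [], []
    prev = audit_log[-1]["hash"] if audit_log else "0" * 64
    for seq, txn in enumerate(txns, start=len(audit_log) + 1):
        errors = validate(txn)
        entry = {"seq": seq, "txn": txn, "status": "rejected" if errors else "posted",
                 "errors": errors, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        audit_log.append(entry)
        prev = entry["hash"]
        (rejected if errors else accepted).append(txn)
    return accepted, rejected

def balance(submitted, accepted, rejected):
    """Balancing check: totals before processing must equal posted plus rejected totals."""
    return control_totals(submitted) == control_totals(accepted + rejected)

def verify_trail(audit_log):
    """Recompute the hash chain; an altered or removed entry breaks it."""
    prev = "0" * 64
    for entry in audit_log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

Every rejected line still appears in the log and in the control totals, so a missing or silently altered transaction shows up either as a balancing difference or as a broken chain.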
Electronic data interchange (EDI) systems
Electronic data interchange (EDI) systems are systems that allow the electronic transmission of business documents, such as invoices or payroll information, between different computer systems. The EDI system provides a form of ‘translation’ service, so that the data transmitted from one computer system is changed into a form that can be read by the other computer system, without any need for human intervention.
EDI systems may operate within the organisation (for example, the sales department may use EDI to transfer copies of customer orders electronically to a separate computer system of the accounting department), or externally (for example, a company may use EDI to submit purchase orders for inventory electronically to the computer system of a supplier).
EDI systems can improve the operational efficiency of an entity, but they may generate the following problems for the auditor who has to assess the efficiency of the system controls:
a. The lack of a paper audit trail.
b. An increased level of dependency on the computer systems of the organisation and possibly the computer systems of other entities. Any failure or control weakness in one computer system may have an impact on the computer system that is being audited.
c. There may be a risk of loss or corruption of data in the process of transmission.
d. There will be security risks in the transmission of data.
Possible controls that may minimise the risks inherent in EDI systems include:
i. controls over the transmission of data (such as the encryption of data before transmission, acknowledgement systems, and the use of authentication codes for senders of data)
ii. monitoring and checking of output
iii. virus protection systems
iv. contingency plans and back-up arrangements.
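Added example, not part of the original text: a minimal Python model of the transmission controls listed above for an EDI exchange. The sender attaches an authentication code (HMAC-SHA256 under a shared partner key) so the receiver can tell a corrupted or forged document from a genuine one, a sequence number so replayed or out-of-order documents are refused, and the receiver returns an acknowledgement so the sender resends until the document is confirmed. The shared key, the document and the injected transmission fault are constructed; encryption of the body is left out (the standard library has no AES), so this covers authentication and acknowledgement only.

```python
import hashlib
import hmac
import json

# Constructed shared secret for one trading-partner relationship (hypothetical value).
SHARED_KEY = b"example-partner-key-not-for-production"

def build_message(seq, document, key=SHARED_KEY):
    """Sender side: serialise the document with a sequence number and attach its authentication code."""
    body = json.dumps({"seq": seq, "doc": document}, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

class Receiver:
    """Receiving partner: authenticates, refuses duplicates and gaps, then acknowledges."""
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.expected_seq = 1   # next sequence number this partner will accept
        self.posted = []        # documents handed on to the receiving application

    def receive(self, msg):
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return {"ack": False, "reason": "authentication code mismatch (corrupt or forged)"}
        payload = json.loads(msg["body"])
        if payload["seq"] != self.expected_seq:
            return {"ack": False, "reason": f"expected seq {self.expected_seq}, got {payload['seq']}"}
        self.posted.append(payload["doc"])
        self.expected_seq += 1
        return {"ack": True, "seq": payload["seq"]}

def corrupt_in_transit(msg):
    """Constructed fault: flip one bit in the body, as a transmission error would."""
    body = bytearray(msg["body"])
    body[-5] ^= 0x01
    return {"body": bytes(body), "mac": msg["mac"]}

def send_with_retry(receiver, seq, document, fault_on_first=False):
    """Acknowledgement system: resend the same message until the receiver acknowledges it."""
    msg = build_message(seq, document)
    attempts = []
    for attempt in range(2):
        wire = corrupt_in_transit(msg) if (fault_on_first and attempt == 0) else msg
        ack = receiver.receive(wire)
        attempts.append(ack)
        if ack["ack"]:
            break
    return attempts
```

A corrupted document is refused before it reaches the application, the sender learns this from the missing acknowledgement and resends, and a replay of an already-acknowledged document is rejected on its sequence number rather than silently posted twice.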