Audit Trails and Controls

Since one of the objectives of an audit is to determine whether the financial statements are free of material misstatement, an auditor must evaluate the risk of material misstatments resulting from inappropriate use of the client's computer. Audtitors must carefully assess how maintaining accounting records on a computer affects control risk.

Prior to using evaluating the outputs of a system, the accountant should assess the internal controls associated with the system, and establish the procedures and controls that are suitable for this virtual environment. [Russel, 1997]. Essential to the accountant's understading of the internal control structue in a computerized environment is an understanding of the extent of reliance on the computer for critical accounting functions. In a computerized environment, controls must be considered for all aspects of a transaction including inputs, processing, outputs, and data storage.

Some examples of these controls are that data processing should be separate from users, and prohibited from intitiating or authorizing transactions; functions within data processing - such as programming, safekeeping of records- should be separated. A good system will provide an adequate audit trail to trace transactions from interception to their final disposition. Data will be reasonably protected from accidental and malicious contamination. Software used for processing will be protected from alteration or substitution throughout the period under audit.

Programs should be documented to facilitate later review and maintenance. Testing should be done by individuals independent of those writing the application to reduce the frequency of errors and the possibility of irregularities occuring within the program.

After evaluating the internal control environment and testing controls to be relied upon, the accountant will assess the adequacy of the controls in protecting the accounting information from errors.

In real time systems, employees at terminals record transactions directly into the system as they occur. Many real time systems are making extensive use of electronic data interchange (EDI), where information is transmitted directly from one entity to another. With the increasing use of real-time systems, communication systems that feed data to various parts of the system become critical to effective system operation. When communication lines are used, specially lines outside the entity, the potential exists for others to intercept and modify data. Therefore, an entity's controls to ensure the existence, validity and completeness of record transaction are significant to auditors.

Computers have the potential advantage of reducing the amount of paper used in performing routine accounting functions. As the volume of paper is reduced, the audit trail may become difficult to follow or disappear altogether. When computer files are relied upon for the storage of critical documentation, internal controls must be adequate to insure reliability of the information. Adequate backup is also essential to reduce the risk of losing critical information.

References

[Russell] "How e-commerce is changing the way we do business". Technology & Computer. v65, pS8 [back to text]