How to Audit a Computerized Accounting System
The audit process for a computerized accounting system involves five main steps: conducting the initial review (planning the audit); reviewing and assessing internal controls; compliance testing (testing the internal controls); substantive testing (testing the detailed data); and reporting (conclusions and findings). The auditor(s) should reach an understanding with the client concerning the scope and limitations of the audit from the very beginning. This will facilitate the accomplishment of the audit objectives in an effective and efficient manner.
Conduct a preliminary survey of the entity. This is preliminary work to plan how the audit should be conducted. The auditors gather information about the computerized accounting system that is relevant to the audit plan, including: a preliminary understanding of how the computerized accounting functions are organized; identification of the computer hardware and software used by the entity; a preliminary understanding of each significant accounting application processed by computer; and identification of planned implementation of new applications or revisions to existing applications and applicable controls.
Gain and document an understanding of internal controls. There are two types of controls: general and application. General controls are those that cover the organization, management and processing within the computer environment but are not tied to particular applications. They should be tested prior to application controls because if they are found to be ineffective the auditor will not be able to rely on application controls. General controls include such things as proper segregation of duties, disaster plan, file back-up, use of labels, access control, procedures for acquiring and implementing new programs and equipment, etc. Application controls relate to specific tasks performed by the system. They include input controls, processing controls and output controls and should provide reasonable assurance that the initiating, recording, processing and reporting of data are properly performed.
Perform compliance testing to determine whether the controls actually exist and function as intended. There are three general approaches to compliance testing: the test data approach, where the auditor has test transactions processed through the client's system and then compares the results to predetermined results; the integrated test facility approach, where dummy transactions are processed along with real transactions and compared to the auditor's predetermined results; and the parallel simulation approach, in which real transactions are processed through the client's system and also through a parallel system set up by the auditor using the same programs, and the results are compared. The results of whichever of these test approaches is used should tell the auditor if the controls exist and are functioning properly.
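The test data approach described above can be sketched as a small harness. This is an added example, not part of the original article: `client_post_invoice`, the customer IDs, the approval limit and the test deck are all constructed assumptions, and the stand-in routine has a control gap planted so the harness has something to report.

```python
from decimal import Decimal

APPROVAL_LIMIT = Decimal("10000.00")  # assumed policy limit, not from the article

def client_post_invoice(txn):
    """Hypothetical stand-in for the client's posting routine under test."""
    if txn["customer"] not in {"C100", "C200"}:  # control: customer must exist
        return ("REJECTED", None)
    if txn["qty"] <= 0:                          # control: quantity must be positive
        return ("REJECTED", None)
    total = (txn["qty"] * Decimal(txn["unit_price"])).quantize(Decimal("0.01"))
    # Planted gap for the demo: APPROVAL_LIMIT is never enforced here.
    return ("POSTED", total)

# Constructed test deck: each input is paired with the result the auditor
# worked out in advance from the documented control, not from the system.
TEST_DECK = [
    {"id": "T1", "control": "valid invoice posts at qty x price",
     "txn": {"customer": "C100", "qty": 10, "unit_price": "25.00"},
     "expect": ("POSTED", Decimal("250.00"))},
    {"id": "T2", "control": "unknown customer is rejected",
     "txn": {"customer": "C999", "qty": 1, "unit_price": "25.00"},
     "expect": ("REJECTED", None)},
    {"id": "T3", "control": "non-positive quantity is rejected",
     "txn": {"customer": "C200", "qty": -5, "unit_price": "25.00"},
     "expect": ("REJECTED", None)},
    {"id": "T4", "control": "invoice above approval limit is rejected",
     "txn": {"customer": "C200", "qty": 500, "unit_price": "25.00"},
     "expect": ("REJECTED", None)},
]

def run_test_deck(process, deck):
    """Run every test transaction and return the cases that deviate."""
    exceptions = []
    for case in deck:
        actual = process(case["txn"])
        if actual != case["expect"]:
            exceptions.append({"id": case["id"], "control": case["control"],
                               "expected": case["expect"], "actual": actual})
    return exceptions

if __name__ == "__main__":
    for exc in run_test_deck(client_post_invoice, TEST_DECK):
        print(f'{exc["id"]}: control "{exc["control"]}" failed; '
              f'expected {exc["expected"]}, got {exc["actual"]}')
```

Each entry returned by `run_test_deck` is a compliance exception: the documented control exists on paper but the system did not behave as the predetermined result required.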
Perform substantive testing to determine if the data is real. Auditors must obtain and evaluate evidence concerning management’s assertions about the financial statements. There are five assertions: completeness; rights and obligations; valuation or allocation; existence or occurrence; statement presentation and disclosures. The auditor uses the assertions to develop audit objectives and to design substantive tests. Substantive tests are tests of transactions and balances and analytical procedures designed to substantiate the assertions. The auditor must obtain sufficient competent evidential matter to provide a basis for an opinion regarding the financial statements under audit. If sufficient competent evidence cannot be obtained then an opinion cannot be issued.
Write the audit report to complete the audit. The audit report will contain an unqualified opinion, a qualified opinion or a disclaimer of opinion. An unqualified opinion means that the financial statements are presented fairly in accordance with generally accepted accounting principles (GAAP). A qualified opinion means the financial statements are presented fairly in accordance with GAAP except for some qualifying issue. A disclaimer of opinion means that the auditor was unable to obtain sufficient competent evidence to form an opinion. Once the audit report is issued, the audit is complete.