Auditing Online Computer Systems

Auditing Online Computer Systems

As previously reported, in March 2000 the International Audit Practice Committee (IAPC) of IFAC released an exposure draft on four topics which form a supplement to ISA (International Standard on Auditing) 401 “Auditing in a Computer Information Systems Environment (CIS).” The four topics are:

• 
  CIS Environments — Stand-Alone Microcomputers 
  
• 
  CIS Environments — On-Line Computer Systems 
  
• 
  CIS Environments — Database Systems 
  
• 
  Computer Assisted Audit Techniques
  

Contrary to the impression many people have, traditional dumb terminals still run a significant number of the world’s CIS environment. These range from terminals used by travel agents and older generation of point of sale (POS) terminals for many retail businesses, to terminals used in airline check-in counters and those used to run most of the legacy systems used in many corporations. The exposure draft describes two classes of terminals: 

• 
  general purpose terminals such as basic keyboard/screen, intelligent terminals that can perform a certain amount of data validation, and microcomputers 
  
• 
  special purpose terminals such as POS devices, automated teller machines, and voice response systems such as those used in telebanking
  

• 
  biometric devices used for authentication (for a more detailed description of biometrics, see “Application of Biometrics”) 
  
• 
  network computers such as Sun’s JavaStation 
  
• 
  Internet devices or e-appliances, such as personal digital assistants (PDAs), WebTV, i-opener, various net-phones, and net-cars (for a more detailed description of e-appliances, see “What auditors should know about e-appliances”)
  

• 
  online/real time 
  
• 
  online batch 
  
• 
  online memo update 
  
• 
  online inquiry 
  
• 
  online download/upload
  

Online batch systems are those with online data capture but batch updates.

Online memo update is defined as “On-line input with memo update processing, also known as shadow update, combines on-line/real time processing with on-line batch processing. Individual transactions immediately update a memo file containing information that has been extracted from the most recent version of the master file. Inquiries are made from this memo file. These same transactions are added to a transaction file for subsequent validation and updating of a master file on a batch mode.” According to this description, the transactions only update a copy of the master file, without affecting the actual master file. The master file is affected only when the transactions are posted later. For all intents and purposes, this form of online system is really a batch system.

Online inquiry systems restrict the user to perform queries only.

By the description in the exposure draft, online download/upload sounds like another variation of the online memo update system where the memo file is a copy of the master file downloaded to the terminal. After it is updated locally, it is then uploaded back to the original master file for updating.

The section on “Characteristics of On-Line Computer Systems” (paragraphs 18 to 22) seems to be a hodge-podge of comments without any particular focus.

Some reference should be made to auditing online transactions that involve third parties. This is particularly the case with some e-commerce sites where the online credit card processing is handled by an agent or service provider authorized by the bank external to the e-commerce site.

Overall, the exposure draft makes a good attempt to bring the standard up-to-date. The only major flaw is that it has not gone far enough to deal with an increasingly complex online e-commerce environment that provides auditors with new and special challenges.

The IAPC will accept comments and suggestions up to July 31, 2000.