Auditing Online Computer Systems



Vol. 3, July 15, 2000

Standards



By John Yu, CDP, FCGA

As previously reported, in March 2000 the International Audit Practice Committee (IAPC) of IFAC released an exposure draft on four topics which form a supplement to ISA (International Standard on Auditing) 401 “Auditing in a Computer Information Systems Environment (CIS).” The four topics are:



  • CIS Environments — Stand-Alone Microcomputers 

  • CIS Environments — On-Line Computer Systems 

  • CIS Environments — Database Systems 

  • Computer Assisted Audit Techniques

In a previous article, I reviewed the exposure draft on standalone microcomputers. In this article, I’ll review the exposure draft on On-Line Computer Systems.

Online computer systems
The exposure draft defines online computer systems as computer systems “that enable users to access data and programs directly through terminal devices…” This definition is broad enough to cover all forms of online systems, including the traditional smart server/dumb terminal variety as well as the client/server variety.

Contrary to the impression many people have, traditional dumb terminals still run a significant number of the world’s CIS environments. These range from terminals used by travel agents and older generations of point-of-sale (POS) terminals in many retail businesses, to terminals at airline check-in counters and those used to run most of the legacy systems in many corporations. The exposure draft describes two classes of terminals:



  • general purpose terminals such as basic keyboard/screen, intelligent terminals that can perform a certain amount of data validation, and microcomputers 

  • special purpose terminals such as POS devices, automated teller machines, and voice response systems such as those used in telebanking

While these two classes cover a number of terminals used in online systems, they fail to recognize many more modern (and advanced) terminals. The following are some examples of devices used in online systems not covered by the definitions in the exposure draft: 

  • biometric devices used for authentication (for a more detailed description of biometrics, see “Application of Biometrics”) 

  • network computers such as Sun’s JavaStation 

  • Internet devices or e-appliances, such as personal digital assistants (PDAs), WebTV, i-opener, various net-phones, and net-cars (for a more detailed description of e-appliances, see “What auditors should know about e-appliances”)

All these devices operate in an online environment as “terminals.”

Types of online systems
The exposure draft suggests five types of online systems: 

  • online/real time 

  • online batch 

  • online memo update 

  • online inquiry 

  • online download/upload

Online/real time systems are the classic online systems where transactions update the master file immediately.

Online batch systems are those with online data capture but batch updates.

Online memo update is defined as “On-line input with memo update processing, also known as shadow update, combines on-line/real time processing with on-line batch processing. Individual transactions immediately update a memo file containing information that has been extracted from the most recent version of the master file. Inquiries are made from this memo file. These same transactions are added to a transaction file for subsequent validation and updating of a master file on a batch mode.” According to this description, the transactions only update a copy of the master file, without affecting the actual master file. The master file is affected only when the transactions are posted later. For all intents and purposes, this form of online system is really a batch system.
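The memo update flow quoted above, modelled as an added example (not part of the exposure draft or the original article). The account numbers, the amounts in cents and the two batch validation rules are assumptions made for illustration; the reconcile method is the kind of check an auditor could run between batch runs.

```python
from dataclasses import dataclass, field

@dataclass
class MemoUpdateSystem:
    master: dict  # account -> balance in cents; changed only by the batch run
    memo: dict = field(init=False)  # extract of the master file, updated online
    pending: list = field(default_factory=list)   # the transaction file
    rejected: list = field(default_factory=list)  # failed batch validation

    def __post_init__(self):
        self.memo = dict(self.master)

    def enter(self, account, amount):
        """Online input: update the memo file at once, queue for the batch."""
        self.memo[account] = self.memo.get(account, 0) + amount
        self.pending.append((account, amount))

    def inquire(self, account):
        return self.memo.get(account)  # inquiries read the memo file

    def reconcile(self):
        """Audit check: memo must equal master plus queued transactions."""
        expected = dict(self.master)
        for account, amount in self.pending:
            expected[account] = expected.get(account, 0) + amount
        keys = expected.keys() | self.memo.keys()
        return {k: (expected.get(k), self.memo.get(k))
                for k in keys if expected.get(k) != self.memo.get(k)}

    def post_batch(self):
        """Batch run: validate each queued transaction, then post to master."""
        for account, amount in self.pending:
            # Assumed rules: the account must exist and must not go negative.
            if account in self.master and self.master[account] + amount >= 0:
                self.master[account] += amount
            else:
                self.rejected.append((account, amount))
        self.pending.clear()
        self.memo = dict(self.master)  # fresh extract from the new master

def demo():
    s = MemoUpdateSystem({"A100": 500, "A200": 50})  # constructed sample data
    s.enter("A100", -200)
    s.enter("A200", -80)  # overdraws A200; only the batch run validates it
    before = (s.inquire("A200"), s.master["A200"], s.reconcile())
    s.post_batch()
    after = (s.inquire("A200"), s.master["A100"], s.rejected)
    return before, after
```

Between input and the batch run, an inquiry on A200 returns a balance that the master file never accepts, which is why the period between batch runs matters when relying on memo file figures.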

Online inquiry systems restrict the user to performing queries only.

By the description in the exposure draft, online download/upload sounds like another variation of the online memo update system where the memo file is a copy of the master file downloaded to the terminal. After it is updated locally, it is then uploaded back to the original master file for updating.

The section on “Characteristics of On-Line Computer Systems” (paragraphs 18 to 22) seems to be a hodge-podge of comments without any particular focus.



Internal control issues
As can be expected, this exposure draft devotes significant time to internal control issues. In fact, two topics (“Internal Control in an On-Line Computer System” and “Effect of On-Line Computer Systems on the Accounting System and Related Internal Controls”) are devoted to these issues. While the coverage of internal control issues is reasonably comprehensive, the placement of certain paragraphs seems odd at times. For example, under the second topic, I found a passing reference to risks of viruses. The issue of risks associated with viruses should be given more prominent coverage under the general discussion of internal controls rather than specifically on accounting system controls. Coverage of firewalls and hacking should also be strengthened.

Effect of online systems on audit procedures
The exposure draft makes the point that it is “more effective for the auditor to perform a pre-implementation review of new on-line accounting applications than to review the applications after the installation.” Here, the focus is on “on-line accounting applications,” which seems rather narrow. Increasingly, e-commerce businesses rely heavily on online sales systems focused on the sales and marketing side of the business. Such sales and marketing applications are more important to the business than the accounting applications, and auditors ignore them at their own peril. In any case, auditors often need to audit online systems after they are implemented, having played no part in the implementation.

Some reference should be made to auditing online transactions that involve third parties. This is particularly the case with some e-commerce sites where the online credit card processing is handled by an agent or service provider that is authorized by the bank and is external to the e-commerce site.

Overall, the exposure draft makes a good attempt to bring the standard up-to-date. The only major flaw is that it has not gone far enough to deal with an increasingly complex online e-commerce environment that provides auditors with new and special challenges.

The IAPC will accept comments and suggestions up to July 31, 2000.




