The Role of Using Information Technology in Enhancing the Quality of Auditing Services in Gaza Strip

Nov 8, 2013


Islamic University - Gaza
Faculty of Commerce
Department of Accounting




The Role of Using Information Technology in Enhancing the Quality of Auditing Services in Gaza Strip


A Graduation Project Proposal
Presented to the Faculty of Commerce
The Islamic University of Gaza

By
Student: Osama Mahmoud El-Hindi (120080987)
Student: Mahmoud Jawad El-Helou (120082255)

Supervisor: Dr. Salah Shubair

Gaza Strip





In the name of Allah, the Most Gracious, the Most Merciful

{And do not pursue that of which you have no knowledge. Indeed, the hearing, the sight and the heart, about all of those one will be questioned.}
Surat Al-Isra


Dedication:


For Our Palestine…


For Our University…


For Our Teachers…


For Our Family…


We Present This Research…



Acknowledgment:

- First of all, we thank Allah for helping us to complete our research.

- Our ability to accomplish this research is due to the good effort provided by our great university, IUG.

- We thank our parents very much, who granted everything in their life for us, and we also thank them for pushing us to success.

- We would like to thank Mr. Salah Shubair for his advice and continuous support.

- For all our teachers at IUG and for the IUG library staff.

- We would like to express our personal gratitude to all auditing offices in Gaza Strip.

- Finally, thanks to everyone who contributed in any way to support us.



List of content:

A Verse of Quran
Dedication
Acknowledgment

CHAPTER 1: RESEARCH PROPOSAL
ABSTRACT
INTRODUCTION
RESEARCH PROBLEM
RESEARCH IMPORTANCE
RESEARCH OBJECTIVES
RESEARCH HYPOTHESIS
SCOPE AND LIMITATIONS OF THE RESEARCH
RESEARCH METHODOLOGY
TIME TABLE AND BUDGET

CHAPTER 2: LITERATURE REVIEW
BRIEF HISTORY OF AUDITING
AUDITING DEFINITION
THE IMPORTANCE OF AUDITING
THE TYPES OF AUDITS
TYPES OF AUDITORS

CHAPTER 3: AN INTRODUCTION TO COMPUTER AUDITING
IMPORTANCE OF INFORMATION TECHNOLOGY
INTRODUCTION
SYSTEMS UNDER DEVELOPMENT
LIVE APPLICATIONS
IT INFRASTRUCTURE
AUDIT AUTOMATION

CHAPTER 4: APPLIED CASE ON AUDITING OFFICES OF GAZA STRIP

CHAPTER 5: RESULTS AND RECOMMENDATIONS
Results
Recommendations

References
Appendix




CHAPTER 1: RESEARCH PROPOSAL

ABSTRACT

The use of computers in the auditing process has spread greatly during the past twenty years, in order to offer clients the best services and to perform audit work promptly, given the increase in financial transactions in large establishments and in their detail and accuracy. This requires the external auditor to obtain a sufficient understanding of the accounting data and of the computerized information systems environment, to define the effect of this environment on inherent and control risks, and to design and execute suitable tests of controls and substantive procedures to reduce audit risk to an acceptable level.


INTRODUCTION

A key feature of many organizations today is change. Although not necessarily the driver of change, IT is invariably an intrinsic component and much of the change would not be possible without IT. IT has had a major impact on social, economic and political factors throughout the world. Not only has it led to the creation of new professions but it has also revolutionized others, such as office work, or, when combined with robotics, manufacturing industries. Computer audit operates in a climate of constant and rapid change. Computer auditors are continually faced with the prospect of faster, smaller and cheaper IT systems. An analogy that is frequently used to describe the rapid development of IT is that, if aviation had developed at the same rate, man would have landed on the moon in 1922. IT is a dynamic area which, in turn, requires a dynamic and flexible control structure.


Accounting aims to provide the organization's management with the necessary information on all activities of the entity (that is, information related to the results of operations, financial position and cash flows at the end of the fiscal period). This information is important for planning, controlling and taking appropriate decisions, and for protecting the organization's assets from theft, embezzlement and so on. During the last twenty years of the twentieth century, the emergence of corporations and holding companies led to increases in production, marketing and financial transactions. These increases created the need for advanced techniques in processing financial data and in auditing, instead of traditional methods. The use of computers for data processing is therefore important for reasons such as timing and accuracy, and these reasons also favor the use of computers in auditing. ISA number 401 shows that the auditor must consider the electronic information system during the audit procedures in order to reduce the risks that may arise in the audit to a reasonable level.

In later years, the use of computers for auditing spread around the world, but we find that the use of computer techniques for auditing in Gaza Strip faces several problems: (1) the Israeli siege and the bad financial situation in Gaza Strip, resulting in a lack of material capabilities; (2) the lack of familiarity of audit offices in Gaza Strip with the use of computer techniques in audit; (3) the clients (audited companies) do not cooperate with or help audit offices in using computer techniques (or IT) in the auditing process. In this research we will therefore show the importance of using computers in audit, as well as the role of universities and organizations in enhancing the efficiency and effectiveness of auditing services, in Gaza Strip only.


RESEARCH PROBLEM

We can summarize the problems as follows:

1. The Israeli siege of Gaza Strip has resulted in a lack of material capabilities, which creates more obstacles to the auditor's use of computer techniques and information technology to complete his job at an acceptable level.

2. The lack of experience and knowledge in using the computer techniques and programs that are designed to carry out the audit process.

3. Currently, there are no courses provided by universities or entities in Gaza Strip that emphasize the use of computer programs for auditing, which is now called IT audit or E-audit.

4. Audit offices in Gaza Strip do not use the quality and typical measures provided for computers.

5. There is no use of the advanced facilities provided by computers and their software techniques.

RESEARCH IMPORTANCE

In our research, information technology audit (or using computers for audit) is very important for all auditors, audit offices, and accounting department students and graduates in Gaza Strip. This importance increases with the advantages and facilities provided by IT audit, for several reasons:

1. The role of information technology (IT) control and audit has become a critical mechanism for ensuring the integrity of information systems (IS) and the reporting of organization finances to avoid and hopefully prevent future financial fiascos such as Enron and WorldCom. Global economies are more interdependent than ever and geopolitical risks impact everyone. Electronic infrastructure and commerce are integrated in business processes around the globe. The need to control and audit IT has never been greater.

2. To evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.

3. IT audit is characterized by speed and accuracy.

4. To make the audit profession in Gaza Strip more efficient and effective.

In addition, this research calls on all universities (especially the accounting department of the Islamic University) to include courses that cover IT audit in depth, in order to enhance the use of IT in auditing as well as to make the audit profession in Gaza Strip more effective and efficient.

RESEARCH OBJECTIVES

The main objective is:

To show the role of IT in enhancing the quality of auditing services provided by audit offices in Gaza Strip.

The secondary objectives are:

1. To show the importance and characteristics of IT audit.

2. To show the process and procedures in which IT audit can be done effectively and efficiently.

3. To show the problems and obstacles that stand against the use of IT audit and computer techniques in Gaza Strip.

4. To find out potential solutions to solve those problems faced by auditors.

5. To show the role of Gaza Strip universities in enhancing the quality of audit services provided by audit offices in Gaza Strip.


RESEARCH HYPOTHESIS

H0: There is no relationship between IT and the quality of auditing services.

H1: There is a relationship between IT and the quality of auditing services.

H2: There is a relationship between age and the quality of auditing services.

H3: There is a relationship between educational qualification and the quality of auditing services.

H4: There is a relationship between practical experience and the quality of auditing services.




RESEARCH SCOPE AND LIMITATIONS

The researchers may face several limitations while carrying out their study, and they have to try to minimize the effect of these limitations in order to achieve the objectives of this study:

1. First, the researchers may face problems that hinder the research process concerning the limitation of resources and information, as not all information is easily accessible.

2. Second, the researchers face a time restriction: this study must be completed within two months, which means that they have to work hard to collect data, analyze these data and reach the targeted objectives within a short period.

3. Third, this research requires statistical studies showing the facts and problems around the audit profession in Gaza Strip.




RESEARCH METHODOLOGY


The two researchers will use the descriptive analytical approach to complete the study, which depends on describing and demonstrating the importance of using IT in enhancing auditing services in Gaza Strip. Sources to collect information:

Primary sources:
1. Previous research.
2. Related websites.

Secondary sources:
1. Related books.
2. Magazines and periodicals.


RELATED WORKS

India - Office of the Comptroller and Auditor General, Information Technology Audit: General Principles (IT Audit Monograph Series #1):
(Controls in a computer information system reflect the policies, procedures, practices and organizational structures designed to provide reasonable assurance that objectives will be achieved. The controls in a computer system ensure effectiveness and efficiency of operations, reliability of financial reporting and compliance with the rules and regulations...).

State of Florida - Auditor General (David W. Martin, CPA):
(Public entities rely heavily on information technology (IT) to achieve their missions and business objectives. As such, IT controls are an integral part of entity internal control systems. The Auditor General evaluates the effectiveness of entity controls over IT as a part of financial and operational audits).

The Office of the Auditor General of Norway:
(The public sector in Norway is dependent on Information and Communication Technology (ICT) and therefore the auditor has to understand how organizations use technology to run their business and reach their overall goals. If the auditors do not have this understanding, they will not be able to perform their function. This does not mean that all auditors need deep knowledge on IT-audits, but the OAG have to ensure that the auditors have the right level of competence when we staff the audits. In order to assess the internal control systems, the auditors may have to perform audits on the IT-systems).

INTERNATIONAL STANDARD ON AUDITING 401:
(The purpose of this International Standard on Auditing (ISA) is to establish standards and provide guidance on procedures to be followed when an audit is conducted in a computer information systems (CIS) environment. For purposes of ISAs, a CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party).

The Extent of the use of Information Technology in the process of auditing (E-Auditing) in Palestine, and its effect on the quality of the evidence to support the audit opinion of the neutral prepared on the financial statement:
(The study aimed at investigating to what extent do auditors in Palestine use information technology in planning, controlling and documenting the audit processes, Hamdona & Hamdan 2007).

The previous related works show that the importance of using computer techniques and IT to conduct the auditing process increases from day to day around the world. Hence, we must enforce ISA number 401 as effectively and efficiently as we can in Gaza Strip as well as the West Bank, in order to save our companies, and then our economy, from potential losses, and to produce highly experienced accounting and audit graduates.



TIME TABLE AND BUDGET


The research has a time limit; it should be done in three months. The following chart describes the way we will spend the research time.

What we will do? (chart columns: March, April and May, divided into periods 1 to 9)

- Generate the topic
- Collect references
- Writing research proposal
- Apply proposal & writing the research
- Results and recommendations
- Discussion of the research (after May)

The estimated research budget could be NIS 250 or more. This budget will be spent on copying, typing and other expenses related to this research.



CHAPTER 2: LITERATURE REVIEW


1. BRIEF HISTORY OF AUDITING


Auditors have been around for a long time. As long as there has been civilization, there has been a need for some type of record-keeping to implement accountability. In fact, it was the need to keep records of ownership of quantities of goods that led to the development of writing and arithmetic. The first number systems and the first written words were developed as symbols to keep track of merchandise either collected as taxes or used in trade. It was centuries later that literature and mathematics evolved separately, far removed from this initial accountability application. For example, the first proto-Greek written script, Linear B, was essentially developed for keeping records of business transactions and palace inventories in Mycenaean Greece in 1400-1300 B.C. It was only in 800-700 B.C. that a further evolved writing system was used to record some of the earliest works of Western literature, the Iliad and the Odyssey. By then in Greece writing had evolved to the point of recording outstanding deeds and social events and not just commercial transactions. Similarly, accounting and measuring evolved into more abstract mathematics. This pattern of the gradual evolution of writing had been seen in many even earlier civilizations, starting with the Sumerians (3000 B.C.), the Egyptians (2500 B.C.), the first Indus River civilization (2500 B.C.) and the start of the Xia dynasty in China (2300 B.C.).


Auditing accompanied the development of accounting, and the first recorded auditors were the spies of King Darius of ancient Persia (522 to 486 B.C.). These auditors acted as “the King’s ears” checking on the behavior of provincial satraps. The word auditor comes from the Latin word “to hear” because in ancient times auditors listened to the oral reports of responsible officials (stewards) to owners or those having authority, and confirmed the accuracy of the reports. Over the centuries this role of auditors as verifiers of official reports evolved to include that of verifying written records. By 1500 A.D. double-entry bookkeeping had evolved to the point of being documented by Luca Pacioli of Italy in the first known book on accounting. Pacioli also recommended that the accounting records be verified by auditors. By the early 19th century auditors acting as independent outside experts were frequently called upon to investigate and report on business failures or to settle business disputes.


Independence is a key characteristic of the auditor. For now think of it as conditions necessary to obtain an objective appraisal of the subject matter at issue. If the auditor showed any bias in his or her investigation, or even if there was merely the suspicion of bias, the effectiveness of the auditor’s report would be greatly reduced.


Modern auditing began in 1844 when the British Parliament passed the Joint Stock Companies Act, which for the first time required that corporate directors report to shareholders via an audited financial statement, the balance sheet. In 1844 the auditor was required to be neither an accountant nor independent, but in 1900 a new Companies Act was passed that required an independent auditor.



The first public accountants’ organization was the Society of Accountants in Edinburgh, organized in 1854, and Scotland and England became the leaders in establishing the modern accounting profession. As a result of the British lead, the first North American association of accountants, later to become the Institute of Chartered Accountants of Ontario, was organized in 1879 in Toronto. The Quebec Order became the first legally incorporated accounting association in North America in 1880. The Canadian Institute of Chartered Accountants (CICA) began under federal incorporation laws in 1902. And the Certified General Accountants Association of Canada was incorporated by an Act of Parliament in 1913.


Following British precedents, the first legislation requiring audits in Canada was the Ontario Corporations Act of 1907. This was followed by the Federal Corporation Act of 1917. Until 1930 Canadian practice followed the British model, focusing on the procedures that were followed to process a transaction (transaction oriented); these procedures largely relied on internal evidence.


After the 1929 stock market crash and the Great Depression of the 1930s, Canadian practice was increasingly influenced by developments in the United States. U.S. practice had evolved since the late 19th century towards a process of collecting evidence as to assets and liabilities or what is frequently referred to as a balance sheet audit. As a result of extensive misleading financial reporting that contributed to the stock market crash of 1929 and the world depression of the 1930s, the U.S. passed legislation in 1933 and 1934 that greatly influenced auditing around the world. The U.S. Securities Acts of 1933 and 1934 created the Securities and Exchange Commission (SEC), which regulated the major stock exchanges in the United States. Companies wishing to trade shares on the New York Stock Exchange or the American Stock Exchange were required to issue audited income statements as well as balance sheets. In addition, because of the earlier problems with misleading financial reports of the 1920s, the emphasis switched to fairness of presentation of these financial statements, and the auditor’s role was to verify the fairness of presentation. In 1941, as a result of experience in the McKesson and Robbins fraud case, the SEC recommended references to “generally accepted audit standards (GAAS)” in the auditor’s report and mandated more extensive reliance on external evidence. This created a need to better define audit standards and objectives. This process was begun in 1948 by the American Institute of Certified Public Accountants (AICPA).




1.1 U.S. Auditing


In the United States the early formal development of accounting and auditing were mixed together. Working with the Federal Trade Commission, the Federal Reserve Board and the New York Stock Exchange, the American Institute of Accountants (later renamed the American Institute of Certified Public Accountants) produced these bulletins designed to systematize accounting and auditing:

1917: Federal Reserve Board, “Uniform Accounting: A Tentative Proposal Submitted by the Federal Reserve Board.”

1918: Federal Reserve Board, “Approved Methods for the Preparation of Balance Sheet Statements.”

1929: Federal Reserve Board, “Verification of Financial Statements.”

1934: New York Stock Exchange, “Audits of Corporate Accounts.”

1936: American Institute of Accountants, “Examination of Financial Statements by Independent Public Accountants.”



These first 20 years were marked by interest in both accounting and auditing and by cooperation between the American Institute and government agencies. In 1939 the American Institute went its own way by creating the Committee on Auditing Procedure to deal exclusively with auditing matters. This committee launched the Statements on Auditing Procedure series, the first of which (1939) was titled “Extensions of Auditing Procedure.” Generally accepted auditing standards, however, were not known by that name until 1947. Following an investigation of the McKesson and Robbins fraud in the late 1930s and the auditors’ failure to detect it, the Securities and Exchange Commission in the United States passed a rule requiring auditors to report that their audits were “in accordance with generally accepted auditing standards.”


The Committee on Auditing Procedure got busy (after being delayed by World War II) and published in 1947 the “Tentative Statements of Auditing Standards: Their Generally Accepted Significance and Scope.”



1.2 Internal Auditing: An Historical Perspective


The demand for both external and internal auditing is sourced in the need to have some means of independent verification to reduce record-keeping errors, asset misappropriation, and fraud within business and nonbusiness organizations. The roots of auditing, in general, are intuitively described by accounting historian Richard Brown (1905, quoted in Mautz & Sharaf, 1961) as follows: “The origin of auditing goes back to times scarcely less remote than that of accounting…Whenever the advance of civilization brought about the necessity of one man being intrusted to some extent with the property of another, the advisability of some kind of check upon the fidelity of the former would become apparent.” As far back as 4000 B.C., historians believe, formal record-keeping systems were first instituted by organized businesses and governments in the Near East to allay their concerns about correctly accounting for receipts and disbursements and collecting taxes. Similar developments occurred with respect to the Zhao dynasty in China (1122-256 B.C.). The need for and indications of audits can be traced back to public finance systems in Babylonia, Greece, the Roman Empire, the City States of Italy, etc., all of which developed a detailed system of checks and counterchecks.

Specifically, these governments were worried about incompetent officials prone to making bookkeeping errors and inaccuracies as well as corrupt officials who were motivated to perpetrate fraud whenever the opportunity arose. Even the Bible (referring to the period between 1800 B.C. and A.D. 95) explains the basic rationale for instituting controls rather straightforwardly: “…if employees have an opportunity to steal they may take advantage of it.” The Bible also contains examples of internal controls such as the dangers of dual custody of assets, the need for competent and honest employees, restricted access, and segregation of duties (O’Reilly et al., 1998). Historically then, the emergence of double-entry bookkeeping in circa 1494 A.D. can be directly traced to the critical need for exercising stewardship and control. Throughout European history, for instance, fraud cases, such as the South Sea bubble of the 18th century and the tulip scandal, provided the justification for exercising more control over managers.


Within a span of a couple of centuries, the European systems of bookkeeping and auditing were introduced into the United States. As business activities grew in size, scope, and complexity, a critical need for a separate internal assurance function that would verify the (accounting) information used for decision-making by management emerged. Management needed some means of evaluating not only the efficiency of work performed for the business but also the honesty of its employees. Around the turn of the 20th century, the establishment of a formal internal audit function to which these responsibilities could be delegated was seen as the logical answer. In due course, the internal audit function became responsible for “careful collection and interpretive reporting of selected business facts” to enable management to keep track of significant business developments, activities, and results from diverse and voluminous transactions (Mautz, 1964).


Companies in the railroad, defense, and retail industries had long recognized the value of internal audit services, going far beyond financial statement auditing and devoted to furnishing reliable operating reports containing nonfinancial data such as “quantities of parts in short supply, adherence to schedules, and quality of the product” (Whittington & Pany, 1998). Similarly, the U.S. General Accounting Office (GAO) and numerous State Auditors’ Offices, for instance, the State of Ohio Auditors’ Office, have traditionally employed large numbers of internal auditors.


In sum, the collective effect of growing transaction complexity and volume, the owner/manager’s (“principals”) remoteness from the source of transactions and potential bias of reporting parties (“agents”), technical (accounting) expertise required to review and summarize business activities in a meaningful way, need for organizational status to ensure independence and objectivity, as well as the procedural discipline necessary for being the “eyes and ears” of management all contributed to the creation of an internal audit department within business organizations. Starting as an internal business function primarily focused on protection against payroll fraud, loss of cash, and other assets, internal audit’s scope was quickly extended to the verification of almost all financial transactions, and still later, gradually moved from an “audit for management” emphasis to an “audit of management” approach (Reeve, 1986).





1.3 Auditing Profession In Islam Age


Hisbah In Islamic Civilization :


The first muhtasib is Rasulullah SAW; e.g., he passed by a pile of food and put his hand in it until his fingers were wet. He said: "What is this, owner of the food?" He said: "It was wetted by rain, Messenger of Allah." He said: "Would you not put it on top of the food so people can see it? The one who cheats is not of me."

The first muhtasib appointed after the conquest of Makkah, over the Makkah markets, was Sa’id bin Sa’id bin Al-’As. Rasulullah SAW appointed a woman, Samra’ binti Nuhaik Al-Asadiyyah, as a muhtasib, and Khalifah Umar kept her in the position during his tenure.

Khalifah ‘Umar himself performed the role of muhtasib, and he used to tour the market carrying a stick with him, warning cheaters and those who sold goods at exorbitant prices.



Shariah Rule On Hisbah And Shariah Auditing

There are two major views on the Shariah rule on hisbah, which is based on the discussion of al-amr bil-ma’ruf wal-nahyu ‘an al-munkar:

1. Fardh kifayah, but if everyone is ignorant of it, it is fard ‘ayn upon the capable.

This is the view of the majority (Shafi’iyyah, Hanabilah and Hanafiyyah). They include Qaadi Abu Bakr al-Jassas and Al-Alusi (Hanafiyyah), Imam al-Ghazzali and Imam Juwayni (Shafi’iyyah) and Syeikhul Islam Ibnu Taimiyyah (Hanabilah).

2. The duty is wajib on everybody.

This is the view of the Malikiyyah, e.g. Imaam Ibn Abi Zayd al-Qayrawaani.

- Many Quranic verses and ahadith supported the first view.

- Hence, Shariah auditing should not be regarded as worldly corporate governance practices only, but as a religious obligation on the Islamic financial institutions and Shariah auditors (muhtasib/mudaqqiq syar’ie).




Shariah Rule On Muhtasib (Shariah Auditors)


THE CHARACTERISTICS OF THE AUDITOR (MUHTASIB) IN ISLAM CAN BE IDENTIFIED AS FOLLOWS:

1. Must be a Muslim adult, of sound mind and just.

2. Must be of the opinion and strict in religion, knowledgeable of the provisions and purposes of the law.

3. Must be of good standing of the Sunnah.

4. Sincere in his intention for the sake of Allah and not flawed by hypocrisy.

5. Known that what he says is not contrary to what he did.

6. To be innocent of people's money and refuse to accept gifts from employers and industries (auditees).




Among the functions of a muhtasib (Khan, 1992) are the following. There should be similarity to what is expected of the scope of work of auditors in an Islamic organization.

MANAGE EQUILIBRIUM: This function implies that the economy is actively managed by the state and a Muhtasib is appointed by the state. Economic equilibrium is manipulated to attain a reasonable degree of efficiency and justice.

PRICE CONTROLS: If market rigidities exist such that the economically powerful class is able to manipulate the price level, the muhtasib has a duty to apply corrective measures and to save the general public from hardship.

CREDIT STRUCTURE: He is to check on any transactions involving usury (riba). In a case where the debtor cannot pay his debt, he would arrange for aid from the zakat fund.

REGULATION OF SUPPLY: He ensures that all trade has to be done in the open market. He is to prevent secret dealings by the traders at their homes, warehouses and behind closed doors that could disturb the supply flows and thus interfere in the establishment of a natural price level. Free access to the market is ensured to anyone who wants to enter the market.

EFFICIENCY IN THE PUBLIC SECTOR: He is to advise the regulator to adopt commendable behavior and refrain from improper conduct. This was based on the Prophetic tradition that the best of jihad was to pronounce truth before an oppressive ruler. He would also deal with complaints of bribery and misappropriation of public funds.





2. AUDITING DEFINITION


Audit was originally confined to ascertaining whether the accounting party had properly accounted for all receipts and payments on behalf of his principal, and was in fact merely a cash audit. Modern audits not only examine cash transactions, but also verify the purport to which the cash transactions relate.


THERE ARE SEVERAL DEFINITIONS OF AUDITING, AS FOLLOWS:

Audit is an examination of accounting records undertaken with a view to establishing whether they correctly and completely reflect the transactions to which they purport to relate.

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

Financial Audits: In a financial audit, the assertions about which the auditor seeks objective evidence relate to the reliability and integrity of financial and, occasionally, operating information. The examination of the objective evidence underlying the financial data as reported is called an audit. Analytics, inquiries of management and the verification of information through evidential matter (support) external to the company (i.e., “other audit procedures”) are required.


The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, water management, and energy conservation.




3. THE IMPORTANCE OF AUDITING


Auditing is the analysis, by a qualified accountant, of the financial accounts/records and procedures of a firm or organization. This is essential in order to gain a fair perspective on the company's financial statements. With auditing, potential investors and creditors can look at the financial statements to decide whether to invest in a business or not. Auditing is also important as it protects the public from scams and corrupt business procedures.


The advantages of a business audit are:

1. Gain a strong sense of internal control.

2. Identify key areas for improvement in your company.

3. Test out the performance of new technology.

4. Evaluate threats, economy, efficacy and quality.

5. Realize fraudulent occurrences in the business.

6. Analyze and understand your firm's financial data.

7. The public are protected from corruption.


The disadvantages of a business audit are:

1. It does not take into account the productivity and the skills of the employees of the business.

2. The financial data is never current and does not reveal much about the present financial position of a company.

3. Different accountants use different techniques, therefore it would be hard to compare audits between companies who have used different accountants.

4. For smaller companies, hiring an accountant/firm to carry out an audit can be costly.

5. A bad audit can discourage investment.

6. It can be time consuming to answer the auditor's questions and the business may not work to maximum capacity.


Carrying out an audit is essential because, for public listed companies, it is important that an audit is carried out to ensure that the companies are using fair policies prescribed by law and that the public’s money is in safe hands. The basic advantage of an audit is that it makes it easier to compare different companies, as the auditors express their opinions about the fairness of procedures. If a company is given a good opinion, then it means that it is following the law. It also helps in following certain standards. An audit will keep the managers from trying to indulge in fraudulent practices, as it is a means of accountability. It testifies to the reliability and integrity of the results. The only disadvantage of an audit can be the costs involved, because you have to pay the auditors and also ensure that you maintain detailed records of all the transactions, which involves a lot of costs.




ADVANTAGES TO BUSINESS


Advantages of audit for the business are:


1. Satisfaction of Owner

It is because of audit that the owner will be satisfied about the business operations and the working of its various departments.

2. Detection and Prevention of Errors

The errors, whether committed innocently or deliberately, are discovered by the process of audit, and its presence prevents their occurrence in the future. No one will try to commit an error or fraud as the accounts are subject to audit and hence they will have a fear of being detected.

3. Verification of Books

Another advantage of audit is the verification of the books of accounts, which helps in maintaining the records up to date at all times.

4. Independent Opinion

Auditing is very useful in obtaining the independent opinion of the auditor about business condition. If the accounts are audited by an independent auditor, the report of the auditor will be true and fair in all respects and it will be of extreme importance for the management of the company.

5. Detection and Prevention of Frauds

Just like errors, frauds are discovered by audit, and its presence minimizes their future possibility, if it does not eliminate it totally.

6. Moral Check

The process of audit will establish a check on the minds of the staff working in the business and they will not be able to commit any irregularity, as they will have a fear and will also be aware that the accounts will be examined in the near future and that action would be taken against them if any irregularity is discovered. Thus the audit prevents the happening of any irregularity before it starts and the staff hence become more active and responsible. The fear of getting caught acts as a moral check on the staff of the company.


7. Protection of the Rights and Interests of Shareholders

Audit helps in protecting the interests of shareholders in the case of a joint stock company. Audit gives assurance to the shareholders that the accounts of the company are being maintained properly and their interest will not suffer under any circumstances.

8. Reliance by Outsiders

Outsiders like creditors, debenture holders, banks, etc. will rely on the business accounts if they are audited by an independent authority (external auditor).

9. Loan Facility

Money can be borrowed easily from financial institutions on the basis of an audited balance sheet. If accounts are audited, the true picture will be visible to banks and it will be easy for them to issue loans as early as possible.

10. Easy Valuation

If the accounts are audited, it becomes easier to value property, etc. when the business is disposed of, and as a result no dispute whatsoever will arise.

11. Up to Date Record

Due to the fear of audit, the work of accounting always remains up to date and correct in all respects.

12. Reliance by Partners

If a new partner is to be inducted in the business, the audited balance sheet will be a good base to estimate the value of goodwill. Moreover, the accounts of a company audited by an independent person will minimize the chances of misunderstanding among the partners.

13. Reliance by Shareholders

In the case of a joint stock company, the shareholders have no hand in the actual running of the business because the management is in the hands of the directors. So the shareholders are assured in the presence of the process of audit that the directors have not taken any undue advantage of their status and position.




ADVANTAGES TO THE PUBLIC


Advantages of audit for the public are given below:


1. Safety from Exploitation

The interest of the public and shareholders is safe and guaranteed in the presence of audit. Otherwise they may have been exploited by the management. This is the main reason for which the audit has been made mandatory for public limited companies.

2. Facility for Prospective Investor

The prospective investor can easily analyze the position of the company through the audited financial statements of the company and can make the decision to invest or not in the company.

3. Satisfaction about Business Operations

In the presence of audit, the public in general and the owner of the business in particular receive a reliable statement of accounts, indicating the true financial position of the concern, and they can collect results from it and feel satisfaction about it in every respect.




ADVANTAGES TO THE STATE


Advantages of audit to the state are as under:


1. Privatization of Industries

If the nationalized industries are running in losses, the government may denationalize them after going through the audited accounts of such industries.

2. Easy Assessment of Tax

In the presence of audited accounts the assessment of tax becomes very easy because the tax is imposed on the basis of audited accounts.

3. Quick Recovery of Taxes

As the assessment orders can easily be made it will lead to early recovery of taxes.

4. Leading to Economic Progress

The joint stock companies play a vital role in giving a boost to the economic progress of a country. The successful operation of the companies would not have been possible without the presence of audit. So we can easily say that the presence of audit leads to economic progress of the country.








4. THE TYPES OF AUDITS


Types of Audits and Reviews:

1. Financial Audits or Reviews

2. Operational Audits

3. Department Reviews

4. Information Systems Audits

5. Integrated Audits

6. Investigative Audits or Reviews

7. Follow-up Audits


Financial Audit

A historically oriented, independent evaluation performed for the purpose of attesting to the fairness, accuracy, and reliability of financial data. CSULB's external auditors, KPMG, perform this type of review. CSULB's Director of Financial Reporting coordinates the work of these auditors on our campus.

Operational Audit

A future-oriented, systematic, and independent evaluation of organizational activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this type of review.

Department Review

A current period analysis of administrative functions, to evaluate the adequacy of controls, safeguarding of assets, efficient use of resources, compliance with related laws, regulations and University policy and integrity of financial information.


Information Systems (IS) Audit

There are three basic kinds of IS Audits that may be performed:

1. General Controls Review

A review of the controls which govern the development, operation, maintenance, and security of application systems in a particular environment. This type of audit might involve reviewing a data center, an operating system, a security software tool, or processes and procedures (such as the procedure for controlling production program changes), etc.

2. Application Controls Review

A review of controls for a specific application system. This would involve an examination of the controls over the input, processing, and output of system data. Data communications issues, program and data security, system change control, and data quality issues are also considered.

3. System Development Review

A review of the development of a new application system. This involves an evaluation of the development process as well as the product. Consideration is also given to the general controls over a new application, particularly if a new operating environment or technical platform will be used.


Integrated Audit

This is a combination of an operational audit, department review, and IS audit application controls review. This type of review allows for a very comprehensive examination of a functional operation within the University.

Investigative Audit

This is an audit that takes place as a result of a report of unusual or suspicious activity on the part of an individual or a department. It is usually focused on specific aspects of the work of a department or individual. All members of the campus community are invited to report suspicions of improper activity to the Director of Internal Auditing Services on a confidential basis. Her direct number is 562-985-4818.

Follow-up Audit

These are audits conducted approximately six months after an internal or external audit report has been issued. They are designed to evaluate corrective action that has been taken on the audit issues reported in the original report. When these follow-up audits are done on external auditors' reports, the results of the follow-up may be reported to those external auditors.





5. TYPES OF AUDITORS

Auditors of financial statements can be classified into two categories:



• External auditor / Statutory auditor is an independent firm engaged by the client subject to the audit, to express an opinion on whether the company's financial statements are free of material misstatements, whether due to fraud or error. For publicly-traded companies, external auditors may also be required to express an opinion over the effectiveness of internal controls over financial reporting. External auditors may also be engaged to perform other agreed upon procedures, related or unrelated to financial statements. Most importantly, external auditors, though engaged and paid by the company being audited, are regarded as independent auditors.

The most used external audit standards are the US GAAS of the American Institute of Certified Public Accountants, and the ISA (International Standards on Auditing) developed by the International Auditing and Assurance Standards Board of the International Federation of Accountants.



• Internal auditors are employed by the organization they audit. They perform various audit procedures, primarily related to procedures over the effectiveness of the company's internal controls over financial reporting. Due to the requirement of Section 404 of the Sarbanes Oxley Act of 2002 for management to also assess the effectiveness of their internal controls over financial reporting (as also required of the external auditor), internal auditors are utilized to make this assessment. Though internal auditors are not considered independent of the company they perform audit procedures for, internal auditors of publicly-traded companies are required to report directly to the board of directors, or a sub-committee of the board of directors, and not to management, so as to reduce the risk that internal auditors will be pressured to produce favorable assessments.

The most used Internal Audit standards are those of the Institute of Internal Auditors.



• Consultant auditors are external personnel contracted by the firm to perform an audit following the firm's auditing standards. This differs from the external auditor, who follows their own auditing standards. The level of independence is therefore somewhere between the internal auditor and the external auditor. The consultant auditor may work independently, or as part of the audit team that includes internal auditors. Consultant auditors are used when the firm lacks sufficient expertise to audit certain areas, or simply for staff augmentation when staff are not available.

• Quality auditors may be consultants or employed by the organization.


CHAPTER 3:

AN INTRODUCTION TO COMPUTER AUDITING


1. IMPORTANCE OF INFORMATION TECHNOLOGY


Information Technology is related to studying, designing and developing the information related to computers. This field has been growing at a very fast pace over the last few years and, according to successful and well-known people in the Information Technology sector, this growth is expected to remain stable. Due to the robust growth, millions of jobs have been created in this field. However, it is essential for us to understand what the importance of information technology is. Given below is the importance of information technology in business.



1.1 Why Is Information Technology Important In Business?


There are many businesses which are in need of software packages for satisfying their operational as well as functional needs. For fulfilling this requirement, these companies sign deals with software manufacturing companies. Information technology is useful in ensuring the smooth functioning of all the departments in a company, such as the human resource department, finance department and manufacturing department, and for security related purposes.

With the help of information technology, the companies in the automobile manufacturing sector are able to get rid of any sort of errors or mistakes in the proper functioning of the tools used for designing and manufacturing purposes. Due to the development of the information technology sector, companies are able to keep themselves aware of the changes in the global markets.

Software applications and hardware devices are known to be the main elements of the use of information technology. Web browsers, operating systems, ERPs and special purpose applications are the software used in information technology. Information technology plays an important role in easily solving mathematical problems and in the project management system. Information technology has a great use in the automated production of sensitive information, automated upgrading of the important business processes and the automated streamlining of the various business processes. It has also played an important role in the areas of communication and automated administration of entire systems.

These days IT is crucial to the majority of businesses. Almost all companies use IT to some extent, making it important for employees to have proficient knowledge in the area. It is no longer just IT jobs where staff need a good knowledge of IT. Almost all office based jobs are now almost entirely based around computers and IT.

Having good IT skills gives you a major advantage over those who do not have them. Even if a role is not an IT job per se, IT knowledge may give you an advantage over other candidates and help you once you are employed. Employees are expected to know the basics of IT in most jobs and there is an assumption that you are able to perform basic computer related tasks. Email is often the main mode of communication, while employees are also expected to be able to write documents and use spreadsheets.

In most cases the Internet is the main research method, so being confident using Google, for example, can be a must.

Most admin tasks in any business are now performed through the use of IT and for the large part the traditional numerous filing cabinets are gone. Accounting is usually done with spreadsheets, so accounting staff also need knowledge of IT. Even those working in shops and restaurants will use IT in certain ways, such as the tills. Anyone working in management in any job will need to be able to use computers to either a small or large extent, depending on the nature of their particular job.

With IT playing such an important role in business today, good IT training, either in education or once in employment, can make an important difference. IT is there to make life easier, but if you do not have the necessary confidence it can turn into a nightmare. Staff need to understand the processes they are using, and this requires sufficient training.

IT can be complex, especially in businesses that use it to a large degree, and as with all technologies there will be things that go wrong. Therefore support staff who can solve any issues are useful. Some companies will have a person, or even a whole team of people, whose sole job it is to run and maintain the IT systems and networks. IT is there to help, not hinder, but if things are not managed properly it can cause a whole host of problems. The IT department and processes need to be managed for IT to have the best possible impact on a business. Things need to be in place so the business can make the most of the advantages IT offers.

Some will use some kind of IT methodology to keep their IT management on track. The most widely used methodology is ITIL, which stands for Information Technology Infrastructure Library. ITIL is a set of concepts and policies for managing the IT within a business. Essentially it is the IT best practice.



2. INTRODUCTION


2.1 Purpose

The aim of these notes is to give potential computer auditors an overview of the main activities of computer audit and the role of the computer auditor. They have been written to assist candidates who are planning to attend an interview for a position in computer audit but have a limited knowledge of the subject. For those from either an audit, business or information technology (IT) background seeking a move into computer audit, these notes will provide useful background reading. Whilst any organisation that has agreed to interview a candidate who has limited experience of computer auditing will judge them accordingly, there is substantial scope for candidates to improve their chances by demonstrating that they have done some research and are conversant with the basic principles.

Further, as it is increasingly difficult to distinguish between IT and business areas, many organisations now require that all business auditors have an awareness of computer audit. These notes, therefore, should assist business auditors in obtaining a greater appreciation of computer auditing. Given the diversity of IT, it is not possible within a document of this type to be specific about computer audit in particular sectors or in relation to specific hardware or software. The basic principles of computer audit should be common to all sectors and to most types of hardware and software.


2.2 Definition

One of the most important factors to consider when discussing computer audit is that the term “computer audit” can mean many different things to different people. What may be regarded as computer auditing in one organisation, and very much the realm of the specialist computer auditor, may be undertaken by business auditors in another similar organisation. For example, computer audit may be restricted to auditing systems software in one organisation, whilst areas such as auditing systems under development may be the responsibility of the business auditor. Similarly, in some organisations, it is not uncommon for the role of computer audit to be extended to include the review of clerical procedures and the production of compliance based audit work programmes for field auditors, thereby providing a wider systems audit service. There are no hard and fast rules as to what constitutes computer audit. Often, similar sized organisations operating in the same sector may have different approaches to computer audit. Even where there appears to be commonality in the scope of audit areas, there can be significant variations in the depth of auditing undertaken. An audit of an operating system in one organisation may require between 5 and 10 man-days, whilst in another, the same operating system may be subject to a more detailed examination lasting several months.


2.3 Origins Of Computer Audit

The absence of a common definition of computer audit may, in part, be due to the relative newness of computer audit. The history of traditional auditing or inspection can be traced back many hundreds of years. In contrast, computer audit is a relatively recent development. It was not until the late 1970s that the majority of major organisations in the UK established a computer audit capability for the first time.

The use of IT in business is also a relatively recent development. The father of modern day computing is generally regarded as being Charles Babbage, who produced his Difference Calculator in 1833. It was not until the outbreak of the Second World War and the widespread development of valve technology, that the 1st Generation computers were used. Even then, it was many years later that they became commonplace in business.



2.4 Change

A key feature of many organisations today is change. Although not necessarily the driver of change, IT is invariably an intrinsic component and much of the change would not be possible without IT.

IT has had a major impact on social, economic and political factors throughout the world. Not only has it led to the creation of new professions but it has also revolutionised others, such as office work, or, when combined with robotics, manufacturing industries. Computer audit operates in a climate of constant and rapid change. Computer auditors are continually faced with the prospect of faster, smaller and cheaper IT systems. An analogy that is frequently used to describe the rapid development of IT is that, if aviation had developed at the same rate, man would have landed on the moon in 1922. IT is a dynamic area which, in turn, requires a dynamic and flexible control structure. The rapid development of IT is perhaps best indicated by the relative absence of specific IT legislation, which, in England and Wales, is largely based upon precedent established over many years. The only specific IT legislation in the UK at present is the Data Protection Act 1984 and the Computer Misuse Act 1990, both of which have been subject to considerable interpretation by the Courts. Both pieces of legislation are security and control related.


2.5 Nature Of Computer Audit

Although an IT system may achieve the same end result as a manual system, the way in which it does so, and hence the level of security and control required, can differ considerably. There are a number of significant risks associated with the processing of IT systems. It is important, therefore, that high standards of security and control are maintained to minimise the potential impact on the organisation.

Computer fraud and abuse can have a detrimental effect on an organisation. Periodic surveys undertaken by organisations such as the NCC (National Computing Centre) and the Audit Commission indicate the following common instances of computer fraud and abuse:

• unauthorised disclosure of confidential information

• unavailability of key IT systems

• unauthorised modification/destruction of software

• unauthorised modification/destruction of data

• theft of IT hardware and software

• use of IT facilities for personal business

When considering computer audit, it should be noted that the basic control objectives and principles do not change. The manner in which those objectives are achieved, however, does change fundamentally. Specifically, there is a need for greater preventative controls rather than a reliance on the more detective and corrective control mechanisms which would usually be found in manual systems. The development of on-line real time systems, where the immediacy of processing can result in millions of pounds being transferred away in a funds transfer system, requires a robust level of security.
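
The following sketch is an added illustration, not part of the original notes, of the distinction drawn above: in a real-time funds transfer system a detective control (an after-the-fact review) reports a non-compliant payment only once the money has left, whereas a preventative control applies the same rules before posting. The account names, approval limit, rules and transactions are all assumptions constructed for the example.

```python
"""Preventative versus detective controls in a toy real-time funds transfer.

Every name, limit and transaction below is constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional

# Assumed policy: transfers above this amount need a second, independent approver.
DUAL_APPROVAL_LIMIT = Decimal("10000")
# Assumed standing data: beneficiaries vetted in advance by the business.
APPROVED_BENEFICIARIES = {"SUPPLIER-001", "SUPPLIER-002"}


@dataclass(frozen=True)
class Transfer:
    ref: str
    initiator: str
    approver: Optional[str]
    beneficiary: str
    amount: Decimal


class ControlViolation(Exception):
    """Raised by the preventative control before any money moves."""


@dataclass
class Ledger:
    balance: Decimal
    posted: List[Transfer] = field(default_factory=list)

    def post(self, t: Transfer) -> None:
        # Real-time posting: once this runs, the funds have left the account.
        self.balance -= t.amount
        self.posted.append(t)


def violations(t: Transfer) -> List[str]:
    """Return the policy rules a transfer breaks (empty list means compliant)."""
    found = []
    if t.amount <= 0:
        found.append("non-positive amount")
    if t.beneficiary not in APPROVED_BENEFICIARIES:
        found.append("unapproved beneficiary")
    if t.amount > DUAL_APPROVAL_LIMIT and t.approver in (None, t.initiator):
        found.append("no independent approval")
    return found


def post_with_preventative_control(ledger: Ledger, t: Transfer) -> None:
    """Preventative: evaluate the rules first and refuse to post on any breach."""
    broken = violations(t)
    if broken:
        raise ControlViolation(f"{t.ref} rejected: {', '.join(broken)}")
    ledger.post(t)


def detective_review(ledger: Ledger) -> Dict[str, object]:
    """Detective: after-the-fact review of what was already posted."""
    exceptions = {t.ref: violations(t) for t in ledger.posted if violations(t)}
    exposure = sum(
        (t.amount for t in ledger.posted if t.ref in exceptions), Decimal("0")
    )
    return {"exceptions": exceptions, "exposure": exposure}


# Constructed sample day: two routine payments and two that break policy.
SAMPLE_TRANSFERS = [
    Transfer("T1", "alice", "bob", "SUPPLIER-001", Decimal("2500")),
    Transfer("T2", "alice", None, "SUPPLIER-002", Decimal("500")),
    Transfer("T3", "mallory", "mallory", "ACCT-UNKNOWN", Decimal("250000")),
    Transfer("T4", "alice", None, "SUPPLIER-001", Decimal("50000")),
]


def run_detective_only() -> Dict[str, object]:
    """Post everything in real time, then rely on the end-of-day review."""
    ledger = Ledger(Decimal("1000000"))
    for t in SAMPLE_TRANSFERS:
        ledger.post(t)
    report = detective_review(ledger)
    report["balance"] = ledger.balance
    return report


def run_preventative() -> Dict[str, object]:
    """Apply the same rules before posting; the review then finds nothing."""
    ledger = Ledger(Decimal("1000000"))
    rejected = []
    for t in SAMPLE_TRANSFERS:
        try:
            post_with_preventative_control(ledger, t)
        except ControlViolation:
            rejected.append(t.ref)
    report = detective_review(ledger)
    report.update(balance=ledger.balance, rejected=rejected)
    return report


if __name__ == "__main__":
    print("detective only:", run_detective_only())
    print("preventative:  ", run_preventative())
```

With the detective control alone, both non-compliant transfers are identified correctly, but only after the funds have been posted; the same rules applied before posting leave nothing for the review to find.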


2.6 Computer Auditors

It was not until the late 1970s that most organisations in the UK established a computer audit capability. This primarily arose out of the need to provide business auditors with independent data from the IT system. This in turn progressed to a wider review of the IT applications and infrastructure to provide an assurance that the organisation’s assets were protected and that suitable security and control mechanisms were in place. The high level of technical knowledge required resulted in the birth of the computer auditor. It is important when considering computer audit to note that it is an integral part of the overall audit activity. It is usually separated to enable specialised security and control issues to be dealt with more effectively and to make better use of specialist staff. Computer auditing, therefore, is a means to an end rather than an end in itself. There is always a temptation when dealing with IT to become engrossed in the technical complexities of an operating system or application and to ignore the business realities of the organisation.

Risk based computer auditing, integrated as appropriate with business audit, is essential if computer audit is to add value to the organisation and to deliver the effective service demanded of it by senior management. Over the years, the role of the computer auditor has changed to being more consultative and value adding. Clearly, where a new system is being developed, it is more cost effective for audit comments to be provided prior to a system being implemented, when improved security and control features can be included more easily and cheaply. Similarly, although computer auditors regularly undertake audits of, say, logical access controls, there is considerable scope for computer auditors to be involved in the design of those components.

There is an issue of independence if the computer auditor becomes involved in the design process, as this may be compromised if the same individual subsequently audits that system.


It is generally recognised, however, that the costs of not getting involved are so great that this is not an option. It is unlikely, for example, that senior management will be happy to receive an audit report just after a new IT system has gone live which details significant security and control exposures. The role of the computer auditor continues to mature and develop. This is essential if computer audit is to provide a value added service to the business in the face of increasingly sophisticated technology. A key challenge for computer auditors is to keep up to date with the constant and rapid developments in IT. Continuous training and development is essential. Successful computer auditing is based upon a foundation of technical excellence. Without this, computer auditors are limited in their ability to audit effectively and to provide a valuable service to the organisation. It should also be noted that the role of the computer auditor can, in some areas, overlap with that of the computer security function and this can cause confusion.

It is essential to clearly define respective responsibilities so that unnecessary duplication is avoided. Essentially, the role of the computer security section is to assist users in developing security solutions and to administer that security on a day to day basis. The role of the computer auditor is to provide senior management with an independent and objective assurance as to the level of security applied within the IT environment. As an integral part of the audit process, computer auditors will also provide advice and it is in this area that duplication and overlap may arise.


2.7 Scope

The following sections of these notes describe the main areas of computer audit activity:

• systems under development

• live applications

• IT infrastructure

• audit automation

The extent to which these areas are reviewed and the depth to which they are examined will vary. Key to the performance of audit work is a comprehensive risk based evaluation which should determine the amount of audit resource required and should also assist in determining an assessment of a satisfactory level of security and control. A brief outline of the involvement of the computer auditor has been provided for each area. The purpose of this outline is to give an indication of the audit considerations rather than to provide an exhaustive list.

Readers are advised to refer to appropriate text books where additional information is required,
specifically, “Computer Auditing” by Ian J Douglas and the “CIPFA Computer Auditing
Guidelines” by CIPFA.






3. SYSTEMS UNDER DEVELOPMENT


3.1 Background

“There is nothing more difficult to plan, more doubtful of success, nor more dangerous to
manage than the creation of a new system” (Machiavelli).

The development of a new computer system represents an area of potentially significant risk to
an organisation. New computer systems are developed to meet a variety of business needs,
whether they be to meet new legal requirements, to maintain or enhance profitability, to improve
efficiency or to reduce costs. The failure of a new system could have a major impact on an
organisation’s future viability and well being.

A review of an organisation’s financial statements will usually indicate that, with minor
exceptions, the development of IT systems is also one of the organisation’s major areas of
investment. The potential sources of a new IT application are many and varied. A number of
factors, such as cost, time constraints and availability of a skilled resource, will determine which
source is the most appropriate for a particular organisation.


Options include:

• a bespoke development by an in-house IT team

• a package solution from a software house

• a bespoke development by a software house

• joint bespoke development (partnership) by a software house and the in-house IT team

• end-user development

Computer audit activity within systems under development is focused on two main areas:

• the manner in which a new IT application is developed

• the adequacy of security and control within an IT application



3.2 Development Of New IT Applications

It is important to ensure that new IT applications are developed in a controlled manner so
that they perform only those functions that the user requires and that adequate security and
control is included.





The manner in which a new IT system is developed is generally considered under two main
headings:


• project management


• the systems development life cycle


3.2.1 Project Management

Project Management is concerned with delivering a solution on time, within budget and to the
appropriate level of quality. Project management as an activity is not confined to IT and many of
the basic principles have been developed in other industries, notably the construction industry.


The basic principles of good project management are:

• clearly defined management responsibility

• clear objectives and scope

• effective planning and control

• clear lines of accountability


There are a variety of project management methodologies in existence, such as PRINCE (Project
in Controlled Environment), which in turn may be supported by an ever increasing range of
project management tools, such as Project Manager Workbench (PMW) and MS-Project. The
precise requirements of project management methodologies vary and frequently methodologies
may be customised to meet the specific needs of an organisation.

In spite of the widespread availability of such methodologies and tools, research has shown that
the majority of IT projects are not implemented on time, within budget or to the appropriate level
of quality.

Typical components in a project management methodology include:


Organisation

This is to ensure that senior management are committed to the project and to enable issues to be
resolved promptly. A standard framework for the direction and management of a project should
be established, which generally involves committees such as a Steering Committee and the
appointment of specific personnel such as a Project Manager or Project Sponsor.




Planning

This is to ensure that work activities are addressed at an appropriate level of detail, that resource
requirements are identified and that risks are properly evaluated. Comprehensive planning is the
key to successful project management and forms the basis of subsequent project control.
Typically, a project will be broken down into a number of sub-projects, each with a number of
specific stages.


Control

This is to ensure that potential problems can be identified and that the ongoing viability of the
project can be continuously monitored.

Project control generally consists of financial controls such as budgets and time controls such as
milestones, which enable the status of a project to be measured. Frequently, a regime of more
subjective controls will also be established, such as internal and quality assurance reviews,
supported where necessary by external reviews undertaken by specialist consultancy


Computer Audit Involvement in Project Management

The computer auditor should be involved in the audit of project management. The purpose of this
involvement is to provide an objective view to project management and an independent appraisal
to accountable senior management, that an adequate system of project management is in place.
Key areas of audit interest are to assess whether:

• an effective project team has been set up to ensure that responsibilities are clearly
defined, that senior management are involved and that issues can be raised

• comprehensive and sufficiently detailed plans have been prepared together with an
assessment of the extent to which they are achievable and whether they cover all areas

• effective mechanisms have been established to continuously monitor project progress in
order to obtain an assurance that senior management is provided with timely information so
that variances from the plans can be investigated and the appropriate action taken


3.2.2 Systems Development Life Cycle

The systems development life cycle is concerned with the formal development of an IT
application and aims to ensure that a new IT solution is:




• developed in a controlled manner

• adequately documented

• maintainable in the future

• developed efficiently and securely

• meets the user’s requirements


IT applications have traditionally been developed in a mainframe computer environment, in a
low level programming language such as Assembler, or a high level programming language such
as COBOL, by specialised programmers working to a design produced by systems analysts.
Package solutions are also used extensively for common applications such as payroll.

As with project management, a variety of methodologies have been developed to assist in this
process, the most widely known of which is probably SSADM (Structured Systems Analysis and
Design Methodology).

The precise definition of stages in a systems development life cycle will vary according to the
development process and methodology being used.

In many ways the stages of a life cycle are consistent with the basic principles of TQM (Total
Quality Management). Typical stages are:


Project Initiation/Feasibility Study

The purpose of this phase is to progress an initial idea to a stage where a project can be
formally defined. Once defined, the feasibility of this proposal and the cost benefit can be
determined.


Analysis And User Requirements

The aims of this phase are to confirm the project objectives and scope, to identify and classify the
required data and to identify and prioritise business requirements.


Design

The aim of this phase is to complete a logical and detailed technical design of the system which
meets the user’s requirements.




Build

This involves programming and testing the system. Testing will consist of a number of
components, such as unit testing, link testing, systems testing and user acceptance testing.


Implementation

The aims of this stage are to plan and co-ordinate all the activities needed to ensure that the new
(or amended) system can be successfully moved into production in a manner which will maximise
the delivery of benefits while keeping disruption to a minimum.


Post Implementation Review

The aim of this stage is to review the development to determine any lessons for the future. In
practice, this stage is all too frequently ignored.

Increasingly, IT applications are being developed by alternative processes. IT applications, for
example, are being developed by end users, whether relatively simple spreadsheets which generate
key MIS for strategic decision making or more complex developments in languages such as
MS-Access and FoxPro. Even within the more formal and structured IT development areas there is a
move towards modern methods of developing IT applications.


These include:

• CASE (Computer Aided Software Engineering) - this is a working environment consisting
of programs and other developmental tools that help managers, systems analysts,
programmers and users to automate the design and implementation of programs and
procedures. Common CASE tools include IEF, from Texas Instruments, and Foundation,
from Andersen Consulting

• Object Orientation - a program is viewed as a collection of discrete objects that are self
contained collections of data structures and routines that interact with other objects. C++ is an
object orientated version of the C programming language

• Prototyping - here systems are developed on-screen interactively with the user,
typically in a fourth generation language (4GL). Several iterations may be produced
until an acceptable product is achieved. From this, a full production system can be
developed






• Rapid Application Development (RAD) - unlike prototyping which is a
development technique to create a throwaway version of a product, RAD is an end to
end development life cycle. It is based upon the premise that 80% of the solution can
be achieved in 20% of the time it would take to develop 100% of the solution. The
most widely known RAD methodology is DSDM (Dynamic Systems Development
Method)


A key impact of these newer approaches is that traditional development
documentation may not be available. A more interactive and ongoing involvement
may be necessary although this in turn may create issues of resourcing and
scheduling.



AUDIT INVOLVEMENT IN THE SYSTEMS DEVELOPMENT LIFE CYCLE

Early involvement in the audit of systems under development is essential. The
purpose of this involvement is to provide an assurance to project management, user
management and accountable senior management of the organisation that the
application has been developed in a secure and controlled manner. Some types of
development may cause greater concern than others, such as end-user developments
where the users are not skilled in the disciplines of developing IT systems.

The primary area of audit focus should be the design phase where an assurance and
advice on the adequacy of proposed controls can be provided.


A strong presence in the testing phase is also recommended to ensure that the proposed controls
are robust and workable. The computer auditor should seek an assurance that:

• user requirements have been fully understood and confirmed

• the IT system, and any associated manual processes, meet those requirements

• the development approach and methodology are appropriate for that development and
provide for a thorough consideration of risks and the inclusion of controls



• adequate documentation is available which explains the workings of the system

The computer auditor may also undertake limited compliance testing to ensure that deliverables are
produced in accordance with the approved methodology.

3.3 IT Application Controls

Within an IT application it is important to ensure that satisfactory levels of security
and control are implemented to meet identified risks. Application controls generally
fall under two main headings:

• application specific controls

• general IT infrastructure controls


3.3.1 Application Specific Controls

This is concerned with controls within the IT application and consists of the following:


Input Control

Input controls will be necessary to ensure that all data entered is authorised, complete, accurate
and entered only once. Typically, a combination of manual and automated controls will be
required to achieve this. These include validation checks, range checks and segregation. The
system should also provide a suitable mechanism that records sensitive or critical activities by
individual users and enables the production of evidence of processing.


Processing Controls

Processing controls will be necessary to ensure that transactions are processed completely,
accurately and in a timely fashion. A variety of controls will be used to achieve this, for example,
reconciling input control totals with subsequent output, validating the integrity and
reasonableness of automatically generated transactions and generating calculations automatically
from the appropriate authorised standing data.


Output Controls

Output controls will be necessary to ensure the completeness, accuracy and availability of
application output, whether it be in a paper form, or as electronic data. On printed output,
controls such as sequence numbers and page numbers will be used to ensure completeness.





Procedures

Procedures should be prepared which contain adequate management and supervisory controls
and checks. In some instances, separate user guides may be prepared for the application,
although usually they will be incorporated in a departmental procedures manual.
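The input and processing controls described above can be sketched in code as follows. This is an added example, not part of the original notes; the record fields, amount limits, user names and sample batch are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
MIN_AMOUNT, MAX_AMOUNT = Decimal("0.01"), Decimal("10000.00")  # assumed limits

@dataclass(frozen=True)
class Txn:
    ref: str            # document reference, must be unique in the batch
    amount: Decimal
    entered_by: str
    authorised_by: str

def check_input(batch, declared_count, declared_total):
    """Input controls. Returns (accepted, rejected_with_reasons, batch_errors)."""
    accepted, rejected, seen = [], [], set()
    for t in batch:
        reasons = []
        if not t.ref.strip():
            reasons.append("validation: missing reference")
        if not MIN_AMOUNT <= t.amount <= MAX_AMOUNT:
            reasons.append("range: amount outside limits")
        if not t.authorised_by:
            reasons.append("authorisation: missing authoriser")
        elif t.authorised_by == t.entered_by:
            reasons.append("segregation: entered and authorised by same user")
        if t.ref in seen:
            reasons.append("duplicate: reference already entered")
        seen.add(t.ref)
        if reasons:
            rejected.append((t, reasons))
        else:
            accepted.append(t)
    batch_errors = []
    if len(batch) != declared_count:
        batch_errors.append("completeness: count differs from batch header")
    if sum(t.amount for t in batch) != declared_total:
        batch_errors.append("accuracy: value differs from batch control total")
    return accepted, rejected, batch_errors

def reconcile(accepted, posted_total):
    """Processing control: accepted input total must equal the posted output total."""
    return sum(t.amount for t in accepted) == posted_total

SAMPLE = [  # constructed sample batch
    Txn("INV-001", Decimal("250.00"), "alice", "bob"),
    Txn("INV-002", Decimal("99999.00"), "alice", "bob"),  # fails range check
    Txn("INV-003", Decimal("75.50"), "carol", "carol"),   # fails segregation
    Txn("INV-001", Decimal("250.00"), "alice", "bob"),    # entered twice
    Txn("INV-004", Decimal("120.00"), "carol", "bob"),
]
```

An auditor reviewing such a design would look for each rejection reason to be recorded against the individual user, giving the evidence of processing that the input control text calls for.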



COMPUTER AUDIT INVOLVEMENT IN APPLICATION SPECIFIC CONTROLS

Early involvement in the development of a new IT application is essential if the computer auditor
is to add value to the process and to safeguard the organisation’s interests. It is obviously easier
and cheaper to incorporate improved security and control features at the design stage of a new
system rather than when it has gone live. Research suggests that it only costs 50p to implement a
recommendation at the design phase, but £1500 when it has gone live.

In practice, the actual cost can be far higher as the system may not get the necessary priority and
resource, and even if it does, the organisation runs the risk of the exposure until the weakness can
be corrected.