=Paper=
{{Paper
|id=Vol-2104/paper_181
|storemode=property
|title=Auditing of the Software of Computer Accounting System
|pdfUrl=https://ceur-ws.org/Vol-2104/paper_181.pdf
|volume=Vol-2104
|authors=Oksana Adamyk,Bogdan Adamyk,Nadiya Khorunzhak
|dblpUrl=https://dblp.org/rec/conf/icteri/AdamykAK18
}}
==Auditing of the Software of Computer Accounting System==
https://ceur-ws.org/Vol-2104/paper_181.pdf
Auditing of the Software of Computer Accounting
System
Oksana Adamyk1[0000-0002-2026-4412], Bogdan Adamyk1[0000-0001-5136-3854], Nadiya
Khorunzhak1[0000-0001-7434-5456]
1
Ternopil National Economic University, 11, Lvivska str., Ternopil, Ukraine
oksanafoa@gmail.com, bogdan_fbb@ukr.net, n.khorunzhak@ukr.net
Abstract. The article is aimed at determining the order and methodology of
auditing the software of the computer accounting system (CAS). It has been
found that software auditing should be performed separately for each of its
components. The components of the functional part of the CAS software are the
database management system (DBMS) and the application software supporting
the accountance automation. For auditing of the first component part are used
such techniques as general evaluation, subject check of the embedded
algorithms of information processing. Auditing the client software algorithms is
carried out by means of the control data method, which is reduced to such
procedures as creation of another database of test data with imaginary objects
and its processing by the client program, as well as introduction in a copy of the
real database of imaginary objects (employees, creditors, material values) and
the formation of reporting. Not only the current methods of calculation or
evaluation of accounting objects, but all of the software, are subject to
mandatory verification. This will avoid errors if the enterprise accounting
policy changes.
Keywords: computer accountance system, auditing, functional component,
DBMS, software algorithms, test data, imaginary data.
1 Introduction
Modern accounting practice is focused on automated data processing. The use in
business of information technology and computer networks in the process of
collecting and generalizing of information have changed environment for both
accounting and auditing. Under these conditions, instructional techniques of audit are
changed. Information technology allows processing of large data amounts, making the
methodological basis of audit more complete and relevant to modern business
requirements.
Many reputable authors such as [9] believe that the basic components of a modern
digital computer are: Input Device, Output Device and Central Processor. It is a
system in which accountants enter financial data into spreadsheets and other
accounting software, and then mathematical algorithms compute the information into
the necessary ledgers and financial statements [10].
� In our opinion, computer information technologies become the auditor's tool and at
the same time the subject of its inspection. It requires the expansion of the methodical
tools of the controller. All components of the computer accounting system are subject
to the audit, namely:
- information as an object and a product of audit;
- technical support - computing, telecommunication and other technical means;
- software in which accounting methods are implemented;
- a specialist who implements the information process and owns accounting
methods but also special knowledge and software skills.
Other authors have the same opinion “Audit function include under the accounting
information systems of electronic checking all the components of an electronic
information system: Workers, the hardware, software and the database These
components are integrated with each other in order to achieve the objectives of
review” [1]. Each of these components has the reliability risks of financial reporting
and has its own verification methods.
Author [10] determines such main five steps of the audit process for a
computerized accounting system:
1) conducting the initial review (planning the audit);
2) reviewing and assessing internal controls;
3) compliance testing (testing the internal controls);
4) substantive testing (testing the detailed data);
5) and reporting (conclusions and findings).
However, the author [10] does not include to the audit steps the inspection of such
component of computer accounting system as application software. This is important
part of information process because it is here that the algorithms of data processing
are laid out. Therefore, mistake made here is multiplied exponentially. Furthermore,
in tests often overlooked such as part of software as databases, namely, it is the basis
for controlling access to data, limiting user functions and journaling their actions.
Other authors [1] determine such procedures of Software control as: “1)
Verification procedures for the accreditation of programs. 2) Verification tests of
aggregates for regulatory programs itself. 3) Sudden review procedure programs
during the time of use. Control over the database: it must ensure the protection of
databases in the enterprise and for the following reasons: 1) To contain a huge amount
of data. 2) To contain basic data and confidentiality of the facility. 3) Databases are
one of the assets of the facility.”
At the same time, the authors do not provide characteristics for these procedures of
Software control. In addition, the authors point to the importance, but do not define
the methods of checking the DBMS, which is also part of the application software
hidden from the accountant.
The purpose of the article is to determine the procedure and methodology for
auditing the software of the computer accounting system (CAS), in particular its
supporting and functional components (namely accounting software and DBMS).
Methodology of the Study. It is a theoretical study relies on deductive approach
where we use deductive approach in the preparation of the theoretical framework for
the study and formulation of the problem and research hypotheses.
�2 Theoretical and Methodological Background
It is known, the auditing methodological background is set out in International
Standards on Auditing. They are recognized in Ukraine. The International Auditing
Standards (ISA) established the provisions and recommendations for implementation
of auditing in the computer environment in 2004, namely:
– International Standard on Auditing 401 “Auditing in Computer Information
Systems Environment”;
– IAPS 1001 “IT Environments – Stand-Alone Personal Computers”
– IAPS 1002 “IT Environments – On-Line Computer Systems”
– IAPS 1003 “IT Environments – Database Systems”
– IAPS 1009 “Computer-Assisted Audit Techniques”.
In January 2005, released a new edition of the International Standards on Auditing,
which marked a radical restructuring of their ideology on the use of information
technology - standards of auditing in IT Environments removed and all audit was
considered as a Computer Audit. The same trend has been extended in subsequent
editions of ISA.
It should be noted that the technology of accounting, and therefore the audit is
conducive to their computerization. In particular, the preconditions for the creation
and use of auditing automation systems are:
- the possibility of formalizing accounting transactions (the ability to prescribe
accounting transactions in the mathematical formula). For accounting is typical using
of a variety of simple arithmetic operations, regulated rules of information processing
(mathematical formulas, actions with tables, double entry, list the typical accounting
activities, etc.) significant amounts of data. Formula can be prescribed calculation of
turnover, balance of synthetic accounts, proper payments to the budget and
extrabudgetary funds, indicators of financial and economic activity;
- creating and using of arrays of normative reference information;
- business activity in general and its types are subject of state regulation. In
particular, the work of hired workers and their payment, social insurance of
employees, the quality of manufactured goods, the amount of taxation, etc. are
normalized. All these norms of state regulation, as a rule, are put into directories of
the information system;
- standarding of audit. Audit is characterized by clear rules for its
implementation and documentation. It is advisable to automate the compilation and
editing of audit documents such as a consent letter for audit, agreement for audit, the
auditor's report, required set of worksheets, tests, etc.
- high level of development of computer technology, computing power,
communication technologies. The current level of development of technical support
allows to automate most of the audit procedures, but also provides the possibility of a
virtual presence of the auditor in verifying the geographically distant objects. The use
of "cloud computing" creates preconditions for remote access to enterprise
documents;
- high level of development of mathematical methods of economic analysis,
used to assess the financial and economic enterprise activity. The software contains
complex methods not only for the current or retrospective analysis, but also forecast.
It is a powerful tool for an auditor, an economist and a top manager for the evaluation
�of the effectiveness of managerial decisions, probability of bankruptcy, solvency
restoring. Most of the analysis tasks have a mathematical basis and therefore they can
be automated.
Automation of audit procedures provides a number of advantages. It decreases the
volume of work along with an increase in the accuracy of the verification. It is
advisable to use entire audit method that reduces audit risk.
The use of global networks, cloud computing tools makes it possible to make audit
in geographically distant access to the database. It increases the availability of audit
services, decreases its cost, allows clients to engage audit firms with the better
reputation (for example, from other regions of the country or from abroad).
This sudden change in the development of various organizations led to the change
in the nature of audit evidence generated by each financial transaction [9]. Along with
this, the requirements for the qualification of the auditor are increased. Required
condition is not only an understanding of data processing algorithms in the client's
accounting software, but also understanding of audit automation programs. The
auditor should be aware of the novelties of the application software market
(accounting and auditing) and general purpose. The auditor is therefore required to
possess reasonable knowledge of various hardware and software used in the
organization in order to audit a computerized accounting system. The last few years
have been an exciting time in the world of IT auditing as a result of the accounting
scandals and increased regulations [9].
To solve the managing tasks, the components of the software are divided into:
functional and non-functional subsystems (fig. 1).
3 Audit of Non-Functional Software of Enterprise
The non-functional component of the information system completely determines the
characteristics of the overall information system because it reflects its system-
technical, structural side and it is intended for the implementation of the functional
part of information system. It is not related to solving the of the tasks of the subject
area, but creates an "environment" for the acting of functional software. Its task is to
promote the effective functioning of the overall system and its components
particulary. It should be noted that the non-functional component of the information
system is not an end in itself, it is intended for the rational organizing and operating of
the functional component. However, the successful operation of the latter is
impossible without the components of the first one.
The non-functional component of the information system include informational,
technical, mathematical, program, linguistic, organizational, technological, legal and
methodological support. They perform an supporting function in the computer
accounting systems. These include, in particular, operating systems, antivirus
software, text editors, spreadsheet editor, font editor, etc.
The coordinated activity of the functional component of the enterprise information
system is impossible without proper organization of its Non-Functional subsystem.
The discrepancy of the selected functional software to the basic characteristics of the
Non-Functional subsystem will not allow successful implementation of the tasks of
the application area.
� Computerized Accounting System
Software
Non-Functional Software Functional Software
– Operating system;
– antivirus software;
– archive software;
DBMS Accounting Software
– web-browser;
– File Manager
– Etc.
The Audit Procedures
Audit of: Audit of: Overall estimating: Checking the algorithms
– the availability of programs – Backing up the machine – the type of software; processing by control data:
and licenses to them; database; – completing of data processing; – the creation of test database
– type of operating system and – distribution of powers of – availability of rights to a software; with imaginary objects and its
its relevance with functional database users; – the availability and method of processing by the client
software; – limit user access; service; program;
– frequency and completeness of – presence of unauthorized – the regularity of updating versions of – introduction to a copy of the
updating antivirus databases; transactions in the system; the software, its individual modules, real database of imaginary
– programs running in the – access rights for developers reporting forms and documents objects (employees, creditors,
background and in startup, etc. and IT professionals to the – the availability of successful industry stocks) and reporting
system solutions
Fig. 1. Computer-Assisted Audit Techniques for Client Accounting Software checking
� Application software can be divided into two groups. The first is a necessary
component for the operation of functional subsystems, such as operating systems,
antivirus programs, etc. Others allow a specialist to perform their functions more
effectively (for example, browsers, text editors, spreadsheet editors, graphic image
viewer programs, graphic text recognition, etc.). To check the work of general-
purpose programs, the auditor performs the following procedures:
– Verification of the availability of general-purpose software (operating
systems, antivirus, archivers, browser browsers, mailboxes, etc.) and their licenses,
technical documentation;
– checking the availability of software service contracts;
– checking of the type of operating system, chronology of its changes and the
possibility of use with selected software applications;
– checking the availability of antivirus programs, their licenses, periodicity of
updates and the relevance of databases;
– Investigating programs, which are running in the background and in autorun,
and so on.
It is advisable to provide protection against the establishment of unauthorized
programs because of the possibility of conflicts with the running enterprise software,
the probable presence of viruses and spyware. Effective will be measures not only
prohibitions, but also the impossibility of such installation workers in the workplace.
4. The Audit of Company’s Software and its Functional
Subsystems
The functional part of the information system of the company is designed for solving
tasks in special area, namely in accounting. Such part is a model of the company’s
management system and mirrors an organizational structure of the company and its
business. Here, there are hidden algorithms of information processing, therefore, a
mistake done in the formalization of business-processes, precisely in software’s
algorithms that process accounting information, could be multiplied in geometric
progression. This can lead to the substantial distortion of financial accounting and
reporting within the company. Due to this problem, an auditor pays more attention to
functional issue that is designed for solving the applied tasks in special subject area.
The computational tasks are distributed among such key parts of the automatized
system of accounting as database management system (DBMS) and applied software
in order to automatize managerial and financial accounting. These systems have
different functions:
- DBMS performs the function of control to an access to the data from the side of
users, the data accumulation, the organization and saving of data, and, finally, the
search and providing of data in convenient format to the user;
- applied software and applications perform the function of request by the users
along with needed calculations and computations. Here there are algorithms of
accounting information processing, as well as computation of accounting registries
and reports.
�4.1. The Audit of Database Management System
Data base management systems have the main purpose to provide and secure data.
The developers of DBMS include various tools in such systems to ensure the
consistency and integrity of the data. The classical approach to the software protection
of the databases is to use the instruments of DBMS and includes in itself the
following procedures:
- the separation of access to the data – each individual user, including also an
administrator, have an access to the needed information in accordance with the
position within the company;
- the protection of access – a user may get an access to the data only via the
procedure of authentication and identification. For this goal, single or various levels
of protection can be used. For example, as a rule, for the authentication, the name of
the user is being used. But for the identification of this same user an additional
information may be needed, e.g. a password. The additional technical gadgets or
instruments may be also used. For example, personal cards with microchips or
magnetic tapes, encoded locks to the access in various premises or rooms, and others;
- data encryption – data must be encrypted: both those data that are being
transmitted (the protection from the interception) and those data that are being
recorded from the lost or theft of data storage e.g. hard disk or flashcard along with
unauthorized review/changes with a help of non DBMS tools.
All above mentioned organizational limitations and restrictions to ensure the
protection of computer system of the company must be clear written out in regulatory
documents and procedures in accordance with the official instructions and are also
subject of the audit of the company.
An auditor has the following purposes:
- auditing of the availability of separation of authorities and power among the
users of DBMS. The auditor analyzes the rights and authorizations of the users, the
misuse of these rights along with the availability of the systemic approach towards the
separation of power among company’s personnel with an access to databases. It is
relevant to work out a matrix of the separation of authorizations to support the
minimal principles of the access’ rights;
- auditing of the access’ restriction from the side of all users of the system
with a help of the authorized access into the database system. All actions by the users
must to be protocolled. The personnel of the company are to be responsible for the
quality of the entered / changed data. The registration of changes in ledger allows us
to track the chronology of any actions;
- auditing of the availability of unauthorized operations within the system and
the determination of possible responsibility for entered changes into the database.
The auditor review and check it out the ledgers and protocols on the subject on
unauthorized access, hackers’ attacks and other hacking;
- auditing of the availability of reserved copies of the information from the
system of accounting database. The frequency of such actions has be defined by the
duration of the manufacturing processes at the company and should not exceed one
reporting period;
- analysis of the access’ rights into the system by the software (applications)
developers along with personnel of the information technologies department. As a
�rule, such personnel (workers) have an unlimited access to the accounting system as
well as unlimited rights within the system on the level on various modules applied in
automated by these modules processes. This increase a risk of an unauthorized change
in the data of an accounting system as a result of deliberate or unintentional actions of
such users. The problem is exacerbated by the fact that IT professionals are not
directly responsible for the changes and actions within the system. Moreover, IT
workers can enter such changers directly omitting a protocol ledger as well as an
interface of applied application. It is obvious that the analysis of the protocol ledger is
not enough to appropriately evaluate such threats. For these purposes, the audit of
changes in data on the level of databases has to be used with the help of IT
professionals and special tools.
The audit of the client’s DBMS demands special knowledge and skills in the area
information technologies; therefore, an expert is needed to perform such auditing.
4.2. Audit of client’s application software
Checking the application software intended for automation of financial and economic
activity of the client is carried out in two ways:
1) overall assessment,
2) substantive testing of embedded algorithms for processing information
Checking of application software begins with an assessment of its overall status.
The indicators for such an assessment are given in Table 1.
Table 1. Indicators of a general appraisal of application software designed to automate the
accounting of financial and economic activities of the client [11]
Indicators of estimating Characteristic of estimating
type of software product typical
specially ordered
completing of data processing management information system that automates all
areas of business management
only accounting is automated
some parts of the accounting are automated
some accounting areas are not automated
availability of rights to a used a licensed product
software counterfeit copy
availability and method of used a licensed product
service counterfeit copy
the regularity of updating Updated regularly
versions of the software, its Updated irregularly
individual modules, documents Not updated
the availability of successful The program is designed specifically for the
industry solutions industry in which the client operates
The program is adapted, customized for the client
The client uses several software products to
automate various processes
� The results of the overall evaluation of the software are reflected in the audit
documents. They become the basis for the formation of an audit opinion.
The auditor checks the information processing algorithms to verify the correctness
of the application software. This test allows to make conclusions about the reliability
of the outgoing information in general and the financial statements, in particular.
The auditor never performs the unbundling (disconnection to separate software
components) of the client's information system and does not interfere with the
algorithms of information processing
The last one is perceived as a "black box" where the data is evaluated at the
entrance to and exit from the system. Auditor estimates the correctness of data
transformation.
Checking the processing algorithms of client’s software is carried out using the
method of control data. Its using requires the implementation of such procedures:
1) the creation of test database with imaginary objects and its processing by the
client program;
2) Inputting to a copy of the real database of imaginary objects (employees,
creditors and stocks) and reporting.
Comparison of audit techniques of algorithms of client’s software using the test
data is given in Table 2.
Table 2. Audit Techniques of Algorithms of Client’s Software Using the control data methods
Indicator Test data method Method of imaginary
data
Checked Another database with imaginary Copy of client’s database
database data
Processing data imaginary data Real and imaginary data
Auditor’s Client’s Application software
Application
software for
inspection
Place of automated workplace of an accountant
auditing
Object of Inspecting mainly of synthetic imaginary data (and
inspection accounting only inspection too) can start
The starting point for the inspection from the moment of
is the logbook of business inputting of primary
transactions document
Labor intensity Can be made in the maximum The Labor intensity is
of inspection avtomatizated regime. The auditor higher because of handle
must have a prepared database (the inputting the imaginary
logbook of business transactions) data, its monitoring in
which is subject for inspection accounting and reports
Result of data Known to the auditor in advance
processing
We characterize the use of each of these options in detail.
� For audit of algorithms of application, software is used test data method. It is
implemented in the automated workplace of an accountant under imaginary data.
These test data meet the following requirements:
– It is imaginary data;
– Database is previously prepared by auditor;
– The starting point for the inspection is the logbook of business transactions,
therefore mainly only synthetic accounting and reporting are subject for inspection
– figures of financial reporting are previously known to auditor
– The content of the test data should reflect the features of the enterprise's
activities, organizational structure, form of the ownership, its sectoral affiliation
– part of the data auditor is deliberately make incorrect from the legal and
accounting point of view
– Test data can be used repeatedly for other similar entities
Test data inputted to the client’s computer accounting system and result figures
obtained after processing are compared with forecasted indicators. If control amount
is equal to fact figures that correctness of data processing is proved.
The advantages of this method of inspection is its low Labor intensity. However
using of test data has some disadvantages. For example, it doesn’t process primary
and analytical accounting.
Auditing of algorithms of application software they make by the method of
imaginary data. As in the previous case, they make this inspection on the automated
workplace of an accountant in the environment of his accounting software. Auditor
works with copy of real database where he input imaginary data (employers,
creditors, assets ect.).
Processing algorithms of synthetic accounting but also primary and analytical
accounting too is subject of inspection by method of imaginary data.
This inspection has punctate quality. Auditor inspects algorithms with high risk of
errors. As in the previous case, previously auditor know financial reporting figures.
For example, it is advisable to check the correctness of the algorithms relative to:
– methods for calculating of amortization of non-current assets;
– salary calculation with all possible allowances and surcharges, as well as
deductions from it;
– write-off for expenses of transport and procurement costs of the enterprise
– write-off the expenses of production for total costs of the enterprise
– methods for stocks assessing for outputting, etc.
It is advisable to check algorithms of calculation valid not only at the time of
inspection and also all of them which are introduced in the software product. This will
avoid mistakes in the case of changing the company's accounting policies.
The labor intensity of the imaginary data method is high because of the input of the
imaginary data. Its monitoring in accounting and reporting must be done manually,
too.
5 Conclusions
�Auditing of software of computer accounting system often is ignores, but it is the
important part of is inspection. This is where the programmatic algorithms for
information processing are laid down. Error occurred in the software algorithms for
the processing of accounting information multiplied exponentially and can
significantly distort the financial statements.
Our research has allowed us to systematize the consistency and the content of audit
procedures in carrying out auditing CAS software. Namely:
1. There are so subjects of auditing of components of application software:
– Non-functional software (operating system, antivirus software, archive software,
web-browser, File Manager, Etc.);
– Functional software, namely database management system and application
software (accounting software).
2. We have discovered that while conducting software auditing, such important
component of CAS as DBMS is ignored. Therefore, we proposed audit procedures for
inspection of this object:
- auditing of the availability of separation of authorities and power among the
users of DBMS;
- auditing of the access’ restriction from the side of all users of the system
with a help of the authorized access into the database system;
- auditing of the availability of unauthorized operations within the system and
the determination of possible responsibility for entered changes into the database;
- auditing of the availability of reserved copies of the information from the
system of accounting database;
- analysis of the access’ rights into the system by the software (applications)
developers along with personnel of the information technologies department.
3. For auditing of application software (accounting software) they use a general
assessment of it and checking algorithms for information processing. Checking of
application software begins with an assessment of its overall status. The indicators for
such an assessment are type of software product, completing of data processing,
availability of rights to a software, availability and method of service, the regularity of
updating versions of the software, its individual modules, reporting forms and
documents, the availability of successful industry solutions. The results of the overall
evaluation of the software are reflected in the audit documents. They become the
basis for the formation of an audit opinion.
5. A key element of auditing of the software of computer accounting system is the
audit of algorithms of information processing. For its implementation is used control
data methods which are divided into 1) Test data method and 2) Method of imaginary
data. The advantages of first one is low labor intensity of inspection. It can be made in
the maximum automatized mode. However, its disadvantages is non-processing
primary and analytical accounting.
Inspection by second method – method of imaginary data has punctate quality.
Auditor inspects algorithms with high risk of errors. The labor intensity of the
imaginary data method is high because of the input of the imaginary data. Its
monitoring in accounting and reporting must be done manually, too.
References
�1. Al-Jabali, M., Tawfeq, R.Z.: The Relationship between the Information Systems of
Accounting, Auditing, And How to Provide Reliable Information to Characterize the
Service Auditor. Global Journal of Commerce And Management Perspectives. G.J.C.M.P
3(2), 95-101 (2014).
2. Auditing in a computer-based environment. ACCA Study resources. Homepage. Available
at: http://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-
study-resources/p7/technical-articles/auditing-computer-environment.html, last accessed
20/04/2018.
3. Dododhov, A, Sabanov, A.: Providing personal data protection in the Oracle database. The
Art of Information Security Management. Available at: http://www.iso27000.ru/chitalnyi-
zai/zaschita-personalnyh-dannyh/obespechenie-zaschity-personalnyh-dannyh-v-subd-
oracle, last accessed 01/05/2018.
4. Golyash, I., Panasiuk, V., Sachenko, S.: The performance audit of a corporate website as a
tool for its internet marketing strategy. EUREKA: Social and Humanities 5, 57–66 (2017).
Available at: http://eu-jr.eu/social/article/view/419, last accessed 01/05/2018.
5. Handbook Of International Auditing, Assurance, And Ethics. Pronouncements Edition
Homepage. Available at: http://www.mas-
business.com/docs/2005_IAASB_HandBook.pdf, last accessed 01/05/2018.
6. Ivakhnenkov, S.: Computer audit: control techniques and technology. Znannia, Kyiv
(2005).
7. Jakšić, D.: Implementation of Computer Assisted Audit Techniques in Application
Controls Testing. Management Information Systems 1, 9-12 (2009).
8. Lendyuk, T., Sachenko, S., Rippa, S., Sopojnik, G.: Fuzzy rules for tests complexity
changing for individual learning path construction. Intelligent Data Acquisition and
Advanced Computing Systems: Technology and Applications (IDAACS) 2015 IEEE 8th
International Conference. Available at: http://ieeexplore.ieee.org/
abstract/document/7341443/, last accessed 01/05/2018.
9. Nelson, D.: How to Audit a Computerized Accounting System. Bizfluent. September 26.
(2017). Available at: https://.com/how-5939212-audit-computerized-accounting-
system.html, last accessed 01/05/2018.
10. Osamwonyi, O.: The Relevance Of Auditing In A Computerized Accounting System.
International Journal of Management and Applied Science 1 (11) 24-35 (2015).
11. Podolsky, V., Sherbakov, N., Komisarov, V.: Computer audit: practice allowance. Unity-
Dana, Moscow (2004).
�