Auditing through the computer and auditing around the computer are two phrases that are often misunderstood by many people. The increased reliance on computers and computer applications for business processes created the need for auditing to be done in a computerized environment. In fact, auditing is gradually becoming synonymous with IT auditing. This has no doubt increased the need for auditors to carry out an IT Audit Risk Assessment. In this article, I will explain what the two phrases mean, pointing out the reasons why one should be used in favour of the other.
AUDITING THROUGH THE COMPUTER
Auditing through the computer describes the various steps taken by auditors to evaluate a client’s software and hardware, to determine the reliability of operations that are hard for the human eye to see, and to test the operating effectiveness of related computer controls, e.g., access control.
Auditing through the computer is common in practice today, as many companies and businesses make use of computerized information systems, and these in turn have significant controls embedded in them. Ignoring these computer controls leaves auditors without the required insight into the effectiveness and reasonableness of the client’s internal control, and they will not be reporting in compliance with the relevant laws and regulations that govern auditing as a profession.
Although external auditors most times use this technique to test the controls in simple applications, internal auditors more frequently use the auditing through the computer technique to ensure that errors that may not be easily detected from the output are discovered and corrected.
AUDITING AROUND THE COMPUTER
Auditing around the computer is one of the several methods that auditors can use to evaluate a client’s computer controls. It involves picking source documents at random and verifying the corresponding outputs against the inputs. The client’s computerized information system processes the ‘test transaction’. For example, the auditor multiplies the unit price by the number of products sold to ensure that the total revenue figure is correct.
No attempt is made to establish and evaluate the existence of controls. Auditing around the computer is appropriate in situations where significant computer controls are not required. For example, auditing around the computer can be used when computers are only used for calculation purposes.
Nothing is technically wrong with auditing around the computer if the auditor is satisfied with the control system in place and is able to gather sufficient evidence in this regard. However, in order to meet the requirement of gaining a sufficient understanding of a system (internal control), auditing through the computer will be the best bet for auditors to follow. Again, AS 5 (Auditing Standard) did not permit auditors to issue opinions on the operating effectiveness of the internal control of a business if the auditing around the computer approach is used.
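The difference between the two approaches can be shown with a small Python sketch, added here as an illustration and not taken from any audit tool or client system. The invoice functions, the 10% discount approval policy and the sample documents are all constructed assumptions: recomputing sampled documents finds no exception, while test transactions expose the unenforced approval control.

```python
import random

MAX_DISCOUNT = 0.10  # assumed policy: larger discounts need manager approval

def process_invoice(unit_price, quantity, discount=0.0, approved_by=None):
    """Constructed client system: arithmetic is right, approval is never checked."""
    return round(unit_price * quantity * (1 - discount), 2)

def process_invoice_controlled(unit_price, quantity, discount=0.0, approved_by=None):
    """Same calculation with the approval control enforced."""
    if discount > MAX_DISCOUNT and not approved_by:
        raise ValueError("discount above limit requires approval")
    return process_invoice(unit_price, quantity, discount)

def audit_around(source_docs, sample_size, seed=1):
    """Sample source documents, recompute each total, compare with system output."""
    sample = random.Random(seed).sample(source_docs, sample_size)
    return [d["id"] for d in sample
            if round(d["unit_price"] * d["quantity"] * (1 - d["discount"]), 2)
            != d["system_total"]]

def audit_through(system):
    """Run test transactions through the system; report where the control misbehaves."""
    base = dict(unit_price=10.0, quantity=5)
    cases = [  # (name, input, should the control reject it?)
        ("small discount", dict(base, discount=0.05), False),
        ("large discount, approved", dict(base, discount=0.50, approved_by="mgr01"), False),
        ("large discount, unapproved", dict(base, discount=0.50), True),
    ]
    findings = []
    for name, txn, should_reject in cases:
        rejected = False
        try:
            system(**txn)
        except ValueError:
            rejected = True
        if rejected != should_reject:
            findings.append(name)
    return findings

def build_source_docs():
    """Constructed documents; totals come from the flawed system, INV-3 is unapproved."""
    rows = [(10.0, 5, 0.0), (4.5, 20, 0.05), (99.0, 2, 0.50), (7.25, 8, 0.10)]
    return [{"id": f"INV-{i}", "unit_price": p, "quantity": q, "discount": d,
             "system_total": process_invoice(p, q, d)}
            for i, (p, q, d) in enumerate(rows, 1)]

if __name__ == "__main__":
    docs = build_source_docs()
    print(audit_around(docs, len(docs)), audit_through(process_invoice))
```

Every sampled total recomputes correctly, including the unapproved 50% discount on INV-3, so the around-the-computer check reports nothing; only the test transactions show that the control does not operate.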
To reduce their liability, auditors should assess control risk in a computerized system and, if appropriate, should evaluate the design and operating effectiveness of related controls. To ensure that the client’s management operates according to the generally accepted auditing standards (GAAS) and SOA (Sarbanes-Oxley Act of 2002), which require it to establish and maintain an operational and functional internal control, auditors should employ auditing through the computer and not auditing around the computer.