Computerised Auditing-Methods and Practice

Contributed by the Board of Audit, Japan

1.    Introduction

Governmental agencies have been introducing computers in various operations in recent years for the purpose of swift processing of increasing amount of operations as well as their adequate control. Even in the very limited fields directly related to accounting matters alone, many computers have been used in tax collection, financing operation, insurance operation, pension opera­tion, inventory control, construction cost estimation among others.

With the introduction of computers, conventional accounting systems and methods using papers, pens and abacuses have undergone drastic changes, therefore exerting a great impact on internal control and audit trails in following audit procedures. That is, auditors can no longer depend on visible records but check the existence of adequate internal control system which ensures accu­racy of operations; the number of records which can be read only when processed by computers is increasing while intermediary and legible records which existed in conventional manual accounting processes are decreas­ing in number; also there are many cases in which audit trails are not available. Therefore, audit procedures had to be revised to cope with these problems.

The Board of Audit of Japan has been using computers in conducting audit for the purpose of swift and accurate processing of massive amount of data as well as drawing logical judgment, in an attempt to deal with computerized accounting systems.

The following are methods and practices of computer­ized auditing so far employed by the Board of Audit.

2.    Procedures for computerized auditing

(i)    Preparation for computer processing

After an organisation to be audited by using com­puters is selected, the content of its operations as well as documents on computerized systems are to be examined.

The following are kinds of data to be obtained for examination

  1. Types of computers in use as well as how they have been introduced,
  2. types and contents of programs,
  3. types, contents and formats of data files,
  4. types, contents and formats of output,
  5. procedure manuals describing operations (operation manuals and others),
  6. organisational chart and staffing table of the computer department (manager, SE, programmer, operator, key punch operator and others), and
  7. information on data in general (period of storing data, number of cases, recording modes and others).

After examining these documents, the Board will decide if computerized processing can be applied for specific items to be audited. If it is confirmed possi­ble, the Board will determine to what extent it can be applied.

(ii)    Preparation of a check list

Based on the examination described in (i), lists of items to be inspected (check list) are prepared. Lists may be prepared by picking out adequate items from existing general inspection manuals or by studying operation manuals of the organization under audit and deciding on items to be checked. Check lists are usually prepared by combination of these two methods.

These check lists are classified into some groups and placed in the order of priority in order to facili­tate preparation of audit programs.

(iii)    Data processing

There are some preparatory works to be done prior to actual processing by computer. External works include acquisition of data files to be processed, rental of computers and employment of SE and other supporting staff. Internal works include study on processing schedule, assignment of per­sonnel, designing of input and output data formats, system designing as well as preparation of block diagrams and others, coding, card punching and debugging. These works may be completed one after another, or be carried out simultaneously. In order to well manage the progress of these works, a time schedule should be prepared beforehand to make sure that each work is completed as has been planned.

Reports on the result of computerized audit processing will be analyzed and studied. Then an additional step such as preparation of letters of inquiry may be taken to bring the audit finding into the annual audit report, if necessary.

3.    Audit methods

There are two ways to audit computerized accounting systems by using computers. First, the degree of internal control can be evaluated at the time of field audit by inputting test data to a computer or by detail examination of selected programs and reprocessing of selected data with them. Under computerized systems, however, important data are kept in magnetic files and others so that they can not be examined with the naked eye. The other method is therefore to process audit trails into print out sheets or any other form by using audit programs so that they can be identified at the time of inspection.

(i)    Test-data method

This method is to determine if the programmed accounting processing way of an organization under audit is adequate. It is designed to verify adequacy of programs by inputting to a computer both correct and incorrect test data which are pre­pared on the assumption that they are applicable to several types of transactions.

Whether or not the checking function is working can be examined through computerized processing by using the test data, the programs actually being used by the organization and magnetic tapes and other files. Or, outcome prepared by the computer can be compared with results manually processed by auditing officials beforehand. Since it has been acknowledged that errors are included in the test data, this method is effective in examining not only processing procedures of a system but also its error control function.

However, it has some problems as well as merits.

  1. Although detailed information on matters to be tested are necessary for preparing the test data, it is considerably difficult to thoroughly understand the organization's program documents.
  2. Since there is a danger of damaging files used for daily processing by the organization, their duplicates have to be prepared especially for auditing.
  3. there is no guarantee that programs actually tested are the ones used by the organization for daily processing.
  4. Test data can be applied for any program and any type of computer. In addition, result of processing is easy to understand so that a clear-cut conclusion can be drawn.

(ii)    Detailed examination of selected programs and reprocessing of selected data with these programs.

This method is designed to confirm consistency of computer processing as well as original data put into the system. An organization under audit is asked to submit all the documents on some programs concerning important operations. After examining them in detail, programs are put into operation for processing. Outcome is then com­pared with results previously obtained by the organization. This method is also used to evaluate the quality of internal control by adding to a pro­gram orders for producing data required for auditing.

This one is regarded as very effective in inspecting complex and advanced computer systems. However, it can not be implemented without cooperation of computer experts.

(iii)    Use of custom-designed programs

This is the audit method using the custom-designed programs aimed at specific audit purpose based on specific files and data. Since programming requires too much time and labour, it is not suitable for a single or a few times of use. Therefore, it is used to verify a confirmation letter on the monthly balance of certain accounts or to prepare docu­ments to be used for auditing financing-related matters.

(iv)    Use of general-purpose programs

This is the audit method using a program pack­age, i.e. a set of ready-made program modules (each having independent functions such as conversion of input records, selection of data, computation, printing, summarizing, extraction of samples, sorting, merging, inserting). Desired auditing outcome can be obtained when supplemen­tary information is put into each component program in the form of parameters and is pro­cessed by using some of them selected and combined according to necessity. In connection with auditing by the Board of Audit, this method has the following advantage over the custom-designed program method.

  1. The method can be used by anyone who has basic knowledge of computers.
  2. Less time is required to prepare general-purpose programs 'since there is hardly any need for block diagram, coding and debugging necessary for custom-designed programs.
  3. Because of the characteristics listed in a and b, there are limited chances of making errors in programming. Since fewer program steps are needed to be prepared, the method is less costly in terms of rental fees for computers and other expenses.
  4. Partial changes in programs often become necessary as auditing progresses. General purpose programs can fulfill these needs without much trouble.

Some audited organizations use general-purpose programs in their business operations. In such cases auditing can be conducted by combining some of them and programs designed to check items to be audited.

Advantages in using Computers for auditing are listed as follows.

  1. Once programs are prepared, a massive amount of data can be analyzed rapidly.
  2. Since items to be audited can be extracted under certain conditions, less time is required for auditing.
  3. Even if data are added or revised, they can be processed by changing programs.
  4. Since the same method can be repeated when the same items are audited a few years later, auditors can confirm changes made during the years.

By making use of these advantages of computer systems, auditors can cope with computerized accounting systems and at the same time they can expand the scope of audit, improve the quality of audit and reduce the amount of clerical works as well.

4.    Past audit operation

Here are some examples of examination of financial records on inventory control of parts, loan control and others conducted by the Board of Audit with general-purpose programs.

(1)    Verification of adequacy of credit reserve for bad debts provided in the Corporation Tax Law.

This is aimed at examining if the amount of credit reserve for bad debts approved by the Corporation Tax Law reflects the actual conditions of private enterprises. Field audits were conducted at 205 taxation offices. Based on corporation tax returns and other documents presented to the taxation offices, 15,502 questionnaires on the amount of credit reserve for bad debts, were filled out. They were processed by computers in accordance with a general-purpose program called NHELP. These questionnaires were used to make out "a list of loss from bad debts" showing the extent and amounts of them by the size of capital and by the type of industry, "a list of the amount of credit reserve for bad debts", "a histogram for loss from bad debts" among others. Analyses were made based on these lists and charts.

(2)    Identification of principal income eanrers in case of aggregation of income from assets in accordance with the Income Tax Law

Out of records (master files) on taxes paid and pro­cessed in fiscal 1971 at two regional taxation bureaus, 27,515 cases related to taxation on aggregation of incomes from assets were audited by using a general-purpose program called HELP.

The Income Tax law stipulates that in case members within same household have interest, dividend and real estate incomes, taxes are levied on the principal income earner by aggregation of income from these assets. The principal income earner is the one who has the largest amount of income calculated by deducting assets income from the total income individually. If a principal income earner is mischosen, the amount of taxes to be imposed will usually differ considerably.

When a taxation office receives a final income tax return, it makes out data to be inputted to a regional taxation bureau. The bureau then inputs data to a computer. In an attempt to find out errors, the bureau incor­porates various check items into programs in accordance with "the guideline for computerized operation on reported income taxes" issued by the National Tax Administration Agency.

However, check items stipulated in the guideline did not include an item to identify "a principal income earner in case of levying taxes on aggregation of income from assets". Therefore, the bureau failed to find errors in 194 cases (some 46,550,000 yen was failed to be collected and over assessment amount totaled some 27,440,000 yen).

(3)    Loans being extended to unqualified borrowers Auditors checked 200,000 loans extended by the Small

Business Finance Corporation in 1972 to see if any loans had been granted to unqualified borrowers. A general-purpose program, HELP, was used in the process.

The Corporation has been lending long-term funds to small and medium size businesses at interest lower than that levied by private financing institutions in an effort to assist their development. Although only small and medium size businesses are eligible to receive loans from the Corporation, applicants' eligibility had not been checked by computer programs.

Computer processing of master tapes on loan cases found that loans had been extended to unqualified bor­rowers in 79 cases. Although further examinations revealed that 63 errors had been made in recording data at the time of endorsement of applications etc., the Corporation had granted loans to unqualified borrowers in 16 cases.

As a result, the Corporation ordered advanced redemption to these 16 borrowers. The Corporation also inserted a subprogram into programs which were processing loan operations to check eligibility of an applicant.

(4)    Duplicate affiliation in small-scale enterprise mutual aid scheme

Auditors checked the operations of the Smaller Enterprise Mutual Aid Projects Corporation (now called the Smaller Enterprise Corporation), such as mutual aid premium collection (about 470.000 cases), payment of benefits in case of accidents, management of loans to its members (about 220,000 cases) as well as four other major items in 1976, using a general-purpose program called RPG.

Although those who have already made contracts with the Corporation are not allowed to conclude new con­tracts and the maximum monthly premium is set at 20 lots (10,000 yen) per contractor, inspection of violation revealed that there were 256 cases of duplicate affiliation. Further examination was conducted on 26 cases in which a single contractor had made duplicate contracts exceed­ing the maximum lots of 20. It was learned that persons of the same family and personal names had made contracts in 9 cases. The rest of these 26 cases, 17 persons in all, were found to have made duplicate contracts with the total of more than 20 lots each. The total number of lots in violation of the maximum permissible amount reached 156 lots.

In response to people's demand for raising the maximum monthly premium, the Corporation increased the amount to 30,000 yen per contractor in May, 1977. In addition, the Corporation launched P.R. activities prior to the revision, studied better screening systems and streamlined clerical procedures, in an attempt to prevent recurrence of similar incidents.

Besides the1 four examples mentioned above, the Board of Audit used general-purpose program's in audit­ing operations. Some major audits conducted between fiscal 1971 and 1978 classified by the type of operation are:

With regard to loan business, the Small Business Finance Corporation, the Central Bank for Commercial and Industrial Cooperative, the Export Bank of Japan, the National Finance Corporation, the Agriculture, Forestry and Fisheries Finance Corporation and the Housing Loan Corporation have been audited.

As for inventory control, the Japan Airlines, the Defence Agency and Japan Tabacco and Salt Public Corporation have been audited.

As for taxation and insurance transactions, the National Tax Administration Agency, the Ministry of International Trade and Industry, the Small Business Credit Insurance Corporation, the Social Insurance Agency and the Smaller Enterprises Mutual Aid Projects Corporation (now called the Smaller Enterprise Corpo­ration) have been audited.

In addition, rent collection by the Japan Housing Corporation and fixed assets accounting by the Central Bank for Commercial and Industrial Cooperative have been audited.

(5)    Computerized auditing in future

Audits so far carried out by the Board of Audit can be divided into those on the entire processes of specific operations (loans by the Small Business Finance Corporation) and those on analyses and computation of data of specific operations (verification of the adequacy of credit reserve for bad debts). Computers were introduced into auditing procedures only recently. Proper methods for audit and inspection have to be developed through trials and errors to meet the present need. Knowledge of oper­ations under audit as well as computers are necessary for effective auditing using computers. It should be kept in mind that data are not interchangeable if computers used by organizations under audit are products of different manufacturers. Furthermore, computerized auditing can not be carried out without cooperation by organizations under audit. It is hoped that they will establish a systematic custody method for keeping documents on computer systems as well as files necessary for audit in order. Auditing institutions, on the other hand, have to be careful about keeping the secret. Cautions should be taken not to let data kept by organizations under audit be leaked out.

In future audits using computers, it will be important to make clear what should be focused and what should be done on them. Computerized auditing methods should be developed to suit the nature of data processing by computers which is based on strictly logical operations. Considerations should be also given to characteristics of computers, possible irregularities by use of computerized systems, ideal internal controls in computerized systems and roles of computerized audit. Taking into considerations all these factors, it should be made clear what kind of auditing technology is necessary and effec­tive in achieving the purpose of audit. It will be also necessary to improve or establish systems and procedures of computerized auditing, and questionnaires on internal control.