Auditing Online Computer Systems

This document summarizes and reviews an exposure draft from the International Audit Practice Committee regarding auditing online computer systems. It discusses the exposure draft's definitions of online systems and terminal types. It also outlines the exposure draft's descriptions of different types of online systems and its coverage of internal control issues. However, the review criticizes the exposure draft for not adequately addressing more modern terminal types, risks from viruses and hacking, and auditing complex e-commerce environments and third-party online transactions.

Uploaded by

Monggi Loid

Vol. 3, July 15, 2000

Standards
Auditing Online Computer Systems
By John Yu, CDP, FCGA

As previously reported, in March 2000 the International Audit Practice Committee (IAPC) of IFAC
released an exposure draft on four topics which form a supplement to ISA (International Standard on
Auditing) 401 “Auditing in a Computer Information Systems Environment (CIS).” The four topics are:

• CIS Environments — Stand-Alone Microcomputers
• CIS Environments — On-Line Computer Systems
• CIS Environments — Database Systems
• Computer Assisted Audit Techniques

In a previous article, I reviewed the exposure draft on standalone microcomputers. In this article, I’ll
review the exposure draft on On-Line Computer Systems.

Online computer systems


The exposure draft defines online computer systems as computer systems “that enable users to access
data and programs directly through terminal devices…” This definition is broad enough to cover all
forms of online systems, including the traditional smart server/dumb terminal variety as well as the
client/server variety.

Contrary to the impression many people have, traditional dumb terminals still run a significant number of
the world’s CIS environments. These range from terminals used by travel agents and older generations of
point-of-sale (POS) terminals in many retail businesses, to terminals used at airline check-in counters
and those used to run most of the legacy systems in many corporations. The exposure draft
describes two classes of terminals:

• general purpose terminals such as basic keyboard/screen, intelligent terminals that
can perform a certain amount of data validation, and microcomputers
• special purpose terminals such as POS devices, automated teller machines, and
voice response systems such as those used in telebanking

While these two classes cover a number of terminals used in online systems, they fail to recognize many
more modern (and advanced) terminals. The following are some examples of devices used in online
systems not covered by the definitions in the exposure draft:

• biometric devices used for authentication (for a more detailed description of biometrics,
see “Application of Biometrics”)
• network computers such as Sun’s JavaStation
• Internet devices or e-appliances, such as personal digital assistants (PDAs), WebTV,
i-opener, various net-phones, and net-cars (for a more detailed description of
e-appliances, see “What auditors should know about e-appliances”)

All these devices operate in an online environment as “terminals.”


Types of online systems
The exposure draft suggests five types of online systems:

• online/real time
• online batch
• online memo update
• online inquiry
• online download/upload

Online/real time systems are the classic online systems where transactions update the master file
immediately.

Online batch systems are those with online data capture but batch updates.

Online memo update is defined as “On-line input with memo update processing, also known as shadow
update, combines on-line/real time processing with on-line batch processing. Individual transactions
immediately update a memo file containing information that has been extracted from the most recent
version of the master file. Inquiries are made from this memo file. These same transactions are added to
a transaction file for subsequent validation and updating of a master file on a batch mode.” According to
this description, the transactions only update a copy of the master file, without affecting the actual master
file. The master file is affected only when the transactions are posted later. For all intents and purposes,
this form of online system is really a batch system.
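
The memo update flow described above, modelled as an added example (not code from the exposure draft or this article); the class, the account numbers and the no-overdraft validation rule are assumptions. It shows an inquiry reporting a balance that the master file never accepts, which is why the memo file has to be reconciled against the master after each batch run.

```python
from dataclasses import dataclass, field

@dataclass
class MemoUpdateSystem:
    master: dict                                   # authoritative balances
    memo: dict = field(default_factory=dict)       # working copy used for inquiries
    txn_file: list = field(default_factory=list)   # transactions awaiting batch posting
    rejected: list = field(default_factory=list)   # transactions refused by the batch run

    def extract_memo(self):
        """Refresh the memo file from the most recent version of the master file."""
        self.memo = dict(self.master)

    def post_online(self, account, amount):
        """On-line input: update the memo file immediately and queue for batch."""
        self.memo[account] = self.memo.get(account, 0) + amount
        self.txn_file.append((account, amount))

    def inquire(self, account):
        """Inquiries are answered from the memo file, not from the master file."""
        return self.memo.get(account)

    def run_batch(self, is_valid):
        """Validate queued transactions and post the accepted ones to the master."""
        for account, amount in self.txn_file:
            if is_valid(self.master, account, amount):
                self.master[account] += amount
            else:
                self.rejected.append((account, amount))
        self.txn_file.clear()

    def reconcile(self):
        """Return accounts whose memo balance differs from the master balance."""
        keys = set(self.master) | set(self.memo)
        return {k: (self.memo.get(k), self.master.get(k))
                for k in sorted(keys) if self.memo.get(k) != self.master.get(k)}

def no_overdraft(master, account, amount):
    # Hypothetical validation rule: the account must exist and stay non-negative.
    return account in master and master[account] + amount >= 0

def demo():
    s = MemoUpdateSystem(master={"A100": 500, "A200": 50})  # constructed sample data
    s.extract_memo()
    s.post_online("A100", -200)
    s.post_online("A200", -80)      # accepted on-line, fails batch validation
    before = (s.inquire("A200"), s.master["A200"])
    s.run_batch(no_overdraft)
    return before, s.reconcile(), s.rejected
```
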

Online inquiry systems restrict the user to performing queries only.

By the description in the exposure draft, online download/upload sounds like another variation of the
online memo update system where the memo file is a copy of the master file downloaded to the terminal.
After it is updated locally, it is then uploaded back to the original master file for updating.

The section on “Characteristics of On-Line Computer Systems” (paragraphs 18 to 22) seems to be a
hodge-podge of comments without any particular focus.

Internal control issues


As can be expected, this exposure draft devotes significant time to internal control issues. In fact, two
topics (“Internal Control in an On-Line Computer System” and “Effect of On-Line Computer Systems on
the Accounting System and Related Internal Controls”) are devoted to these issues. While the coverage
of internal control issues is reasonably comprehensive, the placement of certain paragraphs seems odd
at times. For example, under the second topic, I found a passing reference to risks of viruses. The issue
of risks associated with viruses should be given more prominent coverage under the general discussion
of internal controls rather than specifically on accounting system controls. Coverage of firewalls and
hacking should also be strengthened.

Effect of online systems on audit procedures


The exposure draft makes the point that it is “more effective for the auditor to perform a
pre-implementation review of new on-line accounting applications than to review the applications after the
installation.” Here, the focus is on “on-line accounting applications,” and seems rather narrow.
Increasingly, e-commerce businesses rely heavily on online sales systems that are focused on the
sales and marketing side of the business. Such sales and marketing applications are more
important to the business than the accounting applications, and auditors ignore them at their own peril. In
any case, auditors often need to audit online systems after they are implemented, having played no part in
the implementation.

Some reference should be made to auditing online transactions that involve third parties. This is
particularly the case with some e-commerce sites where the online credit card processing is handled by
a bank-authorized agent or service provider external to the e-commerce site.

Overall, the exposure draft makes a good attempt to bring the standard up to date. The only major flaw is
that it has not gone far enough in dealing with an increasingly complex online e-commerce environment that
presents auditors with new and special challenges.

The IAPC will accept comments and suggestions up to July 31, 2000.
