INTRODUCTION
TO COMPUTER AUDITING
There are two approaches to auditing in a computer environment. The first, known as ‘Auditing through the Computer entails accessing, testing, processing, analyzing and reporting the electronic data in their electronic state with the objective of ensuring their validity and conformity to expected specifications. This is done utilizing specialized application programs and or other software known as Computer Assisted Auditing Techniques (CAAT).
The second approach to auditing in a computer environment is known as ‘Auditing Round the computer’. This method treats the computer as a ‘black box’, and analyses computer reports without necessarily using computers directly. The major reason for the wide-spread use of this method includes the fact that only some aspects of business operation has been computerized in most of the businesses in Nigeria, including banks; whereas, an audit, in order to be reliable, must be as comprehensive as possible, covering those other areas not computerized.
As high
level automation is the hallmark of today’s financial industry, the
Bank Inspector or auditor cannot ignore computer auditing any longer.
What challenges does the computer pose to the Inspector/Auditor? They are many:
The supersonic speed at which transactions are processed. In a split of a
second, a computer can process millions of transactions, transfer billions of
naira to any account anywhere in the world.
· The ease with which computer fraud can be committed- even from the privacy of a criminal’s room, and the difficulty of detection. In fact, the computer criminal does not even have to worry about any gun-toting Policeman chasing after him!
· The risk of knowledge gap between the Inspector and the computer personnel (the gurus), making it difficult for the Inspector to know when a change to a program or data file such as an addition, a deletion or a fresh input in the system by a computer staff is a fraudulent one. A computer fraud can be committed right under your nose by a knowledgeable person, if you are ignorant of what the criminal is doing!
· The risk of systems break-down and the attendant loss of control during the ensuing period until recovery or restoration takes place. Some errors — deliberate or not — committed during such period take ages to rectify and may eventually become a case for write-off.
WHAT SHOULD THE INSPECTOR OR AUDITOR DO IN THE FACE OF THE ABOVE?
For an all-round computer audit, the following steps are recommended. Of course, they are not exhaustive:
1. The Inspector/Auditor, should be involved at the planning stage of computerization of any aspect of the bank’s operation. Experience in some banks show that this is hardly the case. Computers are installed, a select number of staff are trained as users, and the Inspector/Auditor, only stumbles on the gadgets when comes visiting the branch for inspection! As the computers were not there during the last inspection of the branch, no mention would have been made in the last report. Pity the traditional inspector grounded in his conservative style, who visited the branch five years ago, and who has had not even a computer appreciation course coming to inspect such a branch. Your guess as to the quality of his inspection is as good as mine. On the other hand, if the Inspector/Auditor is involved from the planning stage, he would consider the implications of computerization to his audit plan and adjust his programs to capture the relevant control areas as much as possible.
2. The Inspector/Auditor, should be carried along at every stage of amendment of programs. Some fraudulent computer staff take opportunities of computer breakdown to install their own programs that could fraudulently transfer funds or do any other delinquent act. There should be a log on the visit of each programmer to each branch, noting date of visit, specific errors he came to amend, signature of branch staff present during installation of the amendment software, etc.
3. Ensure that adequate controls exist during systems breakdown to avoid fraudulent manipulations at such times. A register of dates of breakdown, and date of restoration should be kept by the local I.T. staff.
4. There should not be any delay in call-over of daily transactions. Computer frauds, due to the element of speed, need to be detected at the earliest possible time. This is impossible if call overs are left in arrears.
5. Pay particular attention to the following areas:
· Account Opening
· Cheque Clearing
· Electronic funds transfer
· Dry posting of transactions
· Cheque encoding
6. To be an effective inspector/Auditor, you must not only be computer- literate, but also have a good knowledge of basic traditional transaction processes under normal circumstances, so that any step taken, which, in your own point of view is a deviation, can be easily detected and followed up for confirmation. This is because computer software is developed along existing banking procedures, only eliminating unnecessary steps without losing control. A good knowledge of traditional processes is therefore invaluable to an inspector/auditor. No doubt, the computer age has come to stay. The auditor or inspection either has to stand tip to this fact and update his knowledge accordingly, or he risks being rendered irrelevant to the new environment.
Subscribe by Email
Follow Updates Articles from This Blog via Email
No Comments
comment section