Audit around the computer means that processing done by the computer system needs not to be audited as auditor expects that sufficient appropriate audit evidence can be obtained by reconciling inputs with outputs. In simple words evidence is drawn and conclusions are reached without considering how inputs are being processed to provide outputs. Sometimes it also means conducting audit without the use of computer system. However, former is widely understood meaning of the phrase. Now a days audit around the computer is considered as an auditing approach. It is more often known as black box audit approach
Most often this approach is used either because:
- processing done by the computer is too simple e.g. casting, sorting etc
- auditor is already aware of the software’s reliability. This is the case with most of off-the-shelf software used by client without any in-house alteration and thus need not to be checked.
- auditor has no mean to gain understanding of the computer system and thus resorts with this approach. This situation can arise out of circumstances including:
- lack of appropriate system documentation
- auditor lacks expertise or skills to understand or use the computer system for auditing purposes.
- auditor is not given access to computer system at the level required
Audit around the computer approach is used in situations when auditor is of the opinion that computer system is reliable and often comparison of inputs i.e. source documents to outputs i.e. financial reports is done which in auditor’s judgement is enough. In other auditor will not assess whether required controls are in place and if they are working operating effectively while inputs are processed. Due to the same reason, relying too much on this approach is not recommended for important aspects of the audit especially where assessed risk is high as this may result in ineffective audit and ultimately inappropriate audit opinion being expressed by the auditor.
As mentioned earlier that auditor will bypass computer system and will not check for existence and/or operating effectiveness of controls in processing data therefore auditor may use any one or combination of the following methods:
- Output oriented method: Sample select the information generated by the computer system (output) and compare it with auditor’s ideal system or information gathered from other sources or evidence collected by the auditor by the application of other audit procedures. For example comparing receivables balances with the statement of accounts received from customers or comparing stock records with reports of inventory counts
- Input oriented method: Sample select source documents (input) that are fed in to the computer system for processing and auditor independently processes the inputs using his own computer system or software and then compare the outputs generated by auditor’s computer system with the output generated by the client’s computer system to confirm accuracy, completeness and other assertions. Auditor’s processing may be manually done without getting any assistance of the computer. For example client’s system reports that cash book balance reconciles with bank balance as per bank statement. Auditor may conduct his own reconciliation to confirm whether it is true.
As discussed earlier that this approach comes with serious drawbacks and may render audit useless. Getting technical we can discuss how the above two methods can limit audit effectiveness:
For instance in output orient approach auditor is considering only the final product ignoring what has been fed into the system i.e. input might be incomplete or altogether wrong and auditor looking at output cannot identify such problems. For example comparing stock records with inventory does not help auditor in identifying whether inventory has been misappropriated. For this auditor has to match output with input i.e. source documents like purchase orders, goods received note, goods despatch note etc.
Similarly, in input oriented approach, although it is better than output oriented approach as auditor reperforms the process independently and output must match, however, auditor has no way of finding if the computer system has been programmed to give similar results if client’s system is used. And if auditor has its own computer system then cost-benefit issues may arise. Moreover it may be very difficult to ascertain the reason of deviations and for that auditor has to inspect the system itself.