Division of Research
Graduate School of Business Administration
The University of Michigan
July 1980

AUDITING OF COMPUTER-BASED INFORMATION SYSTEMS
Working Paper No. 225

David G. Carney, United States Navy
Alan G. Merten, The University of Michigan

FOR DISCUSSION PURPOSES ONLY
None of this material is to be quoted or reproduced without the express permission of the Division of Research.

The authors would like to express their sincere appreciation to Professor Robert K. Mautz of the Paton Accounting Center, University of Michigan, for his assistance.

Section 1 INTRODUCTION

In the three decades since their introduction into the business environment, computers have become synonymous with information systems for many organizations. Rapid technological changes in computing capabilities have revolutionized the world of data processing and information systems. Such systems are vital elements in the development and management of the complex and intricate production, marketing, distribution, and financial networks which represent the modern business structure. Advancements in hardware capabilities represented the yardstick by which technological progress during the first two decades of the computer age was measured. As illustrated by Figure 1, hardware advancements were comprised of the development of large-scale computers which provided: 1) ultra-high-speed processing; 2) the capability to do complex computations on large amounts of alphabetic and numeric data; 3) enormous primary and secondary storage capacity. Computer generations were defined in terms of the most significant hardware technology breakthroughs. With the focus on hardware, software development evolved as a support discipline to aid users in harnessing the expanding hardware capabilities. By the mid-1960s, it was evident that the software element provided an additional resource to be exploited in sustaining the rate of computer technology advancements (Figure 2). First-generation software supported the centralization of business functions on large-scale computers. The development of timesharing, a second-generation software, provided a vehicle for diverse user groups with smaller data processing requirements to benefit from the capability and capacity of large-scale computers. As computer resources became an integral element of

[Figure 1: hardware advancements. Labels recoverable from the figure: ENIAC; UNIVAC I; high speed drum; magnetic core; random access storage; magnetic disk; transistorized computers; removable disks; Honeywell 200; integrated circuit computers; resident disk files; IBM 360; IBM 370; Honeywell 6000; mass storage.]

[FIGURE 2: software generations. Labels recoverable from the figure: 1st generation, 2nd generation, and 3rd generation software; time axis 1945 to 1980.]

the corporate structure, the perspective of the business community changed. With hardware capable of storing and processing large quantities of data, operating managers wanted data for current management decisions as well as results of operations. In meeting this request, EDP professionals, often unfamiliar with traditional accounting methods, developed a new way of looking at data, Database Management Systems. In retrospect, it can be seen that two perspectives of a more abstract nature exerted a major influence in the development of computers (Figure 3): (1) basic processing technology and (2) its application to specific needs. The process orientation guided the development of the media and method for storing and retrieving data. The application orientation reflects the evolution of perceptions as to the most efficient and economical means of combining data into records and files. The data redundancy and physical structure of early EDP file systems were heavily influenced by constraints experienced in manual systems. Advancements in the filing and storage aspects of EDP technology allowed software developers to employ a logic of data relationships quite different from that embodied by manual accounting systems. Viewing the perspectives of Figures 1 through 3 in the aggregate, it is evident that three identifiable generations of software technology have existed and that we have now entered the fourth generation (Figure 4). As with most other technological and scientific advancements, advances in available systems technology have not always been effectively utilized. Organizations, immersed in the immediate problems of sustaining operating efficiency and content with currently implemented information technology, often inadvertently failed or specifically chose not to devote the resources necessary to take advantage of an emerging generation.

[FIGURE 3: process orientation and application orientation. Labels recoverable from the figure: process orientation, 1st generation (sequential only), 2nd generation (sequential and random); application orientation, 1st generation, 2nd generation; file systems; DBMS; data integration; time axis 1945 to 1980.]

[FIGURE 4: systems generations. Labels recoverable from the figure: manual systems (1st generation); EDP file systems (2nd generation); database systems (3rd generation); distributed systems (4th generation); time axis 1945 to 1980.]

The interfacing professions, including accounting and auditing, have tended to act on the assumption that the current implemented system retains a similarity to previous manual systems. The result of such an assumption is an erroneous perception of what expertise is necessary to understand a client's system, as well as an unanticipated rate of obsolescence of clients' information systems. Our perception of the relative technological progress in systems technology, accounting, and auditing is illustrated by Figure 5. Although users continue to express their needs at a high rate, user capability to assimilate and fully exploit available technology has lagged behind systems technology, as a result of an incomplete understanding of the potential of technology. Auditing may well lag behind both user capabilities and system development.

Section 2 PURPOSE

The purposes of this article are twofold: (a) to provide a brief history of the four systems generations and (b) to examine the audit perspective. The four systems generations are: (1) manual systems, (2) EDP file systems, (3) database systems, and (4) distributed database systems (Figure 4). Each of the generations, as well as the impact of the use of the technology on auditing, will be discussed.

Section 3 SYSTEMS GENERATIONS

Manual Systems

Manual systems, which span the majority of the period of historical development, comprise the first generation. Invention of movable type in the fifteenth century gave seed to the early systems explosion. That same century saw the emergence of two systems-related professions, accounting and auditing. One of the earliest references to performance of annual audits was in Cromwell

[FIGURE 5: PERCEIVED TECHNOLOGICAL ADVANCES. Curves labelled in the figure: feasible systems technology; implemented systems technology; accounting; auditing; time axis 1945 to 1980.]

Household Accounts (1417-1476). Pacioli's Summa de Arithmetica Geometria, Proportioni et Proportionalita in 1494 provided the first published work describing double-entry bookkeeping systems (Brown [1968]). Auditing and accounting grew to maturity together, but development was slow. The British Registered Companies Act (1862), requiring independent audits of stock companies' financial statements, was significant in recognizing the importance of the auditing profession. However, almost three quarters of a century passed before the United States enacted similar legislation through the Securities Act of 1933 and the Securities Exchange Act of 1934. Prior to the 1850s, business organizations were typically small, geographically centralized, and managed by the owner. Little need existed for formalized information systems. However, railroad expansion required enormous amounts of capital and diverse managerial skills to build, operate, maintain, and finance the vast transportation networks. To support these networks, a well-defined organizational structure evolved, and the owner manager was replaced by professional managers and absentee owners. This new environment necessitated the development of formalized information systems to provide the data for operations, administration, and evaluation of the increasingly complex business organizations. Concomitant growth of telegraph and telephone networks and a much improved mail service provided media for rapid transmission of operating and financial data to support managerial decision making. Improved speed of data flow required even greater formalization of information systems. The rate of technological change during this period of development was modest and remained within the context of manual systems. This relatively tranquil environment permitted the accounting and auditing professions to evolve at a rate compatible with that of systems technology.
The extended manual system generation procreated a large tradition of accounting procedures and audit perspectives, many of which are still evident today.

Manual systems, through the combination of ledgers, journals, and physical proof of transactions, brought data together into a logical framework for recording each transaction. Data relevant to each entry was recorded in contiguous columns, rows, or data fields. From inspection of the accounting books and files, one could perceive what informational elements comprised each entry and could determine directly or by inference the relationships among entries and files within the accounting database. Auditors were able to traverse the collection of data through well-defined and permanent audit trails from transaction entry to financial statements.

EDP File Systems

The computer age, with the advent of ENIAC in 1946 and the first business applications of the computer in the early 1950s, marked the beginning of second-generation systems. Viewed primarily as high-speed data manipulators and mass storage media, computers were used to mimic manual systems, thus perpetuating the manual file structure and transaction orientation. Computer applications were highly compatible with the functions performed on pre-computer accounting machines; therefore, accounting functions became major consumers of first-generation business computer resources. This compatibility initially allowed accounting to grow with EDP development. Because the EDP file system retained the physical integrity of accounting records and the EDP accounting books and files were stored in much the same format and contained the same data as the displaced manual system, auditors could continue to determine directly or by inference the relationships among entries and files within the accounting database. Emulation of manual systems preserved traditional audit trails from transaction entry to financial statements. Therefore, a high degree of audit technology was directly transferable to EDP systems. Subsequent advances in EDP

technology, which made data more easily accessible by the user community, remained essentially within a file-oriented context. Constancy of the data structure between manual and advanced EDP file systems reinforced the perception that computers did not represent a significant threat to audit technology. Therefore, the auditing profession continued to focus its attention on a transaction review external to the computer.

Database Systems

Database systems represent the third generation of systems software. In the late 1960s and early 1970s, management began to recognize the need for a radical departure in organizational use of the computer and, in particular, in management's view or attitude toward data. Experience gained in the first twenty years of computer applications to business led inevitably to recognition of the fact that conventional accounting type files were both expensive and inefficient. For many, data became a valuable corporate resource which had to be managed in a cost-effective manner. Efforts were made to avoid storing a given data element in more than one place. Preplanned reports, as well as ad hoc inquiries, would access this single nonredundant collection of data. At the same time, computer hardware and software vendors began to market general purpose software which had the capability to store and maintain large, integrated collections of data (called databases) and which provided a degree of independence between the structure of the data and the computer program. These general purpose software packages are commonly referred to as Database Management Systems (DBMS). Using the DBMS, user organizations can and are building special purpose databases and database systems to support their operational and management activities. Stored records that preserved the physical integrity of accounting books and files, characteristic of manual and EDP file systems, were no longer maintained.
Data supplanted records as the common denominator of stored information.

Although one piece of data could logically be related to more than one portion of the accounting books and files, it was unnecessary to store that piece of data as a physically integral part of an accounting type record if the computerized database provided the logic to recover that data for any accounting purpose. The result was elimination of the data redundancy common in manual accounting systems. It was no longer necessary, or even desirable, to emulate the processing of a transaction, from journal to ledger to financial statements. Through the DBMS and specific user programs, any transaction which affected a data item of interest resulted in an automatic update of that data which would be reflected in any and all uses.

Distributed Systems

The 1970s conceived not only DBMS and database systems but also distributed systems, a fourth generation. Distributed systems, which provide for a network of computers (usually minicomputers) to distribute the data processing burden, provide the potential for centralized administration, but physical dispersion, of data and processing. User demands for increased accessibility to corporate databases for higher levels of system responsiveness to organizational needs inspired the idea of placing portions of the database, either in detailed or summary form, "near" primary users. Many of the early "distributed" systems provided only modest extensions of centralized systems. These early systems often did no more than distribute the input and display functions or, in some cases, automated decentralized systems which were previously manual (Figure 4). Unfortunately, this miscategorization continues. Failure to distinguish among distributed databases, distributed processing, or the combination of distributed processing and distributed databases has created confusion as to what actually will constitute a fully distributed system (Carney and Merten [1979], Deppe and Fry [1976], and Enslow [1978]).
If an auditor's first experience with a "distributed" system is with an incomplete one, it must be anticipated that the impact of such systems on auditability will be discounted.

Section 4 A SOURCE OF POTENTIAL AUDITING PROBLEMS

This brief review of system evolution provides a context in which the impact of computer systems on auditing may be further examined. As discussed thus far, it would appear that each generation evolved from its predecessor. However, microanalysis indicates that such is not the case. Not only does a gap exist between the technological sophistication of systems and those who must interface with the systems, but an intergenerational gap exists among the various elements and perspectives which combine to represent a system. While it is clear that hardware has exhibited the most rapid evolution, followed closely by system software (operating systems, telecommunication systems, DBMS), these two elements have not evolved synchronously. Similarly, the system software components in a given environment are not necessarily all of the same generation. The intermixing of hardware and systems software generations has been a source of confusion to those attempting to assimilate complex systems. Therefore, some authors have chosen to combine hardware and system software into a single element of total system evolution. The more user-oriented elements (Figure 3) evidence much slower development than either hardware or system software. The impact of manual systems on EDP technology is most evident in the application element where a file orientation persisted until 1970, and in fact is still the predominant orientation found in current installations.
The slowness with which file systems are being replaced by database systems may in part be explained by three factors: 1) The time required for the business community to assimilate the sophisticated systems capabilities currently available; 2) The extensive time, effort, and cost required to convert an organization from one technology to another; 3) Organizational inertia favoring "current procedures" which has created resistance to change and retarded efforts to achieve parity with system technology.

The caution with which the business community has followed technology, combined with the rapid system evolution and intergenerationally mixed system complexity, has encouraged the interface professions to assume a "follow business" approach. The large body of traditional audit practices, developed primarily to audit businesses which exist in a file-oriented environment, has provided a context which is not conducive to developing audit technology for emerging EDP systems. This fact, coupled with the application orientation of EDP file systems audited to date, has provided little incentive for auditors to maintain sufficient depth of knowledge in the system design and architecture technology of emerging generations.

Section 5 AUDITING PERSPECTIVES

The audit objective transcends the method of processing information. Most articles and texts emphasize this quality when introducing the topic of auditing in an EDP environment, as illustrated by Management, Control and Audit of Advanced EDP Systems (1977), which states that "although specific audit procedures may differ, the auditor's objective does not change when EDP is utilized in the accounting process." Constancy of the audit objective, regardless of audit procedures, is essential to provide a stable foundation on which to build the audit framework. However, focusing on the constancy of the audit objective must not be permitted to inhibit development of innovative procedures to accommodate new generation EDP systems nor to justify the use of audit procedures applicable to manual systems when auditing EDP-oriented systems. Working around and through the computer, using conventional control techniques regardless of the processing technology employed, and waiting for technological development before acting will increase the problem.

The First General Auditing Standard, which establishes the importance of professional competence, states that "the examination of financial statements is to be performed by a person or persons having adequate technical training and proficiency as an auditor" (AICPA, 1973). The meaning of professional competence for those auditing an organization which employs advanced EDP technology has been expanded as follows: "The auditor of an organization using advanced EDP systems will need to possess adequate knowledge and experience in EDP in addition to that required in accounting, auditing, taxation, and related subjects." The importance of satisfying this standard must not be underestimated for the following reasons: 1) Auditing should not be a constraint on the most efficient use of available technology; 2) Accounting functions are particularly compatible with EDP capabilities; 3) Self-imposed measures of competence are better than government-dictated measures. The comments which follow will explain each of the above reasons. Auditability of EDP-oriented systems is critical to their successful implementation within a business organization. Immense talent and investment are being devoted to development of sophisticated, computer-based information systems. The danger of unauditability increases more than proportionally to the level of sophistication. Unless auditing procedures at least stay current with computer technology, including maintenance of an in-depth knowledge of hardware and system software, businesses will be forced to accept less capable, although auditable, systems than would otherwise be desired. The inference in this statement is not that auditors should relax the requirements in order to

develop auditable systems, but that auditing practices should not encumber EDP progress. Compatibility between accounting and EDP capabilities ensures the continual growth of EDP-oriented accounting systems and the need to improve procedures to audit such systems. With declining hardware costs, the user base will grow rapidly. Auditors previously serving manual-system-oriented clients will suddenly be confronted by a new challenge. These auditors, primarily members of smaller accounting firms, must acquire competence in EDP technology. Users and EDP professionals will resent any constraint on development of new systems. Nor should it be expected that EDP professionals will become conversant in auditing requirements in order to build more auditable systems. Auditors, both independent and internal, must initiate the integration of auditing and EDP disciplines, not just at the client implementation stage, but at the precommercial development stages. Unless the EDP and auditing disciplines voluntarily integrate, both professions are vulnerable to government-imposed requirements for integration or externally imposed standards of competence. The computer age brought with it a new challenge for auditors, one that increases with each improvement in technology. The file orientation of early EDP systems permitted a high degree of auditing knowledge transfer from manual systems. Although processing was centered within the EDP department, separation of duties was still possible, and traditional audit trails were largely undisturbed. As systems became more complex, traditional audit procedures continued to be modified. Evolution of third- and fourth-generation systems, however, has brought auditing to the technological threshold beyond which its traditional procedures will be inadequate. Predominance of live data transactions and audit trails with short "half-lives" requires a new orientation with greater dependence

on system-generated aids, on the internal audit function, and on reconsideration of the timing of audit functions. An alliance between auditors and EDP professionals to develop adequate internal control is necessary to ensure system auditability. Internal control should be of utmost concern to both professions. Without effective internal controls, data integrity, back-up and recovery capabilities, and data security will be jeopardized. Therefore, abrogation of internal control procedures would be counterproductive on the part of EDP personnel. The importance of effective internal control from the auditor's perspective is self-evident. Working together in research and development of both general and special purpose systems enhances the validity of both groups' efforts. As a natural by-product of performance monitoring, EDP systems provide many potential audit tools on which auditors may capitalize. Back-up and recovery procedures dictate the existence of file and database re-creation capability (grandparent/parent/child files and their associated transaction files). Checkpoint files, transaction logging, and user application logs represent only a small sample of other kinds of system-generated documentation which are potential audit tools. However, the effective life of such tools may be extremely short, requiring the auditor to alter the timing (i.e., surprise audits rather than year-end audits only) and sequence of many audit procedures. As audit trail lives decrease inversely with system complexity, the role of the internal auditor takes on increased significance. Third- and fourth-generation systems will require that independent auditors look increasingly to internal auditors for support. Two recent surveys indicate that approximately 60 per cent of the larger U.S. corporations now have specialized internal EDP audit functions (Perry and Warner [1978], Mautz, et al. [1980]). Another

research study indicates that external auditors would be willing "to adjust the audit scope of their EDP-related activities when they were satisfied about the 'independence' and 'quality of work' of the internal auditor" (Rittenberg and Davis [1978]). Internal auditors are in the best position to ensure that system auditability is incorporated during system implementation, and the shortened audit trail life of third- and fourth-generation systems necessitates increased dependency on the internal auditor.

Section 6 SUMMARY AND CONCLUSIONS

An understanding of EDP system evolution and the impact of the various generations and phases is only a beginning. The method of data processing does impact accounting functions, and auditing must respond to technological changes initiated and controlled externally to the accounting function. These are facts to which auditors must reconcile themselves. Auditors cannot wait until the basic control elements have been defined, nor until "considerably more experience is gained...before reaching a consensus about accounting controls" (AICPA, 1977). In an environment of third- and fourth-generation EDP systems, it is clear that: 1) the profession must establish educational standards that will not only keep auditors abreast of systems development, but will serve to close any professional gap that may develop; 2) the role of the internal auditor will be of increasing importance to the independent auditor, and to that end these professions must adequately respond; 3) auditors must become actively involved in the design and development of new EDP technology. For auditing to be viewed as a profession which is a leader rather than a follower in EDP technology, it must act positively to meet the challenge.

1. AICPA, Management Advisory Services Guideline Series Number 4; Guidelines for Development and Implementation of Computer-Based Application Systems (New York: AICPA, 1976).
2. AICPA, Management, Control and Audit of Advanced EDP Systems (New York: AICPA, 1977).
3. AICPA, Statement on Auditing Standards (SAS #1) (New York: AICPA, 1973).
4. AICPA, The Auditor's Study and Evaluation of Internal Control in EDP Systems (New York: AICPA, 1977).
5. Brown, Richard, A History of Accounting and Accountants (New York: A. M. Kelley, 1968).
6. Carney, D.G., and Merten, A.G., "Impact of Distributed Computer Systems on Auditing," (Working Paper No. 182, Graduate School of Business Administration, The University of Michigan, 1979).
7. Commerce Clearing House Topical Law Reports: Accountancy Law Reporter, 2nd ed., Vol. 1 & 2 (Chicago: Commerce Clearing House).
8. Deppe, M.E., and Fry, J.P., "Distributed Databases: A Summary of Research," Computer Networks 1, 1976.
9. Enslow, P.H., Jr., "What is a 'Distributed' Data Processing System?," Computer, January 1978.
10. Mautz, R., Kell, W., Maher, M., Merten, A., Reilly, R., Severance, D., and White, B., Internal Control in U.S. Corporations (New York: Financial Executives Research Foundation, 1980).
11. McRae, T.W., Computer and Accounting (New York: John Wiley & Sons, 1976).
12. Perry, W.E., and Warner, H.C., "Systems Auditability: Friend or Foe," Journal of Accountancy, February 1978.
13. Rittenberg, L.E., and Davis, G.B., "The Role of Internal and External Auditors in Auditing EDP Systems," Journal of Accountancy, December 1977.