Conducting audits when electronic data processing system is used

NCUA-CG – IMPACT OF DATA PROCESSING
The responsibility of the supervisory committee to protect the assets of the credit union remains the same whether or not the credit union uses data processing facilities. Electronic Data Processing (EDP) or computer systems are used for collecting information from the credit union’s members and other sources, processing that information and distributing information back to the members or retaining it for the credit union’s internal use with unprecedented speed and accuracy. The computer makes possible the development of information for complex budgeting and forecasting which could not have been gathered and processed in the past because of time and cost limitations. The auditing of an EDP system and evaluation of the internal controls surrounding the EDP system are highly specialized, therefore, supervisory committees should leave these audits to professional auditors experienced in EDP auditing.

NCUA-CG – HIRING AN OUTSIDE AUDITOR
Beyond the EDP audits, supervisory committees of credit unions large enough and complex enough to have computerized record systems rather than manual systems should consider turning the entire audit over to professional auditors. The performance of the audit procedures, evaluation of internal controls, interpreting and communicating the results of the audit of a multi-service credit union exceeds the limitations of most supervisory committees. In these situations, the supervisory committee should look for an outside auditor. Many CPA firms, as well as some independent auditors and some league auditing departments have auditors with sufficient expertise to perform the entire audit of a credit union, including that of the EDP system. The choice of an auditor should not be left to chance. Neither should it be based on price alone.

The supervisory committee should interview CPA firms or independent auditors, questioning them about their experience in auditing credit unions with similar EDP systems. The decision to hire one firm over another should be an informed one.

NCUA-CG – FUNDAMENTALS OF COMPUTER SYSTEMS
There are many types of EDP systems that vary in size, speed, cost, complexity and types of operations performed, but all data processing involves at least three basic elements: 1. The input or source data entering the EDP system; 2. The processing of that data; and 3. The product or output from the system. Input consists of any type of data. Input is entered into the computer by use of an input device such as a remote terminal or optical scanner. The input device converts the data from a form that is readable and understandable by people to a form that can be read and understood by the Central Processing Unit (CPU), the computer part of an EDP system. The CPU is the controlling center of the entire system. It contains a control section, an arithmetic/logic unit, and an internal storage unit, also called memory. The control section of the CPU directs and coordinates all the operations of the computer according to the instructions that were previously written for it. While the CPU directs the data and programs, the arithmetic/logic unit adds, subtracts, multiplies, and divides as well as moving, shifting and comparing data at very high speeds. The internal storage unit holds the data for processing and the program instructions. The processing is carried out by means of a pre-established sequence of instructions performed automatically by the computer. The entire sequence of instructions required to perform a function is called a program. Computer programs are written by people. Often the main storage unit has insufficient capacity for data that a program uses, so secondary or auxiliary storage devices are needed for additional storage.

The most common auxiliary storage devices are magnetic tape units, and disk storage units. By sorting, classifying, calculating, and comparing, the computer determines results. These results are called output. Output is data that has been processed. It may be in a form that people can understand such as a printed report, or it may be retained in the computer in machine-readable form to be used for further processing or retrieval later. An output device such as a printer or Video Display Terminal (VDT) displays output in readable form. Output reports common to most credit unions include Trial Balance of Members’ Shares and Loans, Daily Transaction Register, New Loan Report, Delinquent Loan Report, Paid Loan Report, Closed Share Account Report, Dividend Report, and Supervisory Override Report. The input devices, CPU, output devices and auxiliary storage units make up the computer hardware. The programs are the software. The EDP audit includes a review of equipment controls to appraise the reliability of the hardware. These controls are built into the computer by the manufacturer. Program controls are designed to assure the reliability and accuracy of the data processing. The program controls are written into the computer programs and errors in programs either stop the processing or are printed out in error reports. EDP equipment is highly reliable and accurate. Output errors usually result from input or program errors.

NCUA-CG – TYPES OF COMPUTER SYSTEMS
The EDP systems in credit unions are either On-Line-Real-Time (OLRT) or batch, in-house or service bureau. In a batch system, source documents (cash received vouchers, checks, journal vouchers, etc.) of transactions are collected and processed on a periodic basis, usually daily. An OLRT system is one where the transactions are entered directly through an input device into the computer and the computer is fast enough to process the data and return a response in time to affect the outcome of the service or process. In an OLRT system, the recording of transactions causes instantaneous updating of all relevant files. These systems allow a teller at any credit union branch to update a member’s account immediately by recording share deposits or withdrawals on a computer terminal. Many credit unions are purchasing or leasing computer hardware and software packages, thus, they have their computers in-house. While large credit unions dealing with a variety of services and many transactions continue to acquire in-house computers, the advent of mini computers and the availability of suitable software packages has made it possible for smaller credit unions to own their computers. A mini computer is a small, relatively low cost machine with internal components much like full size computers. While they are usually smaller and slower than the large computers, they are also easier to install, operate, and maintain. Most credit unions use outside EDP service bureaus rather than owning their own computers. These outside service bureaus provide data processing services to credit unions who generally do not do enough data processing to justify having their own computers. The data that is input through a terminal at the credit union is transmitted to the computer at the service bureau, usually by telephone, where it is processed. The reports are then sent from the outside service bureau to the credit union, again, usually by telephone.

NCUA-CG – AUDIT TRAILS
In a manual record system, an audit trail of hard copy documentation links individual transactions with figures on the financial statements. In a computerized system, however, records can be updated with no visible evidence of a change being made. For this reason, hard copy audit trails are necessary to provide management with information necessary to direct and control the operation of the credit union, to permit file reconstruction in the even

t of processing errors or co
mputer failure and to accommodate the needs of independent auditors and National Credit Union Administration examiners. Elimination of the batch system poses several problems for the auditors. Original source documents may not be available to support input to the computer and the overall amount of hard copy included in the audit trail may be reduced. To provide an adequate audit trail in an OLRT system, account balances must be periodically printed. Daily transactions must also be printed. The board of directors must have implemented written policies that prevent unauthorized use of terminals and assure that terminals are in use only during regular processing hours. Plans to permit continuation of operations during computer “down time” must also be written and operational.

NCUA-CG – INTERNAL CONTROLS
Regardless of the type of EDP system used by the credit union, the auditors must study and evaluate the internal control surrounding that system. This includes reviewing internal controls and writing a description of the EDP system, testing the credit union’s compliance to the controls to determine that the controls are functioning as intended, and evaluating the EDP system to determine the degree of reliance on the internal controls. Obviously, however, an in-house system would require more extensive testing than other types. A computer that is properly programmed does not conceal its errors. Therefore, “incompatible” functions in a manual record system may be acceptable in an EDP department without weakening internal controls. With EDP, however, data files can be changed without leaving any visible evidence of the change. For this reason, separation of duties, clearly defined responsibilities, and proper documentation describing the system processing are essential. The organization of the credit union’s staff should prevent staff members from having unauthorized access to EDP equipment, programs, or data files. System development, EDP operations, and user functions should be separated. As a minimum, the function of computer programmer should be separated from that of computer operator. If one person is permitted to perform both duties, internal control is weakened and the opportunity exists for possible fraudulent actions. As the size of the EDP staff increases, an EDP librarian, data processing manager, and systems analyst may be added depending upon the needs of the credit union and the EDP department.

Many credit unions do not have a large enough staff to allow for ideal separation of duties. In such cases, there should be compensating controls such as active managerial review of the EDP operations. Security for data files and equipment is essential. All magnetic tape and disk storage files must be properly identified by labels and stored in a secure location. Authorized persons using these files should sign a log to assign responsibility for the files when they are used. If the credit union’s EDP department is large enough to employ an EDP librarian, that person is custodian for data files and maintains the log. Proper backup of data files is also necessary to enable the credit union to reconstruct accounts if data files are lost or damaged. These backup files should be stored at an off-site location. The physical environment of the computer facility should have safeguards against fire and water damage. The facility should have no windows, be temperature and humidity controlled and the entrances to the computer room should be controlled by locks that allow only authorized persons access to the computer. During the audit, the physical controls must be reviewed, tested, and evaluated. Computer service bureaus strengthen internal control because they provide more segregation of duties. The auditor has the responsibility to evaluate the controls of the service bureau. Because a service bureau often performs EDP processing for a large number of credit unions, it would be impractical, if not impossible for the service bureau to allow an audit from every credit union client. For this reason, a service bureau contracts with independent computer experts to perform a review of the service bureau’s control procedures. The report, a third party review, is then made available, by request, to the auditors of the service bureau’s credit union customers in order that they may evaluate the controls inside and surrounding the computer and thus satisfy themselves that the computer can be relied on to preserve the integrity and accuracy of the credit union’s data and reports.

The third party review will contain background information about the service bureau and type of computer, as well as a description of the computer equipment, operating policies and procedures and control procedures. The credit union’s auditor will use the third party review report to determine the adequacy of the program or processing controls and of the general internal controls of the EDP system. Processing controls are operational requirements and policies designed to prevent human errors from occurring either before or after data is processed. One example of a processing control would be a service bureau policy preventing service bureau personnel from changing the data submitted by a credit union.

The general control procedures for a computer record system includes accuracy of the system, proper segregation of duties by service bureau employees, safety and security of the EDP facility including security designed to prevent unauthorized access to the system, properly documented computer manuals, duplication of programs and data files stored off site, as well as alternative plans in case of loss of processing capabilities at the computer center. The credit union’s auditor must review, in addition to the third party review report, user controls affecting the computer operation such as input and output controls. Input controls provide assurance that the data to be input into the computer are properly authorized and are accurate and complete when entered. For example, access to a terminal must be restricted to staff members who have been authorized to initiate transactions. Such access is often in the form of a “secret password”. Output controls assure the accuracy and reliability of the output reports, in this case, those received from the service bureau, and that output is distributed only to authorized personnel. For example, the exception report should be distributed to and regularly reviewed by supervisory personnel. In addition, the controls surrounding the physical safety of the terminals in the credit union must be reviewed along with contingent plans in case the computer is “down” for a prolonged period of time. An in-house computer system may require the supervisory committee to hire auditors qualified to audit the total EDP system if there is no expertise on the committee to perform such an audit.

This includes the portion of the audit done for the third party review when a service bureau is used. CPA firms or auditors with strong EDP auditing qualifications should be sought out and interviewed concerning their experience in auditing in-house EDP system. The audit of the EDP system will include a review of the internal controls surrounding the input data, output reports, and the processing of the data. Tests of compliance will be performed to provide reasonable assurance that the internal controls described in the audit work papers are used as planned. The auditors will conduct the study and evaluation of internal controls to provide a basis for determining the extent to which the credit union’s internal controls can be relied upon, which in turn, provides the basis for the auditor’s recommendations to the credit union for improving the system. This review of internal controls surrounding the EDP system will be performed with the use of flowcharts, questionnaires, doc

Documentation, and review of run manuals and by observing the credit union’s operations. The auditors must conduct tests of compliance before making their final evaluation of internal controls. Methods commonly used in compliance testing depend upon the type of EDP system being audited. They include auditing “around the computer”, use of test decks, controlled programs, and generalized software packages. The extent of the reliance on internal control determines the extent of the testing necessary for the auditors to express an opinion as to the fairness of the financial statements.

NCUA-CG – ON-GOING REVIEW OF INTERNAL CONTROLS
The supervisory committee has the responsibility to ensure that internal controls are in place and operating as planned throughout the year. New loans selected from the New Loan Report may be verified by either telephone or mail. Testing the accuracy of the delinquent loan listing prepared by the credit union staff can be accomplished by periodically comparing it to the computerized Delinquent Loan Report. The report of Master File Changes should be tested for accuracy by tracing items listed to source documents. The Closed Share Account Report should be used for the verification of closed accounts required of the supervisory committee. In addition, the supervisory committee can verify that access to the computer system is limited to authorized persons by comparing the passwords used to access the computer with those authorized by management. They can assure that passwords are changed periodically, particularly when there is a turnover of a staff member who had access to the computer. The controls assuring the proper backup of computer records and off-site storage should be reviewed periodically to determine that they are regularly being followed. Physical controls such as locking the computer room doors, permitting only authorized staff access to the computer room, as well as proper off-site storage of necessary data files, and records should be periodically tested throughout the year.

NCUA-CG – CONFIDENTIAL RECORD OF MEMBERS’ ACCOUNTS
It is possible for the supervisory committee to have the computer system produce the confidential record of members’ accounts discussed in Section IX. To enable the committee to independently control the correctness of computerized listings for this purpose, when the first computerized listing of the accounts is received, it should be reconciled with the older confidential listing the committee has been manually maintaining to assure that the first computerized listing includes all accounts. When a subsequent listing is received from the computer, it should be reconciled with the previous listing to determine that the new accounts are shown on the newer listing, but not included on the older listing and that closed accounts are not shown on the newer listing. The results of this comparison would then need to be traced to the monthly listings of new and closed accounts to assure the committee of the correctness of the latest listing.

This type of reconciliation would need to be made each time an updated confidential listing is furnished by the computer system. Additional time can be saved if the committee can arrange to have the computer compare the old and the new lists electronically and provide a printout of the differences in the two lists. Another acceptable procedure is based upon assurance by the processor that accounts cannot be opened or closed without being reported on the list of new members and those who have withdrawn. After the committee determines that the accounts carried on its manually maintained confidential listing have been entered into the computer, it determines each month upon the receipt of the list of new members that the accounts of all new members (as determined from the membership officer(s) reports) are in the system. At the end of each quarter, the committee requests that all statements of closed accounts that appear on the lists of members who have withdrawn be provided. The committee then checks the statements to the lists and mails out the statements to verify those accounts. The trial balance should then represent an accurate record of members’ accounts. All lists of new members and those who have withdrawn must be retained.

NCUA-CG – VERIFICATION OF MEMBERS’ ACCOUNTS

The supervisory committee can save substantial time and effort by using the capability of the data processing facility in conducting its account verification program discussed in Section IX. 1. The trial balance listing of accounts, needed for the committee’s control of account verifications, can be produced by the data processing facility with balances as of the effective date the committee is confirming balances. 2. The committee can arrange for the processing facility to deliver the quarterly printout of members’ statements directly to the committee to be used for account verification purposes if the committee confirms balances as of the end of a quarterly period. Arrangements can also be made for a printout statement as of any other date within the quarter that the committee may choose to use as the effective date of verification. 3. Arrangements can be made to have the data processing facility print on the members’ statements, or on inserts to be mailed or distributed with the statements, any message the committee wishes to include to call the attention of the member to the statement being used to confirm his account balances. 4. When all of the members’ accounts are verified, the committee must retain the trial balance for that month as a record of the accounts verified. 5. With appropriate programming, arrangements can be made to have the computer printout confirmation requests because of criteria selected by the supervisory committee. Examples of such criteria might be inactive accounts, highly active accounts with a recent period of inactivity, accounts with large balances, accounts with delinquent loans, etc. The criteria that can be selected from time to time is limited only by the capacity of the computer equipment being used and the feasibility of writing the program to accomplish the selection and printout. 6. By using multi-part forms on the computer, a single printing can prepare a positive confirmation request set which could include the first request, a mailing envelope, a return envelope, a control copy for the committee, and a second request, should it be needed. 7. Many computer systems have the capability to do random statistical sampling, which can be used in the verification of members’ accounts as, discussed in Section IX.

www.bestitdocuments.com