c


 
by  
01 Oct 1998

This article is the third in a series of four, covering the most commonly examined subjects in
paper 6. In the August edition of the „
 ½  
, we looked at the audit of
inventories. This month, we look at auditing in a Computer Information Systems (CIS)
environment.

Auditing in a CIS environment is, of course, the rule rather than the exception. The paper 6
examiner states that students should assume that accounting systems in exam questions are
computerised. Auditors all over the world now use computers to a greater or lesser extent, and
the proportion of their clients without a single PC must be very small . So once again, the
subject is important in practice as well as in theory.

There is a substantial body of guidance in this area which includes the following ISAs
(International Standards on Auditing) and IAPSs (International Auditing Practice Statements):

(i) ISA 401, A
i ii 



 i„ i
 ;

(ii) ISA 402, A
i  i

 i  i  i ii„
ic
i i;

(iii)IAPS 1001, „i

 ½„ A ic
c

;

(i) IAPS 1002, „i

 ½i 

„ ;

() IAPS 1003, „i

 ½ ;

(i) IAPS 1008, „i

 ½iA  
  
 ½ „

c 
i ic i
 i;

(ii)IAPS 1009, „i

 ½ 

Ai A
i  ciq
.

Much of the IAPSs are taken up with descriptions of the various types of system and the issues
involved in auditing them. This article will take a rather more practical approach to exam
questions, as in previous articles. Don½t worry about this area if you are not particularly
computer literate, the examiner does not expect you to have any specialist knowledge and you
can answer questions perfectly well with very little practical experience. Remember that there is
some crossover with the paper 5 syllabus here and you get double benefit from studying the
area!

There are four basic types of question that come up in the exam:
j
c ½ what are the particular features and risks involved in auditing in a CIS environment?

j
 ½ what CIS controls would you expect to find in this particular area?

j
 ½ how do auditors use computers in performing audits?

j
 ½ how would you use CAATS (Computer½Assisted Audit Techniques) in this area?

The area covered by ISA 402 is one that has not been examined frequently in the past, and it is
unlikely to form the subject matter of a full question.

jc 

Type A questions deal with the features and risks involved in auditing in a CIS environment.
The IAPSs noted above deal with the features and risks of different types of system, but there
are elements common to them all. A typical Type A question might read as follows:

j



 

  

 
 
 
  

    

  

 
   



The suggested answer that follows is split into two parts. Part (a) deals with general CIS factors
which would be applicable to many different types of system. Part (b) deals with the effect of
the change in the system on audit planning.

j
pp
(
pp
(i)p
p
p

 pp

p
p

 pp
p pp p p p


pp p
p p p  ppp



p

 p

 
pp

p  
p

p  p p

 pp
pp p
p

p

(ii)p
 
p
p
p


 p p  p pp
pp
p

p
 p
pp p p

pp pp
pp p
  
pp
p
pp
p pp p p
p
pp

p
ppp p p
pp p pp p



p
p p

 p p  p p

 p
 p  p
  
p  p p

 p  p p
pp
p
p pp

 p
p 
p p
p



pp p pp p
p p p p p


pp p

p
 p

(iii)p p
p p
p  p p


 pp
p

p pp
 p pp  p pp p

p
p pppp p
 p p p


p pp
p
 p
pp pp
 p pp p
p
p p


p p  p
ppp ppppp

(iv)p
  p p  
pp


pp p
p
p p  
p
p
 p
p
p 
p ppp 
p  p
 p 
  pp p
p 
 
p p

 
p pp p  p pp p p
  
p p pp p

(v)p p
p
p
 
p p p pp


p
p
p
p p pp


p 
 
p
p 
p
p  
p

pp


p


 p pp

pp 

p
p pp p
 p p p p p
p

p ppp
p p

p
p p
  
p

p

(vi)p
 p

p


 p

p p p
pp p
pp


pppp
ppp  pp p 
pp p
 p p pp

p p

 p
p
p

(vii)X p
p
 p p

p  p
p
pp

p p ppp
 p
p
p


p p p
p

(viii)p
p
 p
p p


pp

 pp
p ppp

p  pp p p 
p
 pp   p
p

(b  


p

(i)p
pp p

pppp
pp p pp p
 p

(ii)pp 
p

p 
ppp p p
p pp



p

p 
pp
pp pp
ppp
pp
p

 p
ppp
p

p
 pp pp


 ppp

 
p p
p
p
p

pp p

p p
p
p p

p
p
ppp
pp
p
ppp
p

p p ! p p p pp p!pp 
½p
  p

(iii)p pp 
p

p 
ppp
p
p p pppp


pp p p


p
p pp pp

p
 ppp p
pp pp
pp
½½p

p
pp p pp
p
p p

 
p p
pp ppp
 pp pp


p
pp
pp
pp
p pp

j  Type B questions are probably the commonest. They require you either to
set out what controls you would expect to see in a particular area, or, they ask you to explain the
weaknesses in a given situation. We dealt with the approach to exam questions, and controls
generally, in a previous article. Here, we will simply revise the basic types of computer control,
in order to familiarise ourselves with the terminology.

We saw in the previous article, that the c

 i
 is assessed alongside specific
c
 
c

. In the context of computers, we deal with 
  „c
  and „
 ic ic
 . Note that not all computer controls are necessarily computerised!

(

pp
p


p
p p p

pp
p p p  
p
p

 p

p" p p

p p p p½ ½p
p
p

 
p

p# p p ppp

p

$pp
ppp%&&'pp p p

p
 p

p
ppp

p
p pp
p p p


p p
p p p
p
p p!
ppp  (p

(i)pp

pppp
pp


p
p


p
p
 p p
 p p

p
)

*p p 
p
p 
p p p
pp
 p  p
ppp
p

 p

p

pp
p 
p p p

pp

 p  p
p
p p 
p
pppp
p p ppp p
p
p p
pp  p
p

p p
pp p
p
p 
p
p

(ii)p+

p p  p

p
p
p p

 pp
p
 
pp
p
p p

pp  p



p p p
ppp


p p  p  p
p  p
p
p

(iii)p# p,p
p)#,*pp p
pp
p



 p

 p p  p p
p

p p p p

p

p  p p

(iv)ppp
p  p
 pp
p
p

p

 ppp
p
- 
p
 p p
 p
p p
p
 p p
p
pp
pp 
 ppp
p
p


p
p  p
p p
p 

p

p p
p

pp  p pp
p
 p

(v)pp

p

pp ppp
p


p


 p  p!  p


 pp p


p

p p p p
pp pp
p
p
p p
pp p
p


p

pp p


p

ppp
p p p  pp
p

p pp p

 p
p p
p pp
p p#p p p
p

p p
-
 p
p p
 p

 
pp


ppp p p
p.
p
p
p p p p

p

p


pp  p
p p

 
p

p

(b

 



p

p


p
p p

 
p

pp
p


p  p
 p p  
p p 
p
p p

p


p  p p
p pp p pp p

p
p 
p
p
 p

p

p


p ppp


p
p
p p


p
p 
pp  p
p
p

p


p
 p p p
$pp

pp  pp
p
  (p

(i)p/ p p p
 p pp
ppp


p
p  p
p
p0 p
 p p pp
 ppp 
p
p p

pp
p p

p
p

p
p
p p p
p
p

(ii)p!pp p
p
ppp



p
p
p pp p p p
 p p
p
p
p pp

p p

(iii)p  p)
p½ 
 ½*ppp p

 pp p
p p  
pp
p
 p
pp
p
p
p ppp 
p1p

(iv)p pp ppp p

 p
pp


pp p p
pp p p ppp

 
p

p p   p
 p)p p
p%%*p ppp

pp pp p½ ½p p
pppp p
p
p pp
p
p pp
 pp

p p

ppppp  p p p 

p

p


p pp pp pp
p  p

(v)pp


p)½
p
p p p
p!2p3½*p
p

p p
p
p
p
p

(vi)p+ ppp pp
p

p
p
 

p
pppp
p p  
p p  p
 p
pp  p

(vii)p
pp
pp p
p
p
pp
  
pppp
pp 
pp pp
p p p
p  pp
p 
pp p p
p

p

(viii)p
 
p

p p
p  p p


p
p p p
p
pp
p
p p p
  p  
p

j
 

Type C questions (how do auditors use computers in performing audits?), are not really dealt
with in the ISAs or IAPSs noted above. You can rely on your experience here if you use
computers on a day-to-day basis, and if you do not, remember that anything that can be done
with a pen and paper, can probably be done with a computer! Type D questions (how would you
use CAATS in this area?) are covered by their own IAPS, and unless you work in a specialist
computer audit department, you are unlikely to have any significant experience of their use.

Consider the following question taken from the June 1997 paper:

j
 !
p

p
p
p
p
p p
p  p 
pp



p p

 p
 p)p


*p
pp   p
p p0pp  p p
p
p p
 p
p
p p p p   ppp
 p p p p pp
p
pp½p

p

pp
p
ppp
p

p4p p

p5pp
p
p
 p p
p
pp p
 p
ppp
p pp p
p

p

p  p ppp p p

 
p
p ½p


p p
(p

(p
 6p

(bp  p
 6p

(pp

- p p!p) *p
pp

p

pp p

p
p p
pp

6p

(p
p

p p p
 p
p
p p
p

.
p p p

ppp p p

pp

p
p
pp 
p
 
ppp p p
p
p
p  pp
p
ppp
p pp
p

p

·
 
 

 




  
 

 

  

"
 
·

 

(
(b
# 
 


 #(20p

To get maximum marks for a question like this, you need to use a proper memorandum format,
as in the suggested answer below. Every firm has a different layout for memos, so the precise
format is not important. There can be anything up to four marks allocated to style and
presentation in a 20 mark question such as this.

j
 !p

 
$!%p


(pp p


(p7pp

8 (p%9pp%:;'p

$(pp

 
p pp
p p

p
 p
ppp
p p

 
p
p p

pp

p (p

(p
 p

(bp  p
 p

(p
p


p

(p p

(p
 p
 
p

(
 


 p p½½p p
p  p

pp

p p p½½p p pp

 pp

 pp
p
p  p p  p!p p
 pp
pp
p  p p pp

 p
p
p  p

p


 p ppppp

p  (p

(i)p
p

 
p

"

p! p
p  p 
p

 
p

 p p
p   p p p p
p p 
pp
 p
pp
p p

 
p
 p p
p
p p
 p p

(ii)p 
pp

p ½p p!p p

 p pp

p
p
 p p p p pp
p p
pp p
 p

(iii)p  p

p

  p

p p
pp  
p
pp 
p
p
p 

p pp pp pp

 p8  pp 
p
p   p

 p p


p ppp
p



pp!p p p
pp
p
 p  p
p
 pp
p p p
p p

(b  
p

p
p
p
 pp
 p ppp

 
p
p
 
p

p  p p
p 
(p

(i)pppp
pp
pppp

 p
p
p p  p!6p

(ii)pppp
pp p 
p
p p p
p
p


 p 6p

)*p
p p
p
p p  i
ppp
 i
p p p
p

p
 p pp p
pp p pp



p  p p

p p  p 
p pp
p pp pp
 pppp  p
p
p


pp
p


 p$p p pppp
p p
pp
p
p pp pp


ppp

p

 pp 
½p p pp
p
pp½p p
p

p

pppppp
pp
p
p  p
 p
p


 
p 
pp 
p p p pp p
p pp 
pp½ppp p
p p

 pp p
p p

(&


 p

<
p

pppp 
p p  p
pp pppp

pp
p


p
p

p pp
p p
p
p
 
ppppp
p

p p
p
ppppp
p pp

p p
p
 p p- p p pppp


 p
 pp 
p

pp p p 
p
 pp
 p ppp
p pp
 p
p
p p

p pp
ppp
pp


  pp ppp
p

p p

 p p

 p
 
p
 p
p

p pp
p 
p p
pp p
 
p
ppp
! p 
p p


p
p
 pp pp

p
pppp
p

p p p
pp p

!p
pp
 p
p

(jp

p p
p   p p  p

 pp p
 pp
pp
p pp pp p p

pp p
p
p ppp
pp p
p p!p p
p  p p

 p!p
p pp
p pp
pp
-

 
p
pp
p p


p p
ppp

p p
p p 
p
p (p

(i)pp!
 p

p
 pp
 pp
p p

p p
  pp

p
pp 
½p

 pp


 p p
p 
(p

ipp 
6p

2ppp p p
p p  
p p  p

p6p

Dp

p
p-

pp p
p p6p

upp 
p
p pp

p  p pp

pp 
pp½pp
p

-
p
pp 
½pp,
pppp

 
pp 
p pppp
p
 pp

ppp½+p p ½p

p
p p
 p p ppp
pp½p
p
p
pp pp p

p
p pp p p
 p p

(ii)pp  p

p  pp 
p p  p ppp

 p
p
p

pp 
ppp p

p
pp
pp 
p
p p 
pp
pp
pp

p
p

p p  p
p 
p 
p


p

p p
pp pppp p

p
p pp

p  
p  
pp
 
p
p  
p
p

 p
 p
p  
pp
- p
p
p

p½p p
p

p ppppp
pp ppp


p
$p p  
p

p  p pppppp
p



p
pp
  p½ pp ½pppp 
pp
p

p
pp pp 
pp p
ppp
p

-p

p
p 
pp 
p p

p p p

p
pp½p
½p 
p
pp pp0p

p

p pp p pp
p
ppp
p
p

ppp½pp p p
p
p

( 
 
p

p
p
ppp pp 
 p
 p

 p p p  ppp  p
 pp p
p p
p p p p p

 p p
 pp p
p p p p!p

 

Auditing in a CIS environment is a wide area, but it is examined at a fairly basic level.
Familiarise yourself with the terminology and your paper 5 studies will also benefit.

The next and last article in this series will deal with the verification of balance sheet items.
p



  


p