Auditing in A Computer Information Systems (CIS) Environment
Introduction
Auditors audit around the computer by reviewing and examining source documents or input and checking the
final output based on those documents. As computer systems became more fully integrated and the volume of
transactions increased, it became increasingly difficult to audit around the computer because much of the audit trail
was lost within the computer. The auditor then investigates the data processing system itself by feeding the computer
hypothetical transactions covering all the types of situations in which the auditor is interested and ascertaining
that the answers produced are correct and that wrong data are rejected. If the system is satisfactorily controlled, the
auditor relies upon the system and infers that the financial accounting information processed by the system is correct.
This shows how audit procedures have changed to adapt to the increasingly computerized environment.
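The test-data technique described above (hypothetical transactions fed through the system, with the results compared to what a controlled system must produce), as an added example that is not part of the original text. `process_disbursement` is a hypothetical stand-in for a client's input program with one deliberately planted weakness; the vendor list, limit and test deck are constructed.

```python
from decimal import Decimal, InvalidOperation

VENDOR_MASTER = {"V001", "V002"}       # constructed vendor master file
APPROVAL_LIMIT = Decimal("10000.00")   # constructed authorization limit

def process_disbursement(txn):
    """Hypothetical system under audit: returns (outcome, reject_reason)."""
    try:
        amount = Decimal(txn["amount"])
    except (InvalidOperation, KeyError, TypeError):
        return ("REJECT", "bad_amount")
    if not amount.is_finite():
        return ("REJECT", "bad_amount")
    if amount == 0:  # planted weakness: negative amounts are not rejected
        return ("REJECT", "zero_amount")
    if txn.get("vendor") not in VENDOR_MASTER:
        return ("REJECT", "unknown_vendor")
    if amount > APPROVAL_LIMIT and not txn.get("approver"):
        return ("REJECT", "missing_approval")
    return ("ACCEPT", None)

# Constructed test deck: one case per situation the auditor wants covered,
# each paired with the outcome a properly controlled system must produce.
TEST_DECK = [
    ("T1 valid payment", {"vendor": "V001", "amount": "250.00"}, "ACCEPT"),
    ("T2 unknown vendor", {"vendor": "V999", "amount": "250.00"}, "REJECT"),
    ("T3 over limit, unapproved", {"vendor": "V002", "amount": "10000.01"}, "REJECT"),
    ("T4 over limit, approved",
     {"vendor": "V002", "amount": "10000.01", "approver": "cfo"}, "ACCEPT"),
    ("T5 exactly at limit", {"vendor": "V001", "amount": "10000.00"}, "ACCEPT"),
    ("T6 negative amount", {"vendor": "V001", "amount": "-50.00"}, "REJECT"),
    ("T7 non-numeric amount", {"vendor": "V001", "amount": "12x"}, "REJECT"),
    ("T8 NaN amount", {"vendor": "V001", "amount": "NaN"}, "REJECT"),
    ("T9 missing amount", {"vendor": "V001"}, "REJECT"),
]

def run_test_deck(system, deck):
    """Feed every test transaction to the system; return the exceptions."""
    exceptions = []
    for case_id, txn, expected in deck:
        actual, reason = system(txn)
        if actual != expected:
            exceptions.append((case_id, expected, actual, reason))
    return exceptions

if __name__ == "__main__":
    for exc in run_test_deck(process_disbursement, TEST_DECK):
        print("EXCEPTION: %s expected %s, system returned %s" % exc[:3])
```

An empty exception list is what supports reliance on the system; here the deck surfaces the missing edit check on negative amounts.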
When auditing in a CIS environment, the auditor focuses on the adequacy of controls over transactions, not on the
transactions themselves, as in manual systems.
The auditor should have sufficient knowledge of the CIS to plan, direct, supervise and review the work performed.
The auditor should consider whether specialized CIS skills are needed in an audit. These may be needed to:
- obtain a sufficient understanding of the accounting and internal control systems affected by the CIS
  environment.
- determine the effect of the CIS environment on the assessment of overall risk and of risk at the account
  balance and class of transactions level.
- design and perform appropriate tests of control and substantive procedures.
If specialized skills are needed, the auditor would seek the assistance of a professional possessing such skills, who
may be either on the auditor's staff or an outside professional. If the use of such a professional is planned, the
auditor should obtain sufficient appropriate audit evidence that such work is adequate for the purposes of the audit,
in accordance with PSA 620, "Using the Work of an Expert."
Planning
In accordance with PSA 315 (Redrafted), "Identifying and Assessing the Risk of Material Misstatements Through
Understanding the Entity and Its Environment," the auditor should obtain an understanding of the accounting and
internal control systems sufficient to plan the audit and develop an effective audit approach.
In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should
obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use in
the audit.
1. The significance and complexity of computer processing in each significant accounting application.
Significance relates to materiality of the financial statement assertions affected by the computer processing.
An application may be considered to be complex when, for example:
- the volume of transactions is such that users would find it difficult to identify and correct errors in
  processing.
- the computer automatically generates material transactions or entries directly to another application.
- transactions are exchanged electronically with other organizations (as in Electronic Data Interchange
  (EDI) Systems) without manual review.
2. The organization structure of the client's CIS activities and the extent of concentration or distribution of
computer processing throughout the entity, particularly as they may affect segregation of duties.
3. The availability of data. Source documents, certain computer files, and other evidential matter that may be
required by the auditor may exist for only a short period or only in machine-readable form. Client CIS may
generate internal reporting that may be useful in performing substantive tests. The potential for use of
computer-assisted audit techniques may permit increased efficiency in the performance of audit procedures,
or may enable the auditor to economically apply certain procedures to an entire population of accounts or
transactions.
When the CIS are significant, the auditor should also obtain an understanding of the CIS environment and whether it
may influence the assessment of inherent and control risks. The nature of the risks and the internal control
characteristics in CIS environments include the following:
1. Lack of transaction trails
Some CIS are designed so that a complete transaction trail that is useful for audit purposes might exist for
only a short period of time or only in computer-readable form. Where a complex application system
performs a large number of processing steps, there may not be a complete trail. Accordingly, errors
embedded in an application's program logic may be difficult to detect on a timely basis by manual
procedures.
In addition, decreased human involvement in handling transactions processed by CIS can reduce the potential for
observing errors and irregularities. Errors or irregularities occurring during the design or modification of application
programs or systems software can remain undetected for long periods of time.
2. Initiation or execution of transactions
CIS may include the capability to initiate or cause the execution of certain types of transactions
automatically. The authorization of these transactions or procedures may not be documented in the same
way as those in a manual system, and management's authorization of these transactions may be implicit in
its acceptance of the design of the CIS and subsequent modification.
Both the risks and the controls introduced as a result of these characteristics of CIS have a potential impact on
the auditor's assessment of risk, and the nature, timing and extent of audit procedures.
Assessment of Risk
The inherent risks and control risks in a CIS environment may have both a pervasive effect and an account-specific
effect on the likelihood of material misstatements, as follows:
- The risk may result from deficiencies in pervasive CIS activities such as program development and
  maintenance, systems software support, operations, physical CIS security, and control over access to
  networks, operating systems, programming and databases. These deficiencies would tend to have a
  pervasive impact on all application systems that are processed on the computer.
- The risks may increase the potential for errors or fraudulent activities in specific applications, in specific
  databases or master files, or in specific processing activities. For example, errors are not uncommon in
  systems that perform complex logic or calculations, or that must deal with many different exception
  conditions. Systems that control cash disbursements or other liquid assets are susceptible to fraudulent
  actions by users or by CIS personnel.
As new CIS technologies emerge, they are frequently employed by clients to build increasingly complex
computer systems that may include internal / external / intranet technologies, distributed databases, end-user
processing, and business management systems that feed information directly into the accounting systems. Such
systems increase the overall sophistication of CIS and the complexity of the specific applications that they affect.
As a result, they may increase risk and require further consideration.
Because of the speed of computers, these tests can sometimes be performed for an entire file rather
than for only a sample of transactions. Many auditors have generalized computer audit packages which
will run on most computers and perform many audit tasks.
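Testing an entire file rather than a sample, as an added example that is not part of the original text: it runs completeness, duplicate-payment and segregation-of-duties tests over every record of a disbursement register. The register contents and column names are constructed assumptions, not a real client export format.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed export of a disbursement register; column names are assumptions.
REGISTER = """check_no,vendor,invoice,amount,entered_by,approved_by
1001,V001,INV-77,1200.00,amy,raj
1002,V002,INV-80,560.00,amy,raj
1004,V001,INV-77,1200.00,ben,raj
1005,V003,INV-91,9800.00,ben,Ben
"""

def examine_register(text):
    """Run every test over every record and return the findings."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = {
        "record_count": len(rows),
        "control_total": sum(Decimal(r["amount"]) for r in rows),
        "sequence_gaps": [],
        "duplicate_payments": [],
        "self_approved": [],
    }
    # Completeness: check numbers missing from the sequence.
    numbers = sorted(int(r["check_no"]) for r in rows)
    for prev, cur in zip(numbers, numbers[1:]):
        findings["sequence_gaps"].extend(range(prev + 1, cur))
    paid = defaultdict(list)
    for r in rows:
        check_no = int(r["check_no"])
        # Same vendor, invoice and amount paid more than once.
        paid[(r["vendor"], r["invoice"], Decimal(r["amount"]))].append(check_no)
        # Segregation of duties: preparer and approver are the same user.
        if r["entered_by"].strip().lower() == r["approved_by"].strip().lower():
            findings["self_approved"].append(check_no)
    findings["duplicate_payments"] = [c for c in paid.values() if len(c) > 1]
    return findings

if __name__ == "__main__":
    for name, value in examine_register(REGISTER).items():
        print(name, value)
```

The record count and control total are agreed to the ledger before the other findings are relied on, so the auditor knows the file tested is the complete population.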