MODULE 1: AUDITING IN CIS ENVIRONMENT

ACC531

computer, its peripherals, other programs and sets of data to be used and the operator
AN OVERVIEW OF THE CIS ENVIRONMENT himself. The system software also translates programming languages.
i. Operating system – a set of highly complex set of programs designed to
serve as a means of communication between the computer and hardware
DATA PROCESSING – refers to the operations needed to collect and transform data into useful
and human operator; schedule, load, initiate and supervise the execution of
information. The equipment and procedures used through which the result is achieved constitute a data
programs; initiate and control input and output operations; and manage and
processing system. Data processing involves the basic operations of classifying, sorting, calculating,
control compilers and utility programs.
summarizing, recording, storing and communicating.
ii. Utility programs – a program or group of programs designed to perform
a. Manual data processing – the operations in the process are performed by hands, using pen or
commonly encountered data handling functions such as sorting files and
pencil.
copying data from one file to another.
b. Mechanical data processing – this method utilizes mechanical equipment’s such as office
iii. Compilers and interpreters – compilers are programs that translate high
machines and bookkeeping machines are utilized to increase speed and accuracy.
level languages (source code) into machine language (object code), which
c. Electronic data processing (EDP) – the data are converted into machine readable form and
can be placed into the main storage and executed. Interpreters exactly do
then processed through electronic impulses. The processing of data takes place in a computer at
the opposite of what compilers do.
incredibly high speed and with minimum human intervention.
 Applications software – programs that help the operator use the computer to do
specified tasks or to solve particular processing jobs.
COMPUTER SYSTEM – refers collectively to all the interconnected hardware including the
processors, storage devices, input/output devices and communications equipment.
c. Computer installations – are the facilities where the computer hardware and personnel are
a. Computer hardware – the physical device that comprise a computer system. The principal
located. Computer installations are generally organized into one of the following categories:
hardware component is the central processing unit (CPU) which performs the processing
 In-house or captive computer – the organization owns or leases the equipment and
functions which include the storage of information, arithmetic and logic operations and control.
hires the necessary trained personnel to program, operate and control the various
Additionally, the CPU controls the input and output devices.
applications processed with the equipment.
 Main storage unit – used to temporarily store programs and data for processing.
 Service bureau computer– the computer is used by an independent agency which
 Arithmetic and logic unit – performs the arithmetic tasks (addition, subtraction,
rents computer time and provides programming, key punching and other services.
multiplication and division), comparisons and other types of data transformations.
The user organization pays only for the computer time and other services it uses.
The data and instructions needed for the operation are called from the computer’s
 Time sharing – under this system, the organization acquires a keyboard device
main storage. After the operation, the results are returned to the main storage unit.
capable of transmitting and receiving data and by agreement, the right to use a
 Control unit – regulates the activities of the other devices by retrieving machine
central computer facility. This facility will furnish service to several users at the
language instructions from the main storage units and then interpreting instructions.
same time. The user company does most of its own programming and treats the
 Input devices – prepare and insert data and instructions into the computer after
computer as though the company were the one using it. When the company needs
translating them into computer language. Examples are the keyboards and bar code
service, it accesses the computer facility by means of a communication line, submits
reader.
its user number and password, calls for its files and then begins to process the
 Output devices – translate the processed data back into the language of written words
necessary data.
out of the computer to the accountant or other users. Examples are the monitor and
 Facilities management – falls somewhere between the captive computer and the
printers.
service bureau computer categories. Under this system, the organization needing
computer services may lease or purchase the necessary hardware and install it on its
b. Computer software – the programs, routines and procedures used to direct the functions of a
own premises. Then by negotiation, an outside contractor with the necessary staff of
computer system.
programmers and operators agrees to manage the facility. In some instances, the
 Systems software – operates the computer system and performs routine tasks for the
contractor may own or lease the equipment.
users. It helps the operator use the machine and generates interaction between the
 e. Mesh or double star topology – similar to star topology but with greater redundancy. It offers
STAND-ALONE PERSONAL COMPUTERS the greatest resiliency but most expensive to implement.
f. Client-server architecture – distributes the processing between the user’s (client’s) computer
A personal computer (PC) can be used in various configurations. These includes: and the central file server. Both types of computers are part of the network but each is assigned
a. A stand-alone workstation operated by a single user or a number of users at different times. functions that it best performs. This approach reduces data communications traffic, thus
b. A workstation which is a part of a local area network (LAN) of PCs. reducing queues and increasing response time.
c. A workstation connected to a server.
g. Cloud computing – is an internet based computing whereby shared resources, software and
In a stand-alone PC environment, it may not be practicable or cost-effective for management to information are provided to computers and other devices on demand like the electricity grid. In
implement sufficient controls to reduce risks of undetected error to a minimum level. After obtaining the general, the customers do not own the physical infrastructure, instead avoiding capital
understanding of the accounting system and control environment, the auditor may find it more cost expenditure by renting usage from a third party provider. They consume resources as a service
effective not to make further review of general controls or application controls, but to concentrate audit and pay only for resources that they use.
efforts on substantive audit procedures.

NETWORK ENVIRONMENT

A network environment is a communication system that enables computer users to share computer
equipment, application software, data and voice and video transmissions. A file server is a computer with
an operating system that allows multiple users in a network to access software applications and data files.
Basic type of networks includes:
a. Local area network (LAN) – an arrangement where two or more personal computers are Figure 1 – Forms of Network Topology
linked together through the use of special software and communication lines. A LAN allows
the sharing of resources such as storage facilities and printers. Some devices and peripherals are needed for a network to exist and properly function. Computer
b. Wide area network (WAN) – created to connect two or more geographically separated LANs. networks warrant or may warrant the use:
A WAN typically involves one or more long-distance providers, such as a telephone company a. Network interface cards (NICs) – are circuit boards used to transmit and receive commands
to provide the connections. and messages between a PC and a LAN.
c. Metropolitan area network (MAN) – a type of network that multiple buildings are close b. Modems – a device that modulates and demodulates signals. They are primarily used for
enough to create a campus but the space between the buildings is not under the control of the converting digital signals into quasi-analog signals for transmission over analog
company. communication channels and for reconverting the quasi-analog signals into digital signals.
c. Repeaters – offer the simplest form of interconnectivity. They merely generate or repeat data
A network’s topology pertains to how the various elements of the network are arranged. A network can packets or electric signals between cable segments.
be arranged in various forms as follows: d. Hubs – hubs concentrate connections. In other word, they take a group of hosts and allow the
a. Star topology – a network of computers with a large central computer (the host). The host network to see them as a single unit.
computer has direct connections to smaller computers, typically a desktop or laptop PCs. All e. Bridges – a bridge is a device that connects similar or dissimilar LANs together to form an
communications must go through the host computer, except for local computing. extended LAN. It can also connect LANs and WANs. Bridges are protocol independent
b. Hierarchical or tree topology – a host computer is connected to several levels of subordinate devices and are designed to store and forward frames destined for another LAN.
smaller computers in a master-slave relationship. f. Switches – workgroup switches add more intelligence to data transfer management. They can
c. Ring topology – this configuration eliminates the central site. All nodes in this configuration determine if data should remain on a LAN and transfer data only to the connection that needs
are of equal status (peers). In this arrangement, the responsibility for managing it. Another difference between a bridge and switch is that a switch does not convert data
communications is distributed among the nodes. Common resources that are shared by all transmission formats.
nodes can be centralized and managed by a file server that is also a node. g. Routers – routers have both LAN and WAN interfaces. Routers are the backbone devices of
d. Bus topology – the nodes are all connected to a common cable – the bus. Communications and large intranets and of the internet. They select the best path and switch packets to the proper
file transfers between workstations are controlled by a server. It is generally less costly to interface.
install than a ring topology.
 h. Gateways – used to connect LANs to host computers. Gateways act as translators between a. Database – composed of data which are set up with defined relationships and are organized in
networks using incompatible transport protocols. A gateway is used to interconnect networks a manner that permits many users to use the data in different application programs.
that may have different architectures. b. Database management system (DBMS) – software that creates, maintains and operates the
database. It is a special software system that is programmed to know which data elements each
Processing information in a network can also be done in various ways including: user is authorized to access. The user’s program sends requests for data to the DBMS, which
a. Centralized processing – a system where processing is done at a central location using validates and authorizes access to the database in accordance with the user’s level of authority.
terminals that are attached to a central computer. The computer itself may control all the If the user requests data that he or she is not authorized to access, the request is denied.
peripherals or they may be attached via terminal server.
b. Distributed data processing – a system with several computers that are connected for Database systems are characterized by:
communication and data transmission purposes but where each computer can also process its a. Data sharing – ability of a database to allow multiple users to access information at the same
own data. time.
c. End user computing – a system in which the end user is responsible for the development and b. Data independence – it refers to the immunity of user applications to make changes in the
execution of the computer application that he or she uses. definition and organization of data.

Database processing is dependent on an on-line/real time system.

Generally, internal control in a database environment requires effective controls over the database, the
ON-LINE COMPUTER SYSTEMS DBMS and the applications. User access to the database can be restricted through the use of passwords.
These restrictions apply to individuals, terminal devices and programs.
On-line computer systems are computer systems that enable users to access data and programs directly a. Discretionary access controls – allow users to specify who can access data they own and what
through terminal devices. Types of terminal devices used in on-line systems include: action privileges they have with respect to that data.
a. General purpose terminals – basic keyboard and screen, intelligent terminal, PCs. b. Mandatory access controls – require a database administrator to assign security attributes to
b. Special purpose terminals – point of sale devices and automated teller machines (ATMs). data that cannot be changed by database users. In effect, the users are not permitted to see or
On-line systems allow users to directly initiate various functions such as entering transactions, making update all data in the database.
inquiries, requesting reports, updating master files and conducting e-commerce activities. On-line
computer systems can be classified as follows: STYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION
a. On-line/real time processing – individual transactions are entered at terminal devices,
validated, and used to update related computer files immediately. SYSTEMS ANALYSIS AND DESIGN – a systematic approach to identifying problems, opportunities
b. On-line/batch processing – individual transactions are entered at a terminal device, subjected and objectives, analyzing the information flow in organizations and designing computerized information
to certain validation checks and added to a transaction file that contains other transactions systems to solve a problem. New systems are developed or acquired because of the following reasons:
entered during the period. Later, during a subsequent processing cycle, the transaction file may a. To answer a business need.
be validated further and then used to update relevant master file. b. To solve a particular set of problems.
c. On-line/memo update and subsequent processing – combines on-line/real time and on-
line/batch processing. Individual transactions immediately update a memo file containing To satisfy a company’s information processing needs, the company may use proprietary software
information that has been extracted from the most recent version of the master file. Inquiries packages or make use of its own company employees and/or consultants to develop a system (in-house
are made from this memo file. These same transactions are added to a transaction file for development). Fundamental approaches in developing in-house information system are prototyping and
subsequent validation and updating of the master file on a batch basis. pre-specifications.
d. On-line/inquiry processing – restricts users at terminal devices to making inquiries of On-
line downloading/uploading processing – on-line downloading refers to the transfer of data SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC) – a systematic approach to solving business
from a master file to an intelligent terminal device for further processing by a user. problems. The cycle involves a logical sequence of activities used to identify new systems needs and to
develop new systems to support those needs. Each phase in the cycle has unique activities and widely
DATABASE SYSTEMS varies from one organization to another.
a. Feasibility phase – involves systems planning and system evaluation and selection
Database systems have two components, namely:  System planning – aims to link individual system projects or application to the
strategic objectives of the firm.
  System evaluation and selection – an optimization process that seeks to identify the implementation and if certain correcting measures has to be made. Throughout the life of the
best system. system also, a continuing monitoring, evaluation and modification of the system has to be done
i. Perform a detailed feasibility study – should cover the technical, legal, to ensure that objectives are achieved or new needs or problems are addressed.
operational and schedule feasibility of the system.
ii. Perform a cost-benefit analysis – entail the use of capital budgeting The participants in the systems development are:
techniques. a. Systems professionals – are the system analysts, systems engineers and programmers. These
individuals actually build the system.
b. Requirement specification – involves systems analysis and conceptual systems design. b. End users – are those for whom the system is built.
 Systems analysis – involves two-step process involving first a survey of the current c. Stakeholders – are individuals either within or outside the organization who have an interest
system and then an analysis of the user’s needs. in the system but are not end users.
 Conceptual systems design – this stage’s purpose is to produce several alternative d. Accountants and auditors – are the individuals who address the controls, accounting and
conceptual systems that satisfy the system requirements identified during systems auditing issues for systems development. Accountants are involved in the SDLC in three ways
analysis. as users, as members of the development team and as auditors.

c. Systems design – the goal of this phase is to produce a detailed description of the proposed The SDLC process is of interest to accountants and auditors for two reasons:
system that both satisfies the system requirements identified during systems analysis and is in a. The creation of an information system entails significant financial transactions.
accordance with the conceptual design. In this phase, all components are meticulously b. The quality of accounting information rests directly on the SDLC activities that produce
specified. After completing this phase, the development team usually performs a system design accounting information systems.
walkthrough to ensure that the design is free from conceptual errors that could become
programmed into the final system. INTRODUCTION TO CIS AUDIT
d. Systems development and programming – programs are written to create the software
necessary to make the information system operational. This phase includes the following A CIS environment exists when a computer of any type or size is involved in the processing by the entity
activities: of financial information of significance to the audit; whether the computer is operated by the entity or by
 System specifications review. a third party.
 Program identification and description.
 Program coding. The overall objective and scope of an audit does not change in a CIS environment. However, a CIS
 Testing the application software. environment may affect:
 Documentation. a. The procedures followed in obtaining a sufficient understanding of the accounting and internal
control systems.
e. Systems conversion and implementation – database structures are created and populated with b. The consideration of inherent and control risk.
data, equipment is purchased and installed, employees trained, the system is documented and c. The design and performance of tests of controls and substantive procedures.
the new system is installed. Common approaches to systems conversion:
 Parallel conversion – operates the old and new system simultaneously. In this regard, the auditor should have sufficient knowledge of the CIS to plan, direct and review the
 Direct conversion – involves immediate conversion to the new system throughout work performed. If specialized skills are needed, the auditor would seek the assistance of a professional
the organization. possessing such skills, who may be either on the auditor’s staff or an outside professional.
 Phased conversion – the information system is implemented one module at a time by
either parallel or direct conversion. In planning the portions of the audit which may be affected by the client’s CIS environment, the auditor
 Pilot conversion – the new system is implemented by parallel, direct or phased should obtain an understanding of the significance and complexity of the CIS activities and the
conversion as a pilot system in only one of the several areas for which it is targeted. availability of data for use in the audit. When the CIS environment is significant, the auditor should also
 Prototype conversion – involves developing and putting into operation successively obtain an understanding of the CIS environment and whether it may influence the assessment of inherent
more refined versions of the system until sufficient information is obtained to and control risks.
produce a satisfactory design.

f. Post-implementation review and system maintenance – after implementing the system, a

critical examination of the system must be made so as to check on the progress of the
The auditor should consider the CIS environment in designing audit procedures to reduce the audit risk d. Ease of access to data and computer programs – data and computer programs may be
to an acceptably low level. The auditor can use either manual audit procedures or computer assisted audit accessed and altered at the computer or through the use of computer equipment at remote
techniques (CAATs) or a combination of both to obtain sufficient evidential matter. locations. Therefore, in the absence of appropriate controls, there is an increased potential for
unauthorized access to, an alteration of, data and programs by persons inside or outside the
An audit in a CIS environment is generally divided into three phases: entity.
a. Audit planning – this phase consists of both short-term planning and long-term planning and
has risk analysis as one of its major part. DESIGN AND PROCEDURAL ASPECTS – the development of CIS will generally result in design
 Short-term planning – takes into account audit issues that will be covered during the and procedural characteristics that are different from those found in manual systems. These different
year. Long-term planning – relates to audit plans that will take into account risk- design and procedural aspects of CIS include:
related issues regarding changes in the organization’s IT strategic direction that will a. Consistency of performance – CIS perform functions exactly as programmed and are
affect the organization’s IT environment. potentially more reliable than manual systems, provided that all transaction types and
 Risk analysis – helps identify risks and vulnerabilities so the auditor can determine conditions that could occur are anticipated and incorporated into the system. On the other hand,
the controls needed to mitigate those risks. The auditor is often focused toward high- a computer program that is not correctly programmed and tested may consistently process
risk issues associated with confidentiality, availability or integrity of sensitive and transactions or other data erroneously.
critical information and the underlying information systems and processes that b. Programmed control procedures – the nature of computer processing allows the design of
generate, store and manipulate such information. internal control procedures in computer programs.
b. Test of controls or compliance testing – to determine whether adequate internal controls are c. Single transaction update of multiple or data-based computer files – a single input to the
in place and functioning properly. accounting system may automatically update all records associated with the transaction.
c. Substantive testing – can be performed either with or without the use of computers. Also, the d. Systems generated transactions – certain transactions may be initiated by the CIS itself
auditor must consider that in a CIS environment, the information needed to perform without the need for an input document.
substantive tests is contained in data files that often must be extracted using computer assisted e. Vulnerability of data and program storage media – large volumes of data and the computer
audit tools and techniques (CAATs) software. programs used to process such data may be stored on portable or fixed storage media, such as
magnetic disks and tapes. These media are vulnerable to theft, loss or intentional or accidental
CHARACTERISTICS AND CONSIDERATIONS IN A CIS ENVIRONMENT destruction.

ORGANIZATIONAL STRUCTURE – characteristics of a CIS organizational structure includes: INTERNAL CONTROL IN A CIS ENVIRONMENT – GENERAL CONTROLS
a. Concentration of function and knowledge – although most systems employing CIS methods
will include certain manual operations, generally, the number of persons involved in the GENERAL CIS CONTROLS – relate to all EDP applications and are implemented to establish a
processing of financial information is significantly reduced. framework of overall control over the CIS activities and to provide a reasonable level of assurance that
b. Concentration of programs and data – transaction and master file data are often the overall objectives of internal controls are achieved. General controls may include:
concentrated, usually, in machine-readable form, either, in one computer installation located a. Organization and management controls – designed to define strategic direction and establish
centrally or in a number of installations distributed throughout the entity. an organizational framework over CIS activities, including:
NATURE OF PROCESSING – the use of computers may result in the design of systems that provides  Strategic information technology plan.
less visible evidence than those using manual procedures. In addition, these systems may be accessible  CIS policies and procedures.
by a larger number of persons. System characteristics that may result from the nature of CIS processing  Segregation of incompatible functions.
include:  Monitoring of CIS activities performed by third party consultants.
a. Absence of input documents – data may be entered directly into the computer system without b. Development and maintenance controls – designed to provide reasonable assurance that
supporting document. In some on-line transaction systems, written evidence of individual data systems are developed or acquired, implemented and maintained in an authorized and efficient
entry authorization may be replaced by other procedures such as authorization controls manner. They also typically designed to establish control over:
contained in computer programs.  Project initiation, requirements definition, systems design, testing, data conversion,
b. Lack of visible audit trail – the transaction trail may be partly in machine-readable form and go-live decision, migration to production environment, documentation of new or
may exist only for a limited period of time. revised systems and user training.
c. Lack of visible output – certain transactions or results of processing may not be printed or  Acquisition and implementation of off-the-shelf packages.
only a summary of data may be printed.  Request for changes to the existing systems.
 Acquisition, implementation and maintenance of system software.
 c. Delivery and support controls – designed to control the delivery of CIS services including:  CIS Director – exercise control over the CIS operation.
 Establishment of service level agreements against which CIS services are measured.  Systems analyst – designs new systems, evaluates and improves existing systems and
 Performance and capacity management controls. prepares specifications for programmers.
 Event and problem management controls.  Programmers – guided by the specifications of the systems analyst, the programmers
 Disaster recovery/contingency planning, training and file backup. write a program, tests and debugs such programs and prepares the computer
 Computer operations controls. operating instructions.
 Systems security. i. Systems programmer – in charge of programs that make the hardware
 Physical and environment controls. works such as operating systems, telecommunications monitor and
database management system.
d. Monitoring controls – designed to ensure that CIS controls are working effectively as ii. Applications programmer – in charge of programs for specific use.
planned. These include:  Computer operator – using the program and detailed operating instructions prepared
 Monitoring of key CIS performance indicators. by the programmer, the computer operator operates the computer to process
 Internal/external CIS audits. transactions.
 Data entry operator – prepares and verifies input data for processing.
Alternatively, general controls can be categorized into the following domains as per AICPA audit guide:  Data Librarian – maintains custody of systems documentation, programs and files.
a. Organizational and operation controls – segregation of duties provides the control  Control group – reviews all input procedures, monitors computer processing,
mechanism for maintaining an independent processing environment, thus meeting control follows up data processing errors, reviews the reasonableness of output and
objectives. distributes output to authorized personnel.
 Segregate functions between the EDP department and user departments. b. Systems development and documentation controls – within EDP, new systems are
 Do not allow EDP department to initiate or authorize transactions. developed that either replace an old system or enhance present systems. This environment
 Segregate functions within the EDP department. requires unique controls to ensure that the integrity of the overall system is maintained.
 User department must participate in systems design.
Auditor’s test of control - should include inquiry, observation, discussion and review of an  Each system must have written specifications which are reviewed and approved by
appropriate organization chart, responsibility for initiating and authorizing transactions, management and by user departments.
discrepancies should be reported and the appropriate controls recommended.  Both users and EDP personnel must test new systems.
 Management, users and EDP personnel must approve new systems before they are
place into operation.
 All master file and transaction file conversion should be controlled to prevent
unauthorized changes and to verify the results on a 100% basis.
 After a new system is operating, there should be proper approval of all program
changes.
 Proper documentation standards should exist to assure continuity of the system.

Auditor’s test of control – should determine that the system development procedures that exist
are properly functioning and are adequately documented and that all documentation pertaining
to procedures, programs or methodologies, should be up to date and written in clear and
concise language.

c. Hardware and systems software controls – the reliability of EDP hardware has increased
dramatically over the years not only due to the advancements in technology but also due to the
controls built into the mechanism to detect and prevent equipment failures.
 Auditor should be aware of the control features inherent in computer hardware,
Figure 5 – Sample Organizational Structure Within a CIS Department operating system and other supporting software and ensure that they are utilized to
the maximum possible extent.
  Systems software should be subjected to the control procedures as those applied to authorization to process transactions. An independent party should review and evaluate
installation of and changes to application programs. proposed systems at critical stages of development and review and test computer processing
 Examples of hardware and software controls include: activities.
i. Parity check – a special bit is added to each character stored in memory  A control group should receive all data to be processed, ensure that all data are
that can detect if the hardware loses a bit during the internal movement of a recorded, follow up errors during processing and determine that transactions are
character. corrected and resubmitted by the proper user personnel and verify the proper
 Echo check – primarily used in telecommunications transmissions. During the distribution of output.
sending and receiving of characters, the receiving hardware repeats back to the  To prevent unnecessary stoppages or errors in processing, the following specific
sending hardware what it received and the sending hardware controls should be implemented:
ii. automatically resends any characters that it detects were received i. Operations run manual – specifies in details, the “the how to’s” for each
incorrectly. application to enable the computer operator to respond to any errors that
iii. Diagnostic routines – hardware or software supplied by the manufacturer may occur.
to check the internal operations and devices within the computer system. ii. Backup and recovery – to ensure preservation of historical records and the
These routines are often activated when the system is booted up. ability to recover from an unexpected error, files created within EDP are
iv. Boundary protection – most CPUs have multiple jobs running backed up in a systematic manner (i.e. “snapshot” in a database system,
simultaneously. To ensure that these simultaneous jobs cannot destroy or grand-father-son method, off-site storage of critical files)
change the allocated memory of another job, the system contains boundary iii. Contingency processing – detailed contingency processing plans should be
protection controls. developed to prepare for natural disasters, man-made disasters or general
v. Periodic maintenance – the system should be examined periodically by a hardware failures that disable the data center (i.e. very hot sites, hot sites
qualified service technician to help prevent unexpected hardware failures. and cold sites)
iv. File protection ring – used to ensure that an operator does not use a
Auditor’s test of control – should test whether the controls are functioning as intended. In magnetic tape as a tape to write on when it actually has critical information
addition, audit software can be used to analyze the data collected by the diagnostic routines and on it.
detect significant trends. v. Internal and external labels – allows the computer operator to determine
whether the correct file has been selected for processing.
d. Access controls – the computer system should have adequate security controls to protect
equipment, files and programs. Auditor’s test of control – normally include identification, observation and inquiry. While
 Access to program documentation should be limited to those persons who require it some of the data and procedural controls are easy to implement, other controls such as
in the performance of their duties. contingency processing are more difficult and costly to implement. The auditor should
 Access to data files and programs should be limited to those individuals authorized to determine that these controls are either present or that management has accepted the related
process data. risks and that all exceptions are scrutinized.
 Access to computer hardware should be limited to authorized individuals such as
computer operators and their supervisors. INTERNAL CONTROL IN A CIS ENVIRONMENT – APPLICATION CONTROLS
 Access to the EDP environment is affected both physically and electronically.
i. Physical access controls – limited physical access (i.e. guard, automated CIS APPLICATION CONTROLS – relate to a specific application instead of multiple applications
key cards, manual key locks as well as new access through fingerprints or and are implemented to establish specific control procedures over the application systems in order to
palm prints) and use of ID badge and visitor entry logs. provide reasonable assurance that all transactions are authorized, recorded and are processed completely,
ii. Electronic access controls – access control software/user identification (i.e. accurately and on a timely basis. CIS application controls include:
identification code and passwords), call back and encryption boards. a. Controls over input – designed to provide assurance that:
 Transactions are properly authorized before being processed by the computer.
Auditor’s test of control – include attempting to violate the system, either physically or  Transactions are accurately converted into machine readable form and recorded in
electronically, or reviewing any unauthorized access that has been recorded. The tests should the computer data files.
also ensure that all security violations are followed up on to ensure they are errors.  Transactions are not lost, added, duplicated or improperly changed.
e. Data and procedural controls – a written manual of systems and procedures should be  Incorrect transactions are rejected, corrected and if necessary, resubmitted on a
prepared for all computer operations and should provide for management’s general or specific timely basis.
 b. Controls over processing and computer data files – designed to provide a reasonable
Input controls attempt to ensure the validity, accuracy and completeness of data entered into a assurance that:
CIS. Input controls may be subdivided into:  Transactions, including system generated transactions, are properly processed by the
 Data observation and recording, includes: computer.
i. The use of pre-numbered and pre-printed documents.  Transactions are not lost, added, duplicated or improperly changed.
ii. Keeping blank forms under lock and key.  Processing errors are identified and corrected on a timely basis.
iii. Online computer systems offer menu screens, preformatted screens, use of
scanners that read bar codes and use of feedback mechanisms to approve a Processing controls help assure that data are processed accurately and completely and that no
transaction. unauthorized transactions are included, that proper files and programs are included and that all
iv. Self-checking digit – mathematically calculated digit which is usually transactions can be easily traced. Processing controls include:
added to a document number to detect common trans positional errors in  Manual cross checks – include checking the work of another employee,
data submitted for processing. reconciliations and acknowledgments.
 Data transcription (batching and converting), includes:  Processing logic checks – many of the programmed edit checks used in the input
i. Carefully structured source documents and input screens. stage may also be employed during processing.
ii. Control totals – computed based on the data submitted for processing.  Run-to-run totals – batched data should be controlled during processing runs so that
They are further categorized into financial/amount control/ batch/proof no records are omitted or incorrectly inserted into a transaction filed.
total, hash total and record count.  File and program changes – to ensure that transactions are posted to the proper
iii. Key verification requiring data to be entered twice. account, master files should be checked for correctness and programs should be
iv. Visual verification validated.
 Edit tests of transaction data, includes: Audit trail linkages – a clear audit trail is needed to enable individual transactions to be traced, to
i. Validity check – a check which allows only valid transactions or data to be provide support in general ledger balances, to prepare financial reports and to correct transaction errors
entered into the system (i.e. M – male; F – female). or lost data. AUDIT APPROACHES AND CAATs
ii. Reasonableness and limit check – these tests determine whether amounts
entered are too high, too low or unreasonable (i.e. hours work should not A CIS audit may be done in two major approaches and some add a third approach as follows:
exceed 40 hours a week and increase in salary is reasonable compared to a. Auditing around the computer – the auditor ignores or bypasses the computer processing
salary base). function of an entity’s EDP system. This approach focuses on examining source documents or
Field check – a check that makes certain that only numbers, alphabetical characters, special input and checking the final output based on those documents. This method can only be used if
characters and proper negative and positive signs are accepted into a specific data all of the following conditions are met:
iii. field where they are required (i.e. numbers do not appear in fields reserved  The source documents must be available in a form readable by a human.
for words).  The documents must be maintained in a manner that makes it possible to locate them
iv. Sequence check – a check that requires successive input data are in some for auditing purposes.
prescribed order to avoid missing out an input.  The output must be listed in sufficient detail to enable the auditor to trace individual
v. Field size check – requires an error message to result if an exact number of transactions from the source documents to the output and vice versa.
characters are to be inputted and is not met. b. Auditing through the computer – the auditor enters the client’s system and examines directly
vi. Logic check – ensures that illogical combinations of inputs are not accepted the computer and its system and application software. The focus of this approach is on the
into the computer. effectiveness of computer controls.
vii. Range check – particular fields fall within specified ranges. c. Auditing with the computer – the computer is used as an audit tool.
 Transmission of transaction data, includes:
i. Echo check – transmitting data back to the originating terminal for COMPUTER ASSISTED AUDIT TOOLS/TECHNIQUES (CAATs) are computer programs and
comparison with the transmitted data. data the auditor uses as part of the audit procedures to process data of audit significance contained in an
ii. Redundancy data check – transmitting additional data to aid in the entity’s information systems. The data may be transaction data on which the auditor wishes to perform
verification process. tests of controls or substantive procedures or they may be other types of data.
iii. Completeness check – verifying that all required data have been entered
and transmitted. CAATs may be used in performing various auditing procedures, including the following:
a. Tests of details of transactions and balances.
 b. Analytical procedures. b. Encryption – involves conversion of plain text data to cipher text data to make EDI messages
c. Tests of general controls. unreadable to unauthorized persons.
d. Sampling programs to extract data for audit testing. c. Value added network (VAN) controls – a VAN is a computer service organization that
e. Tests of application controls. provides network, storage and forwarding (mailbox) services for EDI messages.
f. Reperforming calculations performed by the entity’s accounting systems. b. Code comparison – programs that allow the auditor to compare computerized files.
c. Flowcharting software – used to produce a flowchart of a program’s logic and may be used
CAATs FOR TEST OF CONTROLS both in mainframe and microcomputers.
d. Program tracing and mapping – program tracing is a technique in which instruction executed
PROGRAM ANALYSIS – techniques that allow the auditor to gain an understanding of the client’s is listed along with control information affecting that instruction. Program mapping identifies
program. sections of code which may be a potential source of abuse.
a. Code review – involves actual analysis of the logic of the program’s processing routines. e. Snapshot – this technique takes a picture of the status of program execution, intermediate
 results or transaction data at specified processing points in the program.

c. Controls over output – designed to provide reasonable assurance that: PROGRAM TESTING – involves the use of auditor-controlled actual or simulated data.
 Results of processing are accurate. a. Historical audit techniques – test the audit computer controls at a point in time.
 Access to output is restricted to authorized personnel.  Test data – a set of dummy transactions specifically designed to test the control
 Output is provided to appropriate authorized personnel on a timely basis. activities that management claims to have incorporated into the processing programs.
Test data shifts control over processing to the auditor by using the client’s software
The following controls are frequently used to maintain the integrity of processing: to process auditor prepared test data that includes both valid and invalid conditions.
 Control total – are compared with those computed prior to processing to ensure If embedded controls are functioning properly, the client’s software should detect all
completeness of information. the exceptions planted in the auditor’s test data. This technique would be ineffective
 Limiting the quantity of output and total processing time if the client does not use the software tested.

REVIEW OF CIS CONTROLS – general CIS controls that relate to some or all applications are
typically interdependent controls in that their operation is often essential to the effectiveness of CIS
application controls. Also, the general CIS controls may have a pervasive effect on the processing of
transactions in application systems. If these controls are not effective, there may be a risk that
misstatements might occur and go undetected in the application system. Thus, weakness in general CIS
controls may preclude testing certain CIS application controls. Accordingly, it may be more efficient to
review the design of the general controls first before reviewing the applications controls. CIS application
controls which the auditor may wish to test include:
a. Manual controls exercised by the user.
b. Controls over system output.
c. Programmed controls procedures.

ELECTRONIC DATA INTERCHANGE

Electronic data interchange (EDI) is the electronic exchange of transactions from one entity’s computer
to another entity’s computer through an electronic communications network. In electronic fund transfers, Figure 2 – Test Data
for example, electronic transactions replace checks as a means of payment. EDI controls include:
a. Authentication – controls must exist over the origin, proper submission and proper delivery of  Base case system evaluation (BCSE) – develops test data that purports to test every
EDI communications to ensure that the EDI messages are accurately sent and received to and possible condition that an auditor expects a client’s software will confront. BCSE
from authorized customers and suppliers. provides an auditor with much more assurance than test data alone but it is expensive
to develop and therefore cost-effective only in large computer systems.
 Integrated test facility - a variation of test data whereby simulated data and actual
data are run simultaneously with the client’s program and computer results are b. Continuous audit techniques – test the audit computer controls throughout the period.
compared with auditor’s predetermined results. The technique provides assurance  Audit modules – programmed audit routines incorporated into application programs
that the software tested is actually used to prepare financial reports. that are designed to perform an audit function such as a calculation or logging
activity.
 System control audit review files (SCARFs) – logs that collect transaction
information for subsequent review and analysis by the auditor.
 Audit hooks – “exits” in an entity’s computer program that allows an auditor to
insert commands for audit processing.
 Transaction tagging – a transaction record is “tagged” and then traced through
critical points in the information system.
 Extended records – this technique attaches additional audit data which would not
otherwise be saved to regular historic records and thereby helps to provide a more
complete audit trail.

REVIEW OF OPERATING SYSTEM AND OTHER SYSTEMS SOFTWARE

a. Job accounting data/operating system logs – these logs that track particular functions,
include reports of the resources used by the computer system. The auditor may be able to use
Figure 3 – Integrated Test Facility them to review the work processed, to determine whether unauthorized applications were
processed and to determine that authorized applications were processed properly.
 Parallel simulation – it involves processing of client’s live (actual) data utilizing an b. Library management software – this logs changes in programs, program modules, job
auditor’s generalized audit software. If an entity’s controls have been operating control language and other processing activities.
effectively, the client’s software should generate the same exceptions as the same as c. Access control and security software – this restricts access to computers to authorized
the auditor’s software. This technique should be performed on a surprise basis if personnel through techniques such as only allowing certain users with “read-only” access or
possible. through use of encryption.

OTHER CAATs

Other techniques which an auditor can use in the audit under a CIS environment include:
a. Audit software – computer programs used to process data of audit significance from the
client’s accounting system.
 Package programs (also known as generalized audit software) – programs that can
be used in numerous clients. They can be designed to perform different audit tasks
such as:
 Purpose-written programs (also known as special-purpose or custom-designed
programs) – computer programs designed for specific audit tasks.
 Utility programs – part of the systems software that performs routine CIS tasks.
They are generally not designed for audit purposes.
b. Electronic spreadsheets – contain a variety of pre-defined mathematical operations and
functions that can be applied to data entered into the cells of a spreadsheet.
c. Automated work paper software – designed to generate a trial balance, lead schedules and
Figure 4 – Parallel Simulation other reports useful for the audit. The schedules and reports can be created once the auditor has
either manually entered or electronically imported through using the client’s account balance
 Control reprocessing – a variation of parallel simulation which involves processing information into the system.
of actual client data through a copy of the client’s application program.
 d. Text retrieval software – allow the user to view any text that is available in an electronic  Greater emphasis on tests of details of transactions and balances and analytical
format. The software program allows the user to browse through text files much as a user review procedures, which may increase the effectiveness of certain CAATs,
would browse through books. particularly audit software.
e. Database management systems – manage the creation, maintenance and processing of  The application of audit procedures to ensure the proper functioning of the CAATs
information. The data are organized in the form of predefined records and the database and validity of the entity’s data.
software is used to select, update, sort, display or print the records. b. In cases where smaller volumes of data are processed, manual methods may be more cost-
f. Public databases – may be used to obtain accounting information related to particular effective.
companies and industries. c. Adequate technical assistance may not be available to the auditor from the entity, thus, making
g. Word processing software the use of CAATs impracticable.
d. Certain audit package programs may not operate on small computers, thus, restricting the
auditor’s choice of CAATs. However, the entity’s data files may be copied and processed on
USING AND CONTROLLING CAATs another suitable computer.

Several factors are to be considered if CAATs should be used in the audit including:
a. Degree of technical competence in CIS.
b. Availability of CAATs and appropriate computer facilities.
c. Impracticability of manual tests.
d. Effectiveness and efficiency of CAATs.
e. Timing of test

Procedures to control the use of audit software may include:

a. Participating in the design and testing of computer programs.
b. Checking the coding of the program.
c. Requesting the client’s CIS personnel to review the operating system instructions.
d. Running the audit software on small test files before running them on main data files.
e. Ensuring that the correct files were used.
f. Obtaining evidence that the audit software functioned as planned.
g. Establishing appropriate security measures to safeguard against manipulation of the entity’s
data files.

Procedure to control the use of test data may include:

a. Controlling the sequence of submission of test data where it spans several processing cycles.
b. Performing test runs.
c. Predicting the results of test data.
d. Confirming that the current version of the program was used.
e. Obtaining reasonable assurance that the programs used to process the test data were used by
the entity throughout the applicable audit period.

USING CAATs IN SMALL BUSINESS COMPUTER ENVIRONMENTS

The general principles outlined are applicable in small business computer environments. However, the
following points should be given special consideration in these environments:
a. The level of general CIS controls may be such that the auditor will place less reliance on the
system of internal control resulting in: REVIEW QUESTION:
 processing.
c. Multi-processing allows the sharing of a central memory during processing.
MULTIPLE CHOICE. Read carefully the questions below and choose the best statement d. Multi-processing allows multiple programs to be executed at exactly the same
among the choices. Write the letter corresponding to your answer on the sheet provided along time.
with this questionnaire. Erasures are strictly not allowed.
6. The most common type of primary storage in a computer is referred to as:
1. Which statement is correct regarding personal computer systems? a. CMAN.
a. Personal computers or PCs are economical yet powerful self-contained general b. RAM.
purpose computers consisting typically of a central processing unit (CPU), c. ROM.
memory, monitor, disk drives, printer cables and modems. d. Flash memory.
b. Programs and data are stored only on non-removable storage media.
c. Personal computers cannot be used to process accounting transactions and 7. Which of the following is not a basis of classifying an on-line computer system?
produce reports that are essential to the preparation of financial statements. a. How information is processed.
d. Generally, CIS environments in which personal computers are used are the b. How information is entered into the system.
same with other CIS environments. c. When the results are available to the user.
d. The type of information to be processed.
2. Which computer application is most frequently used to analyze numbers and financial
information?
a. Computer graphics programs. 8. Which statement is incorrect regarding personal computer configurations?
b. WAN applications. a. The stand-alone workstation can be operated by a single user or a number of
c. Spreadsheets. users at different times accessing the same or different programs.
d. Word processing programs. b. A stand-alone workstation may be referred to as a distributed system.
c. A local area network is an arrangement where two or more personal computers
3. Analysis of data in a database using tools which look for trends or anomalies without are linked together through the use of special software and communication
knowledge in advance of the meaning of the data is referred to as: lines.
a. Artificial intelligence. d. Personal computers can be linked to servers and used as part of such systems,
b. Data mining. for example, as an intelligent on-line workstation or as part of a distributed
c. Virtual reality. accounting system.
d. Transitory analysis.
9. Computer systems that enable users to access data and programs directly through
4. Which of the following lists comprises of the components of the data processing cycle? workstations are referred to as:
a. Batching, processing, output. a. On-line computer systems.
b. Collection, refinement, processing, maintenance, output. b. Personal computer systems
c. Input, classifying, batching, verification, transmission. c. Database management systems (DBMS).
d. Collection, refinement, storing, output. d. Database systems.

5. Two of the most common advanced processing procedures are multi-processing and 10. On-line systems allow users to initiate various functions directly. Such functions
multi-programming. Which one of the following statements about these processing include:
procedures is false? a. Entering transactions.
a. Multi-programming allows multiple programs to be executed at exactly the b. Making inquiries
same time. c. C. Requesting reports.
b. Multi-programming switches back and forth between programs during d. Updating master files.
 locations all at the same time.
a. A, B, C and D.
b. A, B and C. 13. It is a communication system that enables computer users to share computer
c. A and B. equipment, application software, data and voice and video transmissions.
d. A and D.
a. Network.
11. Many different types of workstations may be used in on-line computer systems. The b. File server.
functions performed by these workstations least likely depend on their: c. Host.
d. Client.
a. Logic.
b. Transmission. 14. A type of network that multiple buildings are close enough to create a campus, but
c. Storage. the space between the buildings is not under the control of the company is:
d. Cost. a. Local Area Network (LAN).
b. Metropolitan Area Network (MAN).
c. Wide Area Network (WAN).
d. World Wide Web (WWW).

15. Which of the following is least likely a characteristic of Wide Area Network (WAN)?
12. Which statement is incorrect regarding workstations? a. Created to connect two or more geographically separated LANs.
a. Workstations may be located either locally or at remote sites. b. Typically involves one or more long-distance providers, such as a telephone company
b. Local workstations are connected directly to the computer through cables. to provide the connections.
c. Remote workstations require the use of telecommunications to link them to the c. WAN connections tend to be faster than LAN.
computer. d. Usually more expensive than LAN.
d. Workstations cannot be used by many users, for different purposes, in different
NOTE: Answers to the illustrative problems shall be discussed either thru face to face or online depending on the current situation.

REFLECTION
Summary Clarifications