AUDITING IN A COMPUTER INFORMATION SYSTEMS (CIS) ENVIRONMENT

Related PSAs/PAPSs: PSA 401; PAPS 1001, 1002, 1003, 1008 and 1009

PSA 401 – Auditing in a Computer Information Systems (CIS) Environment

• A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.
• The auditor should consider how a CIS environment affects the audit.
• The use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.

In a CIS environment -
• The auditor needs to obtain a sufficient understanding of the accounting and internal control system affected by the CIS environment.
• The auditor needs to determine the effect of the CIS environment on the assessment of overall risk and of risk at the account balance and class of transactions level.
• The auditor needs to design and perform appropriate tests of controls and substantive procedures.

Significance - relates to the materiality of the financial statement assertions affected by the computer processing.

The following indicate complexity of computer processing:
• Transactions are exchanged electronically with other organizations without manual review of their propriety.
• The volume of the transactions is such that users would find it difficult to identify and correct errors in processing.
• The computer automatically generates material transactions or entries directly to other applications.

The nature of the risks and the internal characteristics in a CIS environment with which auditors are mostly concerned include the following:
• Lack of segregation of functions.
• Lack of transaction trails.
• Dependence of other controls over computer processing.

The following are the risk characteristics associated with a CIS environment:
• Errors embedded in an application’s program logic may be difficult to detect manually on a timely basis.
• Many control procedures that would ordinarily be performed by separate individuals in a manual system may be concentrated in the CIS.
• The potential for unauthorized access to data, or to alter them without visible evidence, may be greater.

The auditor should understand the following about the significance and complexity of the CIS activities:
• The organizational structure of the client’s CIS activities.
• Lack of transaction trails.
• The significance and complexity of computer processing in each significant accounting application.

PAPS 1001 – CIS Environments – Stand-Alone Personal Computers

Personal computers or PCs are economical yet powerful self-contained general purpose computers consisting typically of a central processing unit (CPU), memory, monitor, disk drives, printer cables and modems.

A personal computer can be used in various configurations, including:
• A stand-alone workstation operated by a single user or a number of users at different times.
• A workstation which is part of a local area network of personal computers.
• A workstation connected to a server.

Personal computer configurations can be:
• The stand-alone workstation can be operated by a single user or a number of users at different times accessing the same or different programs.
• A local area network is an arrangement where two or more personal computers are linked together through the use of special software and communication lines.
• Personal computers can be linked to servers and used as part of such systems, for example, as an intelligent on-line workstation or as part of a distributed accounting system.

Characteristics of personal computers:
• They are small enough to be transportable.
• They can be placed in operation quickly.
• The operating system software is less comprehensive than that found in larger computer environments.

A software package is typically used without modification of the programs.

A hard disk is not normally a removable storage medium.

A virus is a computer program (a block of executable code) that attaches itself to a legitimate program or data file and uses it as a transport mechanism to reproduce itself without the knowledge of the user.

Internal control in a personal computer environment includes the following:
• Generally, the CIS environment in which personal computers are used is less structured than a centrally-controlled CIS environment.
• Controls over the system development process and operations may not be viewed by the developer, the user or management as being as important or cost-effective.
• In almost all commercially available operating systems, the built-in security provided has gradually increased over the years.

Personal computers are susceptible to theft, physical damage, unauthorized access or misuse of equipment. Physical security to restrict access to personal computers when not in use includes the following:
• Using door locks or other security protection during non-business hours.
• Fastening the personal computer to a table using security cables.
• Locking the personal computer in a protective cabinet or shell.

The following are controls over removable storage media to prevent misplacement, alteration without authorization or destruction:
• Placing responsibility for such media under personnel whose responsibilities include duties of software custodians or librarians.
• Using a program and data file check-in and check-out system and locking the designated storage locations.
• Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof container, either on-site, off-site or both.

The following procedures protect critical and sensitive information from unauthorized access in a personal computer environment:
• Using secret file names and hiding the files.
• Employing passwords.
• Segregating data into files organized under separate file directories.

Back-up - refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction.

The effect of personal computers on the accounting system and the associated risks will depend on:
• The extent to which the personal computer is being used to process accounting applications.
• The type and significance of financial transactions being processed.
• The nature of files and programs utilized in the applications.

The auditor may often assume that control risk is high in personal computer systems since it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected errors to a minimum level. This would least likely entail:
• More physical examination and confirmation of assets.
• Larger sample sizes.
• Greater use of computer-assisted audit techniques, where appropriate.

PAPS 1002 – CIS Environments – On-Line Computer Systems

On-line computer systems refer to computer systems that enable users to access data and programs directly through workstations.

On-line systems allow users to initiate various functions directly. Such functions include:
• Entering transactions
• Requesting reports
• Making inquiries
• Updating master files

Many different types of workstations may be used in on-line computer systems. The functions performed by these workstations depend on their:
• Logic
• Transmission
• Storage

Types of workstations include:
• General Purpose Terminals
• Special Purpose Terminals

Special Purpose Terminals include point of sale devices.

An Automated Teller Machine is a Special Purpose Terminal used to initiate, validate, record, transmit and complete various banking transactions.

Workstations may be located either locally or at remote sites. Local workstations are connected directly to the computer through cables. Remote workstations require the use of telecommunications to link them to the computer.

On-line computer systems may be classified according to:
• How information is entered into the system.
• How it is processed.
• When the results are available to the user.

In an on-line/real time processing system, individual transactions are entered at workstations, validated and used to update related computer files immediately.

On-Line/Memo Update (and Subsequent Processing) combines on-line/real time processing and on-line/batch processing.

A network is a communication system that enables computer users to share computer equipment, application software, data and voice and video transmissions.

A Metropolitan Area Network (MAN) is a type of network in which multiple buildings are close enough to create a campus, but the space between the buildings is not under the control of the company.

A Wide Area Network (WAN) has the following characteristics:
• Created to connect two or more geographically separated LANs.
• Typically involves one or more long-distance providers, such as a telephone company, to provide the connections.
• Usually more expensive than a LAN.

A gateway is a hardware and software solution that enables communications between two dissimilar networking systems or protocols.

A router is a device that works to control the flow of data between two or more network segments.

The following are the undesirable characteristics of on-line computer systems:
• Unlimited access of users to all of the functions in a particular application.
• Possible lack of visible transaction trail.
• Potential programmer access to the system.

Certain general CIS controls that are particularly important to on-line processing include:
• Access controls.
• System development and maintenance controls.
• Use of anti-virus software programs.

Certain CIS application controls that are particularly important to on-line processing include:
• Pre-processing authorization.
• Cut-off procedures.
• Balancing.

Risk of fraud or error in on-line systems may be reduced in the following circumstances:
• If on-line data entry is performed at or near the point where transactions originate, there is less risk that the transactions will not be recorded.
• If invalid transactions are corrected and re-entered immediately, there is less risk that such transactions will not be corrected and re-submitted on a timely basis.
• If data entry is performed on-line by individuals who understand the nature of the transactions involved, the data entry process may be less prone to errors than when it is performed by individuals unfamiliar with the nature of the transactions.

Risk of fraud or error in on-line computer systems may be increased for the following reasons:
• If workstations are located throughout the entity, the opportunity for unauthorized use of a workstation and the entry of unauthorized transactions may increase.
• Workstations may provide the opportunity for unauthorized uses such as modification of previously entered transactions or balances.
• If on-line processing is interrupted for any reason, for example, due to faulty telecommunications, there may be a greater chance that transactions or files may be lost and that the recovery may not be accurate and complete.

The following matters are of particular importance to the auditor in an on-line computer system:
• Authorization, completeness and accuracy of on-line transactions.
• Integrity of records and processing, due to on-line access to the system by many users and programmers.
• Changes in the performance of audit procedures including the use of CAATs.

PAPS 1003 – CIS Environments – Database Systems

Database – is a collection of data that is shared and used by a number of different users for different purposes.

Some characteristics of a database system include the following:
• Individual applications share the data in the database for different purposes.
• A software facility is required to keep track of the location of the data in the database.
• Coordination is usually performed by a group of individuals whose responsibility is typically referred to as "database administration."

Database administration tasks typically include:
• Defining the database structure.
• Maintaining data integrity, security and completeness.
• Coordinating computer operations related to the database.
• Monitoring system performance.
• Providing administrative support.

General CIS controls normally have a greater influence than CIS application controls on database systems due to data sharing, data independence and other characteristics of database systems.

General CIS controls of particular importance in a database environment may be described as:
• Since data are shared by many users, control may be enhanced when a standard approach is used for developing each new application program and for application program modification.
• User access to the database can be restricted through the use of passwords.
• Responsibilities for performing the various activities required to design, implement and operate a database are divided among technical, design, administrative and user personnel.

Mandatory access controls require a database administrator to assign security attributes to data that cannot be changed by database users.

History-dependent restriction is a discretionary access control wherein users are permitted or denied access to a data resource depending on the time series of accesses to, and actions they have undertaken on, data resources.

The effect of a database system on the accounting system and the associated risks will depend on:
• The extent to which databases are being used by accounting applications.
• The type and significance of financial transactions being processed.
• The nature of the database, the DBMS, the database administration tasks and the applications.

Audit procedures in a database environment will be affected principally by the extent to which the data in the database are used by the accounting system.

PAPS 1008 – Risk Assessments and Internal Control – CIS Characteristics and Considerations

The characteristics of a CIS organizational structure include:
• Certain data processing personnel may be the only ones with a detailed knowledge of the interrelationship between the source of data, how it is processed and the distribution and use of the output.
• Many conventional controls based on adequate segregation of incompatible functions may not exist, or in the absence of access and other controls, may be less effective.
• Transaction and master file data are often concentrated, usually in machine-readable form, either in one computer installation located centrally or in a number of installations distributed throughout an entity.

System characteristics that may result from the nature of CIS processing include:
• Absence of input documents.
• Lack of visible transaction trail.
• Lack of visible output.

The development of CIS will generally result in design and procedural characteristics that are different from those found in manual systems. These different design and procedural aspects of CIS include:
• Consistency of performance.
• Programmed control procedures.
• Vulnerability of data and program storage media.

In a CIS environment –
• Manual and computer control procedures comprise the overall controls affecting the CIS environment (general CIS controls) and the specific controls over the accounting applications (CIS application controls).
• The purpose of general CIS controls is to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved.
• The purpose of CIS application controls is to establish specific control procedures over the application systems in order to provide reasonable assurance that all transactions are authorized and recorded, and are processed completely, accurately and on a timely basis.

General CIS controls may include:
• Organization and management controls.
• Delivery and support controls.
• Development and maintenance controls.

CIS application controls include:
• Controls over input.
• Controls over processing and computer data files.
• Controls over output.

In the review of general CIS controls and CIS application controls:
• The auditor should consider how these general CIS controls affect the CIS applications significant to the audit.
• General CIS controls that relate to some or all applications are typically interdependent controls in that their operation is often essential to the effectiveness of CIS application controls.
• Control over input, processing, data files and output may be carried out by CIS personnel, by users of the system, by a separate control group, or may be programmed into application software.

The evaluation of general CIS controls and CIS application controls includes:
• The general CIS controls may have a pervasive effect on the processing of transactions in application systems.
• If general CIS controls are not effective, there may be a risk that misstatements might occur and go undetected in the application systems.
• Manual procedures exercised by users may provide effective control at the application level.

PAPS 1009 – Computer-Assisted Audit Techniques (CAATs)

Computer assisted audit techniques (CAATs) refer to the application of auditing procedures using the computer as an audit tool.

CAATs are often an efficient means of testing a large number of transactions or controls over large populations.

To ensure appropriate control procedures, the presence of the auditor is not necessarily required at the computer facility during the running of a CAAT.

The general principles outlined in PAPS 1009 apply in small entity IT environments.

Package or generalized audit software - consists of generalized computer programs designed to perform common audit tasks or standardized data processing functions.

Audit automation includes:
• Expert systems.
• Tools to evaluate a client’s risk management procedures.
• Corporate and financial modeling programs for use as predictive audit tests.

A safeguard in the control system on which the auditor might rely when conducting a preliminary survey in connection with the audit of an EDP department includes:
• The control group works with user organizations to correct rejected input.

Compatibility test – is an on-line access control that checks whether the user’s code number is authorized to initiate a specific type of transaction or inquiry.

Self-checking digit – is a control procedure that could be used in an on-line system to provide an immediate check on whether an account number has been entered on a terminal accurately. It is a control designed to catch errors at the point of data entry.

Program documentation is a control designed primarily to ensure that programs are kept up to date and perform as intended.

Some of the more important controls that relate to automated accounting information systems that are classified as input validation routines are:
• validity checks,
• limit checks,
• field checks, and
• sign tests.

Most of today’s computer systems have hardware controls that are built in by the computer manufacturer. Common hardware controls are:
• Duplicate circuitry,
• Echo check, and
• Dual reading.

Firmware is the concept whereby computer manufacturers install software programs permanently inside the computer as part of its main memory to provide protection from erasure or loss if there is interrupted electrical power.

When both computer operators and programmers have unlimited access to the programs and data files, the situation represents a lack of internal control in a computer-based information system.

In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. A hash total is the best control technique to detect this action using employee identification numbers.

An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be a completeness test.

The reporting of accounting information plays a central role in the regulation of business operations. Preventive controls are an integral part of virtually all accounting processing systems, and much of the information generated by the accounting system is used for preventive control purposes. The following are essential elements of a sound preventive control system:
• Separation of responsibilities for the recording, custodial, and authorization functions.
• Sound personnel policies.
• Documentation of policies and procedures.

The most critical aspect regarding separation of duties within information systems is between programmers and computer operators.

Whether or not a real time program contains adequate controls is most effectively determined by the use of an integrated test facility.

Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The items that are part of an access control matrix include:
• List of all authorized user code numbers and passwords.
• List of all files maintained on the system.
• Record of the type of access to which each user is entitled.
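The compatibility test and the three items of the access control matrix described above, worked as an added example (not code from the notes or from any standard): user codes, passwords, file names and transaction types are all constructed, and passwords are held only as salted PBKDF2 hashes. The `request` function records every accept and reject decision, which is the evidence an auditor later inspects when testing that invalid identification numbers or passwords are rejected.

```python
"""Compatibility test run against an access control matrix.

Added example (not part of the original notes). All user codes, passwords,
file names and transaction types below are constructed for illustration.
"""
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; a real system stores a random salt per user


def hash_password(password: str) -> bytes:
    # Passwords are stored only as a salted PBKDF2 hash, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Access control matrix, item 1: authorized user code numbers and their passwords.
USERS = {
    "U100": hash_password("clerk-pass"),   # accounts receivable clerk
    "U200": hash_password("super-pass"),   # payroll supervisor
}
# Item 2: files maintained on the system.
FILES = {"AR_MASTER", "PAYROLL_MASTER", "GL_TRANS"}
# Item 3: the type of access each user is entitled to on each file
# (R = read / inquiry, W = write / transaction entry). Absent pair = no access.
ACCESS = {
    ("U100", "AR_MASTER"): {"R", "W"},
    ("U100", "GL_TRANS"): {"R"},
    ("U200", "PAYROLL_MASTER"): {"R", "W"},
    ("U200", "GL_TRANS"): {"R", "W"},
}
# Each transaction or inquiry type touches one file and needs one access type.
TRANSACTIONS = {
    "post_receipt": ("AR_MASTER", "W"),
    "inquire_gl": ("GL_TRANS", "R"),
    "post_journal": ("GL_TRANS", "W"),
    "change_pay_rate": ("PAYROLL_MASTER", "W"),
}


def authenticate(user_code: str, password: str) -> bool:
    """Identification check: is the code known and does the password match?"""
    stored = USERS.get(user_code)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))


def compatibility_test(user_code: str, transaction: str) -> bool:
    """Is this user code authorized to initiate this transaction type?"""
    if transaction not in TRANSACTIONS:
        return False
    file_name, needed = TRANSACTIONS[transaction]
    if file_name not in FILES:
        return False
    return needed in ACCESS.get((user_code, file_name), set())


def request(user_code: str, password: str, transaction: str, log: list) -> bool:
    """Authenticate, then apply the compatibility test; log every decision so
    the auditor can later inspect which attempts the system rejected."""
    if not authenticate(user_code, password):
        log.append(f"REJECT {user_code} {transaction}: identification failed")
        return False
    if not compatibility_test(user_code, transaction):
        log.append(f"REJECT {user_code} {transaction}: not compatible with access rights")
        return False
    log.append(f"ACCEPT {user_code} {transaction}")
    return True


if __name__ == "__main__":
    audit_log = []
    request("U100", "clerk-pass", "post_receipt", audit_log)      # accepted
    request("U100", "clerk-pass", "post_journal", audit_log)      # rejected: read-only on GL_TRANS
    request("U999", "anything", "inquire_gl", audit_log)          # rejected: unknown user code
    request("U200", "wrong-pass", "change_pay_rate", audit_log)   # rejected: bad password
    print("\n".join(audit_log))
```

Note the order of the two checks: identification is settled before the matrix is consulted, so an unknown code is rejected with the same message whether or not the transaction exists, and the log never reveals which of the two factors failed for a valid code with a bad password.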

The following input validation routines are appropriate in a real time operation:
• Field check
• Sign check
• Redundant data check

The following controls are processing controls designed to ensure the reliability and accuracy of data processing:
• Limit test
• Validity check test
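The input validation routines named in these notes (validity, limit, field and sign checks, the completeness test from the omitted purchase-order example, and the redundant data check listed for real time operation) applied to a constructed batch of time cards, as an added example that is not code from the notes. The record layout, the authorized department list, the 60-hour limit and the employee master file are all constructed for illustration.

```python
"""Input validation routines applied to constructed transaction records.

Added example, not part of the original notes: the record layout, reference
lists and sample batch are all constructed for illustration.
"""

# Validity check reference list: department codes that exist.
AUTHORIZED_DEPARTMENTS = {"10", "20", "30"}
# Limit check ceiling: no time card may carry more than this many hours.
MAX_WEEKLY_HOURS = 60
# Redundant data check: each record carries the employee number AND a name key;
# both must agree with the master file, so a wrong number is caught even when
# it happens to be a valid one. Master file contents are constructed.
EMPLOYEE_MASTER = {"1001": "CRUZ", "1002": "REYES", "1003": "SANTOS"}


def field_check(value, width):
    """Field check: the field holds only digits and has the expected width."""
    return isinstance(value, str) and value.isdigit() and len(value) == width


def sign_test(value):
    """Sign test: quantities such as hours worked must not be negative."""
    return value >= 0


def limit_check(value, limit):
    """Limit check: the value does not exceed a predetermined maximum."""
    return value <= limit


def validity_check(code, authorized):
    """Validity check: the code belongs to the set of authorized codes."""
    return code in authorized


def completeness_test(record, required):
    """Completeness test: return the required fields that are absent or blank."""
    return [f for f in required if record.get(f) in (None, "")]


def redundant_data_check(record, master):
    """Redundant data check: the name key keyed with the record matches the master file."""
    return master.get(record.get("emp_no")) == record.get("name_key")


def validate_record(record):
    """Apply every routine to one record; return the names of the checks it fails."""
    failures = []
    missing = completeness_test(record, ["emp_no", "dept", "hours", "po_no"])
    if missing:
        failures.append("completeness:" + ",".join(missing))
    if not field_check(record.get("emp_no", ""), 4):
        failures.append("field")
    if not validity_check(record.get("dept"), AUTHORIZED_DEPARTMENTS):
        failures.append("validity")
    hours = record.get("hours")
    if isinstance(hours, (int, float)):
        if not sign_test(hours):
            failures.append("sign")
        elif not limit_check(hours, MAX_WEEKLY_HOURS):
            failures.append("limit")
    if not redundant_data_check(record, EMPLOYEE_MASTER):
        failures.append("redundant")
    return failures


def validate_batch(batch):
    """Map record index -> failed checks for every record that fails at least one."""
    result = {}
    for i, rec in enumerate(batch):
        failed = validate_record(rec)
        if failed:
            result[i] = failed
    return result


# Constructed batch: one clean record, then records each seeded with an error.
SAMPLE_BATCH = [
    {"emp_no": "1001", "name_key": "CRUZ",   "dept": "10", "hours": 40, "po_no": "PO-77"},
    {"emp_no": "10A2", "name_key": "REYES",  "dept": "20", "hours": 40, "po_no": "PO-78"},  # non-numeric employee number
    {"emp_no": "1002", "name_key": "REYES",  "dept": "99", "hours": 40, "po_no": "PO-79"},  # unknown department
    {"emp_no": "1003", "name_key": "SANTOS", "dept": "30", "hours": -8, "po_no": "PO-80"},  # negative hours
    {"emp_no": "1003", "name_key": "SANTOS", "dept": "30", "hours": 95, "po_no": ""},       # over limit, PO number omitted
    {"emp_no": "1001", "name_key": "REYES",  "dept": "10", "hours": 40, "po_no": "PO-81"},  # valid number, wrong employee
]

if __name__ == "__main__":
    for idx, failed in validate_batch(SAMPLE_BATCH).items():
        print(f"record {idx}: {failed}")
```

The last record is the case the redundant data check exists for: the employee number is numeric, four digits and on the master file, so field and validity checks pass, and only the disagreement between the number and the name key reveals that the wrong employee was keyed.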

A characteristic that distinguishes computer processing from manual processing is:
• Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.

When a systems programmer designs systems for computerized applications and maintains output controls, it represents a significant deficiency in the internal control structure.

Conversion of information to machine-readable form is to be performed in the EDP Department.

For control purposes, system development should be organizationally segregated from the computer operations function.

The major reasons for maintaining an audit trail for a computer system are:
• Deterrent to irregularities
• Monitoring purposes
• Query answering

In an automated payroll system, when the hourly rate used in one department is higher than the approved rate per hour for that department, the control that would be most effective in preventing such an error is:
• A limit test that compares the pay rates per department with the maximum rate for all employees.

The following errors would be detected by batch controls:
• A fictitious employee was added to the processing of the weekly time cards by the computer operator.
• An employee who worked only 5 hours in the week was paid for 50 hours.
• The time card for one employee was not processed because it was lost in transit between the payroll department and the data entry function.
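Batch control totals worked through on a constructed batch of time cards, as an added example (not code from the notes). It covers the three errors listed just above and the earlier substituted-time-card case, showing which total catches which error: the substitution leaves the record count and total hours unchanged and is caught only by the hash total of employee numbers. Employee numbers, hours and rates are constructed.

```python
"""Batch control totals over a constructed batch of weekly time cards.

Added example, not part of the original notes. The time cards, employee
numbers and the error scenarios are all constructed for illustration.
"""


def control_totals(cards):
    """Totals established by the originating department before the batch is
    sent for data entry: record count, total hours (a quantity total) and a
    hash total of employee numbers (a sum with no meaning of its own)."""
    return (
        len(cards),
        sum(c["hours"] for c in cards),
        sum(int(c["emp_no"]) for c in cards),
    )


TOTAL_NAMES = ("record_count", "total_hours", "hash_total_emp_no")


def reconcile(expected, cards):
    """Recompute the totals after data entry and name those that disagree;
    an empty list means the batch balances."""
    actual = control_totals(cards)
    return [name for name, e, a in zip(TOTAL_NAMES, expected, actual) if e != a]


# Constructed batch as prepared by the payroll department.
SUBMITTED = [
    {"emp_no": "1001", "hours": 40, "rate": 120},
    {"emp_no": "1002", "hours": 5, "rate": 150},
    {"emp_no": "1003", "hours": 38, "rate": 150},
    {"emp_no": "1004", "hours": 40, "rate": 110},
]
EXPECTED = control_totals(SUBMITTED)  # (4, 123, 4010)


# Each scenario returns the batch as it would look after the error occurred.
def substitute_card(cards, old_emp, new_emp):
    """A terminated employee's card replaced by a fictitious employee's card
    with the same hours and rate: only the hash total of employee numbers moves."""
    return [dict(c, emp_no=new_emp) if c["emp_no"] == old_emp else c for c in cards]


def add_fictitious_card(cards, emp_no, hours, rate):
    """An extra card slipped into the batch by the operator."""
    return cards + [{"emp_no": emp_no, "hours": hours, "rate": rate}]


def misenter_hours(cards, emp_no, hours):
    """5 hours keyed as 50: the quantity total no longer agrees."""
    return [dict(c, hours=hours) if c["emp_no"] == emp_no else c for c in cards]


def lose_card(cards, emp_no):
    """A card lost in transit between payroll and data entry."""
    return [c for c in cards if c["emp_no"] != emp_no]


if __name__ == "__main__":
    scenarios = {
        "substituted employee": substitute_card(SUBMITTED, "1003", "1999"),
        "fictitious employee added": add_fictitious_card(SUBMITTED, "1005", 40, 120),
        "5 hours keyed as 50": misenter_hours(SUBMITTED, "1002", 50),
        "card lost in transit": lose_card(SUBMITTED, "1004"),
    }
    for name, batch in scenarios.items():
        print(f"{name}: out of balance on {reconcile(EXPECTED, batch)}")
```

The totals must be established by the originating department, not recomputed from the keyed data alone; `reconcile` only detects what differs from the totals fixed before the batch left the payroll department.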

The computer operator would prevent errors by the use of a header label in conjunction with magnetic tape.

In the accounting system of a company, the amounts of cash disbursements entered into an EDP terminal are transmitted to the computer, which immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to verify that the amount was entered accurately.

When EDP programs or files can be accessed from terminals, users should be required to enter a personal identification code.

The possibility of erasing a large amount of information stored on magnetic tape most likely would be reduced by the use of a file protection ring.

A control that would assure that an entity can reconstruct its financial records is that backup diskettes or tapes of files are stored away from the originals.

When a company uses a batch processing method to process its sales transactions, and data on the sales transaction tape are electronically sorted by customer number and subjected to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances, one of the direct outputs of the creation of this tape most likely would be a report showing exceptions and control totals.

Using microcomputers in auditing may affect the methods used to review the work of staff assistants because the working paper documentation may not contain readily observable details of calculations.

When an auditor anticipates assessing control risk at a low level in a computerized environment, the auditor initially focuses on general control procedures.

After the preliminary phase of the review of a client’s EDP controls, an auditor may decide not to perform tests of controls (compliance tests) related to the control procedures within the EDP portion of the client’s internal control structure. The following would be valid reasons for choosing to omit such tests:
• The controls duplicate operative controls existing elsewhere in the structure.
• There appear to be major weaknesses that would preclude reliance on the stated procedure.
• The time and costs of testing exceed the time and costs of substantive testing if the tests of controls show the controls to be operative.

A client’s electronic data processing (EDP) system generally can be audited without examining or directly testing the EDP computer programs when the system performs relatively uncomplicated processes and produces detailed output.

Computer systems are typically supported by a variety of utility software packages that are important to an auditor because they may enable unauthorized changes to data files if not properly controlled.

To obtain evidence that online access controls are properly functioning, an auditor most likely would enter invalid identification numbers or passwords to ascertain whether the system rejects them.

A disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files is that it is usually easier for unauthorized persons to access and alter the files.

An auditor would like to use computer software to:
• Access client data files
• Prepare spreadsheets
• Construct parallel simulations

A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an EDP system is that the auditor may access information stored on computer files while having a limited understanding of the client’s hardware and software features.

Auditors often make use of computer programs that perform routine processing functions such as sorting and merging. These programs are made available by electronic data processing companies and others and are specifically referred to as utility programs.

A company has numerous customers and the customer file is kept on disk storage; each customer record contains name, address, credit limit, and account balance. The auditor wishes to test this file to determine whether the credit limits are being exceeded. The best procedure for the auditor to follow would be to develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit.
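The credit-limit test just described, written out as an added example in the style of a generalized audit software run (not code from the notes or from any audit package). It also produces the report of exceptions and control totals mentioned earlier for batch processing, so the auditor can agree the file to the client's subsidiary ledger before relying on it, and it lists credit (negative) balances as a second exception class, which goes slightly beyond the credit-limit question in the text. The customer file is constructed.

```python
"""Audit program over a constructed customer file, in the style of a
generalized audit software run: list credit-limit exceptions and produce
control totals that can be agreed to the client's records.

Added example, not part of the original notes; the customer file is constructed.
"""
import csv
import io

# Constructed customer file in CSV form: name, address, credit limit, balance.
CUSTOMER_FILE = """cust_no,name,address,credit_limit,balance
1001,Acme Trading,Manila,50000,42000
1002,Bayan Supply,Quezon City,20000,25500
1003,Cebu Retail,Cebu,10000,10000
1004,Davao Foods,Davao,30000,-500
1005,Iloilo Parts,Iloilo,15000,16250
"""


def load_customers(text):
    """Read the file into records with numeric limit and balance fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "cust_no": row["cust_no"],
            "name": row["name"],
            "credit_limit": int(row["credit_limit"]),
            "balance": int(row["balance"]),
        })
    return rows


def credit_limit_exceptions(customers):
    """Accounts whose balance exceeds the credit limit, with the excess amount.
    A balance exactly at the limit is not an exception."""
    return [
        dict(c, excess=c["balance"] - c["credit_limit"])
        for c in customers
        if c["balance"] > c["credit_limit"]
    ]


def credit_balances(customers):
    """Accounts with a negative (credit) balance, listed for follow-up."""
    return [c for c in customers if c["balance"] < 0]


def control_totals(customers):
    """Record count, financial totals and a hash total of customer numbers,
    to be agreed to the client's subsidiary ledger before relying on the file."""
    return {
        "record_count": len(customers),
        "total_balance": sum(c["balance"] for c in customers),
        "total_credit_limit": sum(c["credit_limit"] for c in customers),
        "hash_total_cust_no": sum(int(c["cust_no"]) for c in customers),
    }


def exception_report(text):
    """Everything the audit run prints: exceptions plus the totals behind them."""
    customers = load_customers(text)
    return {
        "over_limit": credit_limit_exceptions(customers),
        "credit_balances": credit_balances(customers),
        "control_totals": control_totals(customers),
    }


if __name__ == "__main__":
    report = exception_report(CUSTOMER_FILE)
    for c in report["over_limit"]:
        print(f"{c['cust_no']} {c['name']}: balance {c['balance']} exceeds limit "
              f"{c['credit_limit']} by {c['excess']}")
    print("control totals:", report["control_totals"])
```

The control totals are the part that makes the exception list usable as evidence: if the record count or total balance does not agree to the ledger, the auditor was given the wrong file or an incomplete extract, and the exceptions found say nothing about the population.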

The use of a generalized audit software package is a major aid in retrieving information from computerized files.

An auditor used test data to verify the existence of controls in a certain computer program. Even though the program performed well on the test, the auditor may still have a concern that the program tested is the same one used in the regular production runs.

An auditor most likely would introduce test data into a computerized payroll system to test internal controls related to the discovery of invalid employee I.D. numbers.

When an auditor tests a computerized accounting system, test data should be processed by the client’s computer programs under the auditor’s control.

The test data approach when testing a computerized accounting system includes:
• The test need consist of only those valid and invalid conditions which interest the auditor.
• Only one transaction of each type need be tested.
• Test data are processed by the client’s computer programs under the auditor’s control.

The errors that an auditor might include in the test data when auditing a client’s EDP system include:
• Authorized code.
• Differences in description of units of measure.
• Illogical entries in fields whose logic is tested by programmed consistency checks.

An auditor who is testing EDP controls in a payroll system would most likely use test data that contain conditions such as:
• Deductions not authorized by employees.
• Overtime not approved by supervisors.
• Payroll checks with unauthorized signatures.

Auditing by testing the input and output of an EDP system instead of the computer program itself will not detect program errors which do not show up in the output sampled.

An integrated test facility is a computer-assisted auditing technique that allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process.

Parallel simulation is a method of testing application controls that utilizes a generalized audit software package prepared by the auditors.
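Parallel simulation as an added example (not code from the notes): the auditor writes an independent program from the client's documented pricing rules, reprocesses the client's input transactions through it, and compares the totals with what the client's own program printed. The price list, discount schedule, transactions and client output are all constructed; the one invoice on which the two disagree is what the auditor would then follow up manually.

```python
"""Parallel simulation: the auditor's own program recomputes invoice totals
from the client's input and pricing rules, and the result is compared with
the output the client's program produced.

Added example, not part of the original notes. The price list, discount
schedule, transactions and client output are all constructed for illustration.
"""
from decimal import Decimal, ROUND_HALF_UP

# Client's documented pricing rules (constructed): unit prices and a volume
# discount that applies to a line once its quantity reaches the tier threshold.
PRICE_LIST = {"A-10": Decimal("125.00"), "B-22": Decimal("40.50"), "C-07": Decimal("9.99")}
DISCOUNT_TIERS = [(100, Decimal("0.10")), (50, Decimal("0.05")), (0, Decimal("0"))]
CENT = Decimal("0.01")


def discount_rate(qty):
    """Highest tier whose threshold the quantity reaches (tiers are listed descending)."""
    return next(rate for threshold, rate in DISCOUNT_TIERS if qty >= threshold)


def auditor_invoice_total(lines):
    """Auditor's independent implementation of the documented pricing logic:
    extend each line, round it to the cent, then add the lines."""
    total = Decimal("0")
    for item, qty in lines:
        extension = PRICE_LIST[item] * qty * (1 - discount_rate(qty))
        total += extension.quantize(CENT, rounding=ROUND_HALF_UP)
    return total


# Constructed input transactions and the totals the client's program printed.
TRANSACTIONS = {
    "INV-1": [("A-10", 10), ("B-22", 4)],
    "INV-2": [("A-10", 60)],
    "INV-3": [("C-07", 120), ("B-22", 50)],
}
CLIENT_OUTPUT = {"INV-1": "1412.00", "INV-2": "7125.00", "INV-3": "3002.42"}


def parallel_simulation(transactions, client_output):
    """Reprocess every transaction and list (invoice, client total, simulated total)
    wherever the two disagree. Differences are then investigated manually."""
    differences = []
    for inv, lines in transactions.items():
        simulated = str(auditor_invoice_total(lines))
        reported = client_output.get(inv)
        if reported != simulated:
            differences.append((inv, reported, simulated))
    return differences


if __name__ == "__main__":
    for inv, reported, simulated in parallel_simulation(TRANSACTIONS, CLIENT_OUTPUT):
        print(f"{inv}: client printed {reported}, simulation gives {simulated}")
```

The simulation reproduces the documented rules, not the client's code, so a difference can mean a program error, an undocumented rule, or a mistake in the auditor's understanding; that is why the output is always compared with actual results by hand rather than treated as proof on its own.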

Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because there are time delays in processing transactions in a batch system.

The characteristics of a batch processed computer system include:
• The collection of like transactions which are sorted and processed sequentially against a master file.
• Keypunching of transactions, followed by machine processing.
• The production of numerous printouts.

Where disk files are used, the grandfather-father-son updating backup concept is relatively difficult to implement because the process of updating old records is destructive.

An auditor would likely be concerned with access controls in a distributed data processing system.

An example of a hash total for a payroll EDP application is the control total of the department numbers.

A validity check is a computer test made to ascertain whether a given characteristic belongs to the group.

A control feature in an electronic data processing system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of hardware control is referred to as an echo check.

An example of a check digit is an algebraically determined number produced by the other digits of the employee number.

In a computerized system, a procedure- or problem-oriented language is converted to machine language through a compiler.

A customer erroneously ordered Item No. 86321 rather than Item No. 83621. When this order is processed, the vendor’s EDP department would identify the error with a control called a self-checking digit.
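The self-checking digit from the item-number example above and the check digit definition earlier, worked as an added example (not code from the notes). The notes do not say how the digit is computed; the weighted modulus-11 scheme here is an assumption, chosen because it rejects every single-digit error and every transposition of two neighbouring digits, which is exactly the 86321-for-83621 error in the text.

```python
"""Self-checking digit: a modulus-11 check digit computed from the other
digits of an item or employee number, verified again on entry.

Added example, not part of the original notes. The notes do not name the
algorithm; the weighted modulus-11 scheme used here is an assumption, chosen
because it detects every single-digit error and every adjacent transposition.
"""


def compute_check_digit(base):
    """Weight the digits from left to right with len+1 down to 2, sum, and take
    the complement modulo 11; a result of 10 is written as 'X'."""
    if not base.isdigit():
        raise ValueError("base number must be all digits")
    weights = range(len(base) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(base, weights))
    cd = (11 - total % 11) % 11
    return "X" if cd == 10 else str(cd)


def with_check_digit(base):
    """Issue a self-checking number: the base number with its check digit appended."""
    return base + compute_check_digit(base)


def verify(number):
    """Validation at the point of entry: recompute the check digit from all but
    the last character and compare it with the digit that was keyed."""
    base, keyed = number[:-1], number[-1]
    return base.isdigit() and compute_check_digit(base) == keyed


def adjacent_transpositions(number):
    """All numbers obtained by swapping two differing neighbouring characters."""
    out = []
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            chars = list(number)
            chars[i], chars[i + 1] = chars[i + 1], chars[i]
            out.append("".join(chars))
    return out


def all_transpositions_rejected(base):
    """True when every adjacent transposition of the issued number fails verification."""
    issued = with_check_digit(base)
    return all(not verify(t) for t in adjacent_transpositions(issued))


if __name__ == "__main__":
    # Item number from the notes: 83621 is the item wanted, 86321 the one keyed.
    issued = with_check_digit("83621")
    print("issued number:", issued)                  # 836214
    keyed = "86321" + issued[-1]                     # digits transposed, check digit copied
    print("keyed number accepted?", verify(keyed))   # False
```

Why modulus 11 rather than modulus 10: with a prime modulus larger than 9 and distinct weights on neighbouring positions, a single wrong digit changes the weighted sum by a non-multiple of 11, and swapping two neighbouring digits changes it by their difference, so neither error can leave the check digit unchanged. The price is the occasional 'X' check character, which a numeric-only field must be able to hold.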

The computer process whereby data processing is performed concurrently with a particular activity and the results are available soon enough to influence the course of action being taken or the decision being made is called an on-line, real time system.

Internal control is ineffective when computer department personnel originate changes in master files.

Test data, integrated test data and parallel simulation each require an auditor to prepare data and computer programs. CPAs who lack either the technical expertise or the time to prepare programs should request generalized audit software from the manufacturers or EDP consultants.

A fundamental control weakness often associated with an electronic data processing system is best described as functions that would normally be separated in a manual system being combined in the EDP system, such as the functions of programmers and operators.

When using a generalized audit software package, a physical count of inventories could not be performed.

“Auditing through the computer” techniques include:
• Automated tracking and mapping
• Test-decking
• Integrated test facility

The output of a parallel simulation should always be compared with actual results manually.

Generalized audit software is a computer-assisted audit technique. It is one of the most widely used techniques for auditing computer application systems. Generalized audit software is most often used to independently analyze data files.

From an audit viewpoint, the following are the advantages associated with the widespread use of microcomputers:
• Their portability.
• Their easily developed programs using spreadsheets which do not have to be documented.

The following functions would have effects on an audit if not properly segregated:
• The systems analyst and the programmer functions
• The computer operator and programmer functions
• The computer operator and the user functions

To obtain evidence that user identification and password control procedures are functioning as designed, an auditor would attempt to sign on to the system using invalid user identifications and passwords.