
AUDIT IN A CIS (IT) ENVIRONMENT

A Computerized Information System (CIS) exists when a computer of any type or size is involved in the
processing by the entity of financial information of significance to the audit, whether the computer is operated by
the entity or by a third party.

A. CHARACTERISTICS OF A CIS

• Absence of input documents
• Lack of visible audit trail
• Lack of visible output
• Ease of access to data and computer programs

Characteristics of a CIS Organizational Structure

• Concentration of functions - the number of persons involved in the processing of financial
information is significantly REDUCED.
• Concentration of programs and data - transaction and master file data are often concentrated, usually in
a machine-readable form.

Nature of Processing

• May result in the design of systems that provide less visible evidence than manual systems
• These systems may be accessible by a larger number of persons.

Design and Procedural Aspect

• Consistency of performance
• Programmed control procedures
• Single transaction update of multiple computer files or a database
• System-generated transactions
• Vulnerability of data and program storage media

Effect on Audit Objective and Scope

• Overall objective and scope do not change
• Procedures followed in the auditor's study and evaluation of internal controls, and the nature, timing and
extent of other audit procedures, may be affected.

Skills and Competence Needed

• The auditor should consider whether specialized skills are needed. If so, ask the assistance of a
computer professional, who may be a staff member or an outside professional.
• If use of such a professional is planned, the auditor should have sufficient computer-related knowledge to:
- Communicate the objectives of the other professional's work;
- Evaluate whether specified procedures will meet the auditor's objectives; and
- Evaluate the results of the procedures applied.
• The auditor can NEVER DELEGATE his responsibility in forming important audit conclusions or
expressing an opinion on the financial statements.

B. PLANNING THE AUDIT WHERE CIS IS PRESENT

Obtain Information About

• Computer hardware and software
• Extent to which the computer is used in significant accounting applications, and the nature of processing and
data retention processes
• Complexity of the entity's computer operations
• Organizational structure of computer processing activities
• Planned implementation of new applications or revisions to existing applications
• Availability of data that may exist only for a short period of time, or only in computer-readable form
• Use of computer-assisted audit techniques (CAATs)

C. TYPES OF COMPUTERS

Super computers - extremely powerful, high-speed computers used for extremely high volume and/or complex
processing needs.

Mainframe computers - large, powerful, high-speed computers that are less powerful than supercomputers.

Servers - high-powered microcomputers that "serve" applications and data to clients connected via a
network, and act as a central repository for organizational data.

Virtual Machines - servers on which multiple operating systems can coexist and operate simultaneously on the
same physical machine.

Microcomputers or Personal Computer - designed to be used by one person at a time, typically for word
processing, e-mail, spreadsheets and others.

Personal Data Assistants (e.g., Tablets or smart phones) - typically smaller, handheld wireless devices that
depend on Wi-Fi and/or cellular technology for communication.

Hardware

Central Processing Unit (CPU) - principal hardware component of a computer which contains the
arithmetic/logic unit, primary memory and a control unit.

a. Arithmetic/logic unit - performs mathematical operations and logical comparisons
b. Primary memory (storage) - where the active data and program steps being processed by the CPU are
stored.
- Random Access Memory (RAM) - stores the application programs and data at execution time and may
be modified by the user.
- Read-Only Memory (ROM) - memory that cannot be changed; contains the system's boot routines, basic
input/output system (BIOS) and other firmware.
c. Control unit - interprets program instructions

Types Of Online Computer Systems:

Online Real Time Processing - transactions are processed immediately, and master file is updated immediately.
Errors in this kind of processing are detected as soon as the data are entered.

Online Batch Processing - individual transactions are entered at a terminal device and are later processed
together. Errors in this kind of processing are detected at a later stage.

Online Memo Update - mixture of batch and real-time processing where individual transactions update a memo
file which is subsequently updated to the master file by batch.

Online Inquiry - restricts users at terminal devices to making inquiries of the master file.

Online Downloading/Uploading Processing

Network Environments - communication system that enables computer users to share computer equipment,
application software, data and voice and video transmissions.

a. File server - a computer with an operating system that allows multiple users in a network to access
software applications and data files.
b. Basic types of networks:
- Local Area Network
- Wide Area Network
- National Area Network
- Internet

D. CLASSIFICATION OF CONTROLS

As to Objectives

• Preventive Controls - prevent the occurrence of errors

• Detective Controls - detect the existence of errors or wrongdoing after they have occurred

• Corrective Controls - aid in the correction of erroneous data entry or application, or in the correction of a full
application run

As to Scope:

• General Controls - typically relate to the entire information system and apply to all programs used by the
system.

• Application Controls - relate to controls over a particular computer task or application

GENERAL CONTROLS

1. Organization and operations control - pertains to the plan of organization and operations of CIS activity

a. Operating Controls - concerned with efficient and effective CIS operations and proper procedures for
new computer applications, and to control changes made to existing applications.
b. Organizational controls - concerned with the proper segregation of duties and responsibilities within
the CIS environment.
c. Data processing should be independent of those who provide input data to, or use information generated
by, the CIS.
Those who perform computer functions should not:
- Authorize transactions
- Have custody or control of assets
- Correct errors in transactions
- Be able to change the controls or initiate the preparation of data

2. System development and documentation controls - intended to monitor the design of, and documentation
for new computer applications, and to control changes made to existing applications.

a. System design - include representatives of user departments and, as appropriate, the accounting
department and internal auditors.
b. Written specifications - each system should have written specifications that are reviewed and
approved by management and the user department.
c. System testing - should be a cooperative effort of users and CIS personnel
d. Final Approval - the CIS manager, the user personnel and the appropriate level of management should
give final approval to a new system before it is placed in normal operation.
e. Program changes - should be approved before implementation to determine whether they have been
authorized, tested and documented.

3. Documentation Controls - provide a basis for reviewing the system, training new personnel and maintaining
and revising existing systems and programs.

a. Systems documentation - describes the information flow, input, output and file structure, which are
useful to systems analysts and programmers.
b. Program documentation - describes detailed program data that systems analysts and programmers
will need to correct or revise the programs.
c. Operations documentation - provides instructions to the computer operator for running the program.
d. User documentation - describes the data that users will submit or enter, the form of the data, any
control totals, and the procedures to follow when the system rejects incorrect data submitted for
processing.
4. Access controls - designed to ensure that only persons who should have access to information or programs
are allowed to examine or change them.

a. Segregation controls
b. Physical access to the computer facility
- Limited physical access
- Visitor entry log
c. Hardware and software access controls
- Access control software (user identification) - the most commonly used control is a combination of a unique
identification code and a confidential password.
- Call back - specialized form of user identification in which the user dials the system, identifies
him/herself, and is disconnected from the system, which then calls the user back at a pre-authorized number.
- Encryption - data is encoded when stored in computer files and/or before transmission to or from remote
locations. This coding protects data because, to use it, unauthorized users must not only obtain
access but must also translate the coded form of the data.

APPLICATION CONTROLS

1. Input controls - designed to provide reasonable assurance that data received for processing by the computer
department have been properly authorized and that data have not been lost, suppressed, added, duplicated, or
otherwise changed improperly.

a. Batch controls - group input transactions to provide control totals.
b. Financial total - sum of the amounts in the input documents
c. Hash total - a total that is meaningless in itself and is determined for control purposes only.
d. Record count - count of the number of transactions processed.
e. Computer editing - if a particular record does not meet the test, it is not processed
f. Limit/Reasonableness test - an input transaction record is checked to be sure it is not greater or smaller
than a pre-specified amount, or that it is within a pre-specified range of acceptable values.
g. Valid field and/or character test - a particular field is examined to be sure it is of the proper size and
composition.
h. Valid number or code test - verifies that a particular number or code is one of those recognized by
the system.
i. Sequence check - input records should be in some particular sequence.
j. Missing data test - verifies that all of the data fields actually contain data.
k. Valid transaction test - verifies that a particular transaction is an appropriate type for a particular file.
l. Valid combination of fields - checks to be sure a certain combination of fields is reasonable.
m. Check digit - an extra digit added to an identification number to detect certain types of data transmission
errors.
n. Valid sign test - checks for the proper sign
o. Preprinted form - information is pre-assigned a place and a format on the input form.
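As an added illustration (not part of these notes) of the batch controls and edit tests listed above, the Python below first agrees a constructed payroll batch to its control slip and then applies the computer editing tests record by record. The mod-10 (Luhn) check digit scheme, the account codes and the amount limit are assumptions, since the notes name none.

```python
VALID_ACCOUNT_CODES = {"1010", "2020", "4010"}  # constructed chart of accounts (valid code test)
AMOUNT_LIMIT = 10_000.00                         # constructed ceiling for the reasonableness test

def mod10_check_digit_ok(number: str) -> bool:
    """Luhn mod-10 check digit. Assumed scheme: the notes do not name one."""
    if not number.isdigit() or len(number) < 2:
        return False
    digits = [int(ch) for ch in reversed(number)]  # rightmost digit is the check digit
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(digits))
    return total % 10 == 0

def edit_checks(rec: dict) -> list:
    """Computer editing: list the reasons a record fails; an empty list means it passes."""
    if any(rec.get(f) in (None, "") for f in ("emp_id", "account", "amount")):
        return ["missing data"]                 # missing data test; nothing else is meaningful
    errors = []
    if not mod10_check_digit_ok(rec["emp_id"]):
        errors.append("check digit")            # check digit test
    if rec["account"] not in VALID_ACCOUNT_CODES:
        errors.append("invalid code")           # valid code test
    if rec["amount"] < 0:
        errors.append("invalid sign")           # valid sign test
    elif rec["amount"] > AMOUNT_LIMIT:
        errors.append("limit exceeded")         # limit/reasonableness test
    return errors

def batch_totals(records: list) -> dict:  # the three totals written on the batch control slip
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(int(r["emp_id"]) for r in records),  # meaningless sum, control use only
    }

def process_batch(records: list, control_slip: dict) -> dict:
    """Refuse the batch if its totals disagree with the control slip, otherwise edit each record."""
    totals = batch_totals(records)
    if totals != control_slip:                  # a lost, added or altered record shows up here
        return {"batch_accepted": False, "totals": totals, "rejected": []}
    rejected = [(r["emp_id"], edit_checks(r)) for r in records if edit_checks(r)]
    return {"batch_accepted": True, "totals": totals, "rejected": rejected}

BATCH = [  # constructed payroll-style batch: two clean records, four a control should catch
    {"emp_id": "1008", "account": "1010", "amount": 1500.00},
    {"emp_id": "2006", "account": "2020", "amount": 250.50},
    {"emp_id": "1009", "account": "1010", "amount": 300.00},    # last digit mis-keyed
    {"emp_id": "3004", "account": "9999", "amount": 12500.00},  # unknown code, over the limit
    {"emp_id": "4002", "account": "4010", "amount": -40.00},    # negative amount
    {"emp_id": "5009", "account": "", "amount": 10.00},         # blank field
]
CONTROL_SLIP = {"record_count": 6, "financial_total": 14520.50, "hash_total": 16038}
```

Dropping the last record from BATCH before calling process_batch shows the record count and totals disagreeing with the slip, so the whole batch is refused before any editing runs.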

2. Processing Controls - designed to provide reasonable assurance that data processing has been performed
as intended for the particular application.

3. Output Controls - designed to assure that the results of processing are accurate and that only authorized
personnel receive or have access to the output.

- Control totals comparison

- Output distribution

- File reconstruction

E. TESTING APPLICATION CONTROLS

Audit Approaches:

1. Around the computer or Black Box approach - auditor ignores the computer processing function and only
tests input against output. It is used in relatively simple systems.

2. With the computer - auditor uses the computer as an audit tool.

3. Through the computer or White Box approach - auditor enters the client's system and examines directly the
computer, its system software and its application software.

F. COMPUTER ASSISTED AUDIT TECHNIQUES USED IN TESTS OF CONTROL

1. Program Analysis - techniques that allow the auditor to gain an understanding of the client's programs.

a. Code review - involves actual analysis of the logic of the program's processing routines
b. Comparison programs - programs that allow the auditor to compare computerized files
c. Flowcharting software - used to produce a flowchart of a program's logic and may be used both in
mainframe and microcomputer environments
d. Program tracing and mapping
- Program tracing - technique in which each instruction executed is listed along with the control information
affecting that instruction
- Program mapping - identifies sections of code which may be a potential source of abuse.
e. Snapshot - takes a picture of the status of program execution, immediate results, or transaction data at
specified processing points in the program processing.

2. Program Testing - use of auditor-controlled actual or simulated data.

a. Test Data/Deck Method - auditor prepares a series of dummy transactions, some of which are valid and
some of which contain errors that should be detected by the controls he wants to test.
b. Integrated Test Facility (ITF) or Mini-company approach - auditor creates a fictitious entity within the
client's regular data processing.
c. Parallel Simulation - auditor uses live client data that is reprocessed with an auditor-controlled program.
This uses Generalized Audit Software (GAS) prepared by the auditor and designed to perform the same
process and produce the same results as the client's program. The client's output is compared with the
auditor's output.
d. Continuous Audit Technique - tests computer controls throughout a period.
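An added example (not from these notes) of the parallel simulation described in item c: an auditor-written routine reprocesses live loan data with its own implementation of the agreed interest rule and reconciles its results against the client's reported output. The interest rule, the loan records and the client figures are all constructed for the illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed live client data: loans the client's interest program processed this period
CLIENT_INPUT = [
    {"loan": "L-001", "principal": Decimal("10000.00"), "rate": Decimal("0.06"), "days": 30},
    {"loan": "L-002", "principal": Decimal("2500.00"), "rate": Decimal("0.12"), "days": 90},
    {"loan": "L-003", "principal": Decimal("50000.00"), "rate": Decimal("0.05"), "days": 365},
]
# Constructed client output: the interest figures the client's program reported
CLIENT_OUTPUT = {"L-001": Decimal("49.32"), "L-002": Decimal("73.97"), "L-003": Decimal("2534.72")}

def auditor_interest(rec: dict) -> Decimal:
    """Auditor-written routine for the agreed rule: simple interest on a 365-day year, to the cent."""
    raw = rec["principal"] * rec["rate"] * rec["days"] / Decimal(365)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parallel_simulation(client_input: list, client_output: dict, tolerance=Decimal("0.01")) -> list:
    """Reprocess every live record and list exceptions where the client's result differs."""
    exceptions = []
    for rec in client_input:
        expected = auditor_interest(rec)
        reported = client_output.get(rec["loan"])
        if reported is None:
            exceptions.append((rec["loan"], "missing from client output", expected, None))
        elif abs(reported - expected) > tolerance:
            exceptions.append((rec["loan"], "amount differs", expected, reported))
    processed = {rec["loan"] for rec in client_input}
    for loan in sorted(set(client_output) - processed):  # output with no input is also an exception
        exceptions.append((loan, "not in client input", None, client_output[loan]))
    return exceptions
```

With the constructed data only L-003 is reported as an exception: the auditor's routine computes 2500.00 where the client's program reported 2534.72, the kind of difference the auditor would then investigate.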

G. FACTORS TO CONSIDER IN USING CAATS

- Degree of technical competence in CIS
- Availability of CAATs and appropriate computer facilities
- Impracticability of manual tests
- Effectiveness and efficiency
- Timing of tests
