Audit under

Computerized
Information System
(CIS) Environment
Introduction

2
Scope of Audit in
CIS Environment

3
❶High speed
❷Low clerical error
❸Concentration of duties
❹Shifting of internal control base
Application systems development control
Systems software control
❺Disappearance of manual reasonableness
❻Impact of poor system
❼Exception reporting
❽Man-machine interface / human-computer
interaction

4
Impact of Changes
on Business
Processes
(for shifting from Manual to
Electronic Medium)

5
The effect of changes on accounting process may be stated as under:

A. Primary Changes B. Recent Changes

1. Process of recording Following are a few instance of the recent changes which they may need to be
transactions addressed in discharging their responsibilities in such environment:
2. From accounting • Mainframes are substituted by mini/micro users.
records • There is a shift from proprietary operating system to more universal ones like UNIX,
LINUX, Programming in ‘C’, etc.
3. Use of loose-leaf
stationeries • Relational Data Base Management (RDBMS) are increasingly being used.
4. Use of accounting • The methodology adopted for systems development is becoming crucial and CASE
code (Computer Aided Software Engineering) tools are being used by many organizations.
• End user computing is on the increase resulting in decentralized data processing.
5. Absence of link
between transactions • The need for data communication and networking is increasing.
• Common business documents are getting replaced by paperless electronic data
interface (EDI)
• Conventional data entry giving way to scanner, digitized image processes, voice 6
recognition system etc.
The Impact of all such change on auditing
may be summarized as:
• Wide-spread end-user computing may result in
unintentional errors creeping into systems owing to
inept handling. Also coordinated program modification
may not be possible.
• Improper use of decision support system can have
serious repercussion. Also their underlying assumption
must be clearly documented.
• Usage of sophisticated audit software would be a
necessity.
• Auditors non-participation at System Development Life
Cycle (SDLC) pose considerable problem in
understanding the operational controls.
• Data communication and net working would introduce
new audit risk.
• The move toward paperless EDI would eliminate much
of the traditional audit trail radically changing the nature
of audit trails.

7
Audit Approach
in CIS
Environment

8
The Black Box Approach The Auditor concentrates on input and output and ignores the
specifics of how computer process the data or transactions.
If input matches the output, the auditor assumes that the
processing of transaction/data must have been correct.
9
The White Box Approach The processes and controls surrounding the subject are not
only subject to audit but also the processing controls operating
over this process are investigated.
In order to help the auditor to gain access to these processes
computer Audit software may be used. 10
 Types of
Computer
Systems

11
System configuration Processing systems
 Large system computers  Batch processing

 Stand alone personal computers  On Line Processing System

 Network computing system  Interactive Processing

 Electronic data interchange (EDI)  On-line real time processing

 Time Sharing

 Service Bureau

 Integrated File System

12
 System configuration Processing systems
 Large system computers  Batch processing

 Stand alone personal computers  On Line Processing System

 Network computing system  Interactive Processing

 Electronic data interchange (EDI)  On-line real time processing

a group of interconnected
 Time Sharing
system sharing services and
interacting by a shared
communication links.  Service Bureau

Hardware Resources: Software Resources:  Integrated File System

 Client Server  Local Area Network
 File Server  Wide Area Network
 Data base Server  Distributed data Processing
 Message Server  Electronic Data Interchange (EDI) 13
 Print Server
System configuration
 Large system computers
 Stand alone personal computers
 Network computing system
 Electronic data interchange (EDI)
Processing systems Occurrence of Transaction
 Batch processing Recorded in Transaction File
Updation of Master File
Generation of Output
 On Line Processing System
 Interactive Processing
 On-line real time processing
 Time Sharing
 Service Bureau
 Integrated File System
14
System configuration Processing systems
 Large system computers  Batch processing

 Stand alone personal computers  On Line Processing System

 Network computing system  Interactive Processing “Transaction driven”

 Electronic data interchange (EDI)  On-line real time processing

 Time Sharing

 Service Bureau

 Integrated File System

15
System configuration Processing systems
 Large system computers  Batch processing

 Stand alone personal computers  On Line Processing System

 Network computing system  Interactive Processing

 Electronic data interchange (EDI)  On-line real time processing

A. Decision Support System  Time Sharing

 The Users
 Data bases
 Planning Language
 Service Bureau
 Model Base
B. Expert System  Integrated File System
 Knowledge Base
 Inference Engine
 Use interface
 Explanation facility
 Knowledge acquisition Facility 16
System configuration Processing systems
 Large system computers  Batch processing

 Stand alone personal computers  On Line Processing System

 Network computing system  Interactive Processing

 Electronic data interchange (EDI)  On-line real time processing

 Time Sharing

 Service Bureau
sequentially
 Integrated File System randomly
indexed
Indexed sequential

17
 Effect of
Computers on
Internal Controls

18
❶Separation of Duties
❷Delegation of Authority and Responsibility
❸Competent and Trustworthy Personnel
❹System of Authorization
General
Specific
❺Adequate Documents and Records
❻Physical Control Over Assets and Records
❼Adequate Management Supervision
❽Independent Checks On Performance
❾Comparing Recorded Accountability with
Assets
19
 - an essential pre-requisite to
Internal efficient and effective management
of any organization.
Control - a CIS system depends on the same
principal as that of manual system.

20
The basic components that can be identified in a CIS environment
are:

Hardware

Software

People

Transmission Media

21
Major classes of control that the auditor must evaluate are:

❶Authenticity Controls (password control, personal identification numbers, digital signatures)

❷Accuracy Control (program validation check that a numeric field contains only numeric, overflow checks, control totals, has totals, etc.)
❸Completeness Control (program validation check, sequence check, etc.)
❹Redundancy Control (batch cancellation stamp, circulating error files, etc.)
❺Privacy Control (cryptograph, data compaction, inference control, etc.)
❻Audit Trail Controls
❼Existence Controls (database dump and logs for recovery purposes duplicate hardware, preventive maintenance, check point and
restart control)

❽Asset safeguarding Controls (physical barriers, libraries, etc.)

❾Effectiveness Controls (monitoring of user satisfaction, post audits, periodic cost benefit analysis, etc.)
❿Efficiency Controls
22
Consideration of
Control
Attributes by the
Auditors

23
Consideration of Control Attributes
by the Auditors
In evaluating the effects of a control, the auditor needs to
assess the reliability by considering the various attributes
of a control. Some of the attributes are:

❶Whether the control is in place and is

functioning as desired.

❷Generality vs. specificity of the control with

respect to the various types of errors and
irregularities that might occur.

❸Whether the control acts to prevent, detect or

correct errors.

❹The number of components used to execute

the control.
24
Internal Control
Requirement
under CIS
Environment

25
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and
Maintenance Control
❸Computer Operation Controls
❹System Software Control
❺Data Entry And Program Control
❻Control Over Input
❼Control Over Processing And Computer Data
Files
❽Control Over Output
❾Other Safeguards
26
The requirement of internal control under CIS environment may cover
the following aspects:
a) Policies and procedures
relating to control
❶Organization And Management Control functions
❷Application System Development and b) Appropriate segregation
of incompatible
Maintenance Control functions
❸Computer Operation Controls
❹System Software Control
❺Data Entry And Program Control
❻Control Over Input
❼Control Over Processing And Computer Data
Files
❽Control Over Output
❾Other Safeguards
27
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and a) Testing, conversion, implementation and
documentation of new revised system
Maintenance Control b) Changes made to application system
❸Computer Operation Controls c) Access to system documentation
❹System Software Control d) Acquisition of application system from third
parties
❺Data Entry And Program Control
❻Control Over Input
❼Control Over Processing And Computer Data
Files
❽Control Over Output
❾Other Safeguards
28
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and
a) The systems are used for authorized purposes only
Maintenance Control b) Access to computer operation is restricted to
❸Computer Operation Controls authorized personnel
❹System Software Control c) Only authorized programs are to be used
d) Processing errors are detected and corrected
❺Data Entry And Program Control
❻Control Over Input
❼Control Over Processing And Computer Data
Files
❽Control Over Output
❾Other Safeguards
29
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and
Maintenance Control
❸Computer Operation Controls a) Authorization, approval, testing, implementation
and documentation of new system software and
❹System Software Control system software modification
❺Data Entry And Program Control b) Restriction of access to system software and
documentation to authorized personnel
❻Control Over Input
❼Control Over Processing And Computer Data
Files
❽Control Over Output
❾Other Safeguards
30
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and
Maintenance Control
❸Computer Operation Controls
❹System Software Control a) An authorization structure is established over
❺Data Entry And Program Control transaction being entered into the system
b) Access to data and program is restricted to
❻Control Over Input authorized personnel
❼Control Over Processing And Computer Data
Files
❽Control Over Output
❾Other Safeguards
31
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and
Maintenance Control
❸Computer Operation Controls
a) Transactions are properly authorized before being
❹System Software Control processed by the computer
❺Data Entry And Program Control b) Transactions are accurately converted into
machine readable from and recorded in the
❻Control Over Input computer data files
❼Control Over Processing And Computer Data are not lost, added, duplicated or
c) Transaction
improperly changed
Files d) Incorrect transactions are rejected, corrected and
❽Control Over Output if necessary, resubmitted on a timely basis
❾Other Safeguards
32
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and
Maintenance Control
❸Computer Operation Controls
❹System Software Control
❺Data Entry And Program Control a) Transactions including system generated
❻Control Over Input transactions are properly processed by the
computer
❼Control Over Processing And Computer Data b) Transaction are not lost, added duplicated
Files or improperly changed
❽Control Over Output c) Processing errors are identified and
corrected on a timely basis
❾Other Safeguards
33
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and
Maintenance Control
❸Computer Operation Controls
❹System Software Control
❺Data Entry And Program Control
❻Control Over Input
❼Control Over Processing And Computer Data
Files a) Results of processing are accurate
❽Control Over Output b) Access to output is restricted to authorized personnel
c) Output is provided to appropriate authorized
❾Other Safeguards personnel on a timely basis
34
The requirement of internal control under CIS environment may cover
the following aspects:

❶Organization And Management Control

❷Application System Development and
Maintenance Control
❸Computer Operation Controls
❹System Software Control
❺Data Entry And Program Control
❻Control Over Input
❼Control Over Processing And Computer Data
Files
❽Control Over Output a) Offsite back-up of data and program
b) Recovery procedures for use in the event of theft,
❾Other Safeguards loss or intentional or accidental destruction
c) Provision of offsite processing in the event of disaster
35
 Approach to
Auditing in a CIS
Environment

36
The approach to auditing in a CIS environment provides for the
following:

1.Skill and Competence

2.Planning
3.Risk
4.Risk Assessment
5.Documentation

37
The approach to auditing in a CIS environment provides for the
following:
• PLAN
• DIRECT
1.Skill and Competence •
•
SUPERVISE
CONTROL
•
2.Planning REVIEW

3.Risk
4.Risk Assessment
5.Documentation

38
The approach to auditing in a CIS environment provides for the
following:

1.Skill and Competence

a) The CIS infrastructure and application software used by the entity.

2.Planning b) The significance and complexity of computerized processing in each significant

accounting application.
c) Determination of the organizational structure of the client
3.Risk d) The auditor needs to determine the extent of availability of data by reference
to source documents, computer files and other evidential manners.

4.Risk Assessment
5.Documentation

39
The approach to auditing in a CIS environment provides for the
following:

1.Skill and Competence

2.Planning a) Lack of transaction trails
b) Uniform processing of transaction
3.Risk c) Lack of segregation of functions
d) Potential for errors and irregularities
4.Risk Assessment
e) Initiation or Execution of Transactions
f) Dependence of Other Controls over Computer
Processing
g) Increased management Supervision
h) Use of Computer-Assisted Audit Techniques

5.Documentation

40
The approach to auditing in a CIS environment provides for the
following:

1.Skill and Competence

2.Planning
3.Risk The auditor in accordance with PSA 315 “Identifying and
Assessing the Risks of Material Misstatement through
4.Risk Assessment Understanding the Entity and its Environment” should make
an assessment of inherent and control risk for material
financial statement assertions.
5.Documentation
Risk may result from deficiencies in: Risk may also increase the potential for errors or
a) Program development and maintenance fraudulent activities in:
b) System software support a) Specific applications
c) Operations b) Specific data base or master files
d) Control over access to specialized utility programs c) Specific processing activities
41
The approach to auditing in a CIS environment provides for the
following:

1.Skill and Competence

2.Planning
3.Risk
4.Risk Assessment
The Auditor should document the audit plan, the nature,
5.Documentation timing and extent of audit procedures performed and the
conclusions drawn from the evidence obtained.

42
 Review of
Checks and
Controls in a CIS
Environment

43
Review Process

❶Organization Structure / Control

❷Documentation Control
❸Access Control
❹Input Controls
❺Processing Controls
❻Recording Control
❼Storage Control
❽Output Control
44
Review Process

❶Organization Structure / Control

❷Documentation Control
❸Access Control
❹Input Controls
❺Processing Controls
❻Recording Control
❼Storage Control
❽Output Control
a) Data Administrator
b) Database Administrator
c) System Analyst
d) System Programmers
e) Application Programmer
f) Operation Specialist
g) Librarian
45
Review Process

❶Organization Structure / Control

❷Documentation Control
❸Access Control a) A system flowchart
❹Input Controls b) A program flowchart
c) Program change
❺Processing Controls d) Operator instructions
e) Program description
❻Recording Control
❼Storage Control
❽Output Control
46
Review Process

❶Organization Structure / Control

❷Documentation Control
❸Access Control
a) Segregation Controls
❹Input Controls b) Limited physical access to the computer facility
c) Visitor entry logs
❺Processing Controls d) Hardware and software access controls
e) Call back
❻Recording Control f) Encryption
g) Computer application controls
❼Storage Control
❽Output Control
47
Review Process

❶Organization Structure / Control

❷Documentation Control • Batch Control Totals
❸Access Control •
•
Batch Hash Totals
Batch Record Totals
❹Input Controls a) Pre-printed Form
b) Check Digit
• Sequence Checks

❺Processing Controls c)d) Completeness Totals

Reasonableness Checks
❻Recording Control e) Field checks
f) Record Checks
•
•
Missing data/blank
Alphabetic/Numeric
❼Storage Control g) File checks •
•
Range
Master Reference
❽Output Control • Reasonableness
•
•
Size
Format Mask
• Valid-Sign-Numeric
• Size
48
Review Process

❶Organization Structure / Control

❷Documentation Control
❸Access Control
❹Input Controls i. Overflow
ii. Range
❺Processing Controls iii. Sign test
iv. Cross footing
❻Recording Control v. Run-to-Run Control

❼Storage Control
❽Output Control
49
Review Process

❶Organization Structure / Control

❷Documentation Control
❸Access Control
❹Input Controls
❺Processing Controls
a) Error log
❻Recording Control b) Transaction Log

❼Storage Control
❽Output Control
50
Review Process

❶Organization Structure / Control

❷Documentation Control
❸Access Control
❹Input Controls
❺Processing Controls
❻Recording Control a)b) Physical Protection Against Erasure
External Label
c) Magnetic Labels
❼Storage Control d) File Back-up Routines
e) Database Back-up Routines
❽Output Control f) Cryptographic Storage

51
Review Process

❶Organization Structure / Control

❷Documentation Control
❸Access Control
❹Input Controls
❺Processing Controls
❻Recording Control
❼Storage Control
❽Output Control
52
 Computer
Assisted Audit
Techniques
(CAATS)

53
Uses of CAATs

test of details of transactions and balances

analytical procedures
test of general controls
sampling programs to extract data for audit testing
test of application controls
reperforming calculations performed by the entity
accounting systems

54
Audit Software

Packaged Programs
Purpose Written Programs
Utility Programs
System Management Programs
IT Knowledge, Expertise And Experience of the Audit Team

Availability of CAATs and Suitable Computer Facilities

Impracticability of Manual Tests 55

Effectiveness and Efficiency

Analyzing and selecting samples from a large volume of

transactions
Applying analytical procedures
Performing substantive procedures

*Matters relating to efficiency that an auditor might consider include:

 The time taken to plan, design, execute and evaluate CAAT
 Technical review and assistance hours
 Designing ang printing of forms
 Availability of computer resources

Time Constraints
56
Using CAATs
The major steps to be undertaken by the auditor in the application of CAAT are to:
a) Set the objective
h) Identify the personnel who may participate
b) Determine the content and accessibility of
in the design and application of CAAT
the entity’s files
i) Refine the estimates of costs and benefits
c) Identify the specific files or databases to be
j) Ensure that the use of CAAT is properly controlled
examined
k) Arrange the administrative activities, including the necessary
d) Understand the relationship between the
skills and computer facilities
data tables where a database is to be
l) Reconcile data to be used for CAAT with the accounting and
examined
other records
e) Define the specific tests or procedures and
m) Execute CAAT application
related transactions and balances affected
n) Evaluate the results
f) Define the output requirements
o) Document CAATs to be used including objectives, high level
g) Arrange with the user and IT departments, if
flowcharts and run instructions
appropriate, for copies of the relevant files
p) Assess the effect of changes to the programs/system on the
or database tables to be made at the
use of CAAT
appropriate cut off date and time

Testing CAATs 57
Controlling CAAT Application

The Auditor considers the need to:

a) Approve specifications and conduct review of the work to be performed by CAAT;
b) Review the entity’s general controls that may contribute to the integrity of CAAT
c) Ensure appropriate integration of the output by the auditor into the audit process.

Procedures carried out by the auditor to control CAAT’s applications may include:
(a) Participating in the design and testing of CAAT
(b)Checking, if applicable, the coding of the program
(c) Asking the entity’s staff to review the operating system instructions
(d)Running the audit software on small test files before running it on the main data files.
(e) Checking whether the correct files were used
(f) Obtaining evidence that the audit software functioned as planned
(g) Establishing appropriate security measures to safeguard the integrity and confidentiality of the data.

58
Thank You
Jocson, Julie Mark
Suan, Charla Mae
Tendencia, Roselyn
Vista, Shawnee Rica