
Auditing Theory

AUDITING IN A CIS (IT) ENVIRONMENT


1. A CIS environment exists when a computer of any type or size is involved in
the processing by the entity of financial information of significance to the
audit, whether the computer is operated by the entity or by a third party.
2. The overall objective and scope of an audit does not change in a CIS
environment.
3. A CIS environment may affect:
a. The procedures followed in obtaining a sufficient understanding of the
accounting and internal control system.
b. The consideration of the inherent and control risk.
c. The design and performance of tests of controls and substantive
procedures.
4. The auditor should have sufficient knowledge of the CIS to plan, direct and
review the work performed.
5. If specialized skills are needed, the auditor would seek the assistance of a
professional possessing such skills, who may be either on the auditor's staff
or an outside professional.
6. In planning the portions of the audit which may be affected by the client's CIS
environment, the auditor should obtain an understanding of the significance
and complexity of the CIS activities and the availability of data for use in the
audit.
7. When the CIS are significant, the auditor should also obtain an understanding
of the CIS environment and whether it may influence the assessment of
inherent and control risks.
8. The auditor should consider the CIS environment in designing audit
procedures to reduce audit risk to an acceptably low level. The auditor can
use either manual audit procedures, computer-assisted audit techniques, or a
combination of both to obtain sufficient evidential matter.
RISK ASSESSMENTS AND INTERNAL CONTROL:
CIS CHARACTERISTICS AND CONSIDERATIONS
Organizational Structure
Characteristics of a CIS organizational structure include:
a. Concentration of functions and knowledge
Although most systems employing CIS methods will include certain manual
operations, generally the number of persons involved in the processing of
financial information is significantly reduced.
b. Concentration of programs and data
Transactions and master file data are often concentrated, usually in
machine-readable form, either in one computer installation located centrally or in a
number of installations distributed throughout the entity.
Nature of Processing
The use of computers may result in the design of systems that provide less visible
evidence than those using manual procedures. In addition, these systems may be
accessible by a larger number of persons.
System characteristics that may result from the nature of CIS processing include:
a. Absence of input documents
Data may be entered directly into the computer system without
supporting documents.
In some on-line transaction systems, written evidence of individual data
entry authorization (e.g., approval for order entry) may be replaced by
other procedures, such as authorization controls contained in computer
programs (e.g., credit limit approval).
b. Lack of visible audit trail
The transaction trail may be partly in machine-readable form and may exist
only for a limited period of time (e.g., audit logs may be set to overwrite
themselves after a period of time or when the allocated disk space is
consumed).
c. Lack of visible output
Certain transactions or results of processing may not be printed, or only
summary data may be printed.
d. Ease of access to data and computer programs
Data and computer programs may be accessed and altered at the computer
or through the use of computer equipment at remote locations. Therefore, in
the absence of appropriate controls, there is an increased potential for
unauthorized access to, and alteration of, data and programs by persons
inside or outside the entity.
Design and Procedural Aspects
The development of CIS will generally result in design and procedural characteristics
that are different from those found in manual systems. These different design and
procedural aspects of CIS include:
a. Consistency of performance
CIS perform functions exactly as programmed and are potentially more
reliable than manual systems, provided that all transaction types and
conditions that could occur are anticipated and incorporated into the system.
On the other hand, a computer program that is not correctly programmed
and tested may consistently process transactions or other data erroneously.
b. Programmed control procedures
The nature of computer processing allows the design of internal control
procedures in computer programs.
c. Single transaction update of multiple or data base computer files
A single input to the accounting system may automatically update all records
associated with the transaction.
d. Systems generated transactions
Certain transactions may be initiated by the CIS itself without the need for an
input document.
e. Vulnerability of data and program storage media
Large volumes of data and the computer programs used to process such data
may be stored on portable or fixed storage media, such as magnetic disks
and tapes. These media are vulnerable to theft, loss, or intentional or
accidental destruction.
INTERNAL CONTROLS IN A CIS ENVIRONMENT
GENERAL CIS CONTROLS- to establish a framework of overall control over
the CIS activities and to provide a reasonable level of assurance that the
overall objectives of internal control are achieved.
General CIS controls may include:
a. Organization and management controls- designed to define the
strategic direction and establish an organizational framework over CIS
activities, including:
- Strategic information technology plan
- CIS policies and procedures
- Segregation of incompatible functions
- Monitoring of CIS activities performed by third party consultants
b. Development and maintenance controls- designed to provide
reasonable assurance that systems are developed or acquired,
implemented and maintained in an authorized and efficient manner. They
also typically are designed to establish control over:
- Project initiation, requirements definition, systems design, testing,
  data conversion, go-live decision, migration to production
  environment, documentation of new or revised systems, and user
  training.
- Acquisition and implementation of off-the-shelf packages.
- Request for changes to the existing systems.
- Acquisition, implementation, and maintenance of system software.
c. Delivery and support controls- designed to control the delivery of CIS
services and include:
- Establishment of service level agreements against which CIS
  services are measured.
- Performance and capacity management controls.
- Event and problem management controls.
- Disaster recovery/contingency planning, training and file backup.
- Computer operations controls.
- Systems security.
- Physical and environment controls.
d. Monitoring controls- designed to ensure that CIS controls are working
effectively as planned. These include:
- Monitoring of key CIS performance indicators.
- Internal/external CIS audits.
CIS APPLICATION CONTROLS- to establish specific control procedures over the
application systems in order to provide reasonable assurance that all transactions
are authorized, recorded, and are processed completely, accurately and on a timely
basis. CIS application controls include:
a. Control over input- designed to provide reasonable assurance that:
- Transactions are properly authorized before being processed by the
  computer.
- Transactions are accurately converted into machine-readable form and
  recorded in the computer data files.
- Transactions are not lost, added, duplicated or improperly changed.
- Incorrect transactions are rejected, corrected and, if necessary,
  resubmitted on a timely basis.
b. Controls over processing and computer data files- designed to provide
reasonable assurance that:
- Transactions, including system generated transactions, are properly
  processed by the computer.
- Transactions are not lost, added, duplicated or improperly changed.
- Processing errors (i.e., rejected data and incorrect transactions) are
  identified and corrected on a timely basis.
c. Controls over output- designed to provide reasonable assurance that:
- Results of processing are accurate.
- Access to output is restricted to authorized personnel.
- Output is provided to appropriate authorized personnel on a timely
  basis.
Review of general CIS application controls
CIS application controls which the auditor may wish to test include:
a. Manual controls exercised by the user
b. Controls over system output
c. Programmed control procedures
CIS ENVIRONMENTS- STAND-ALONE PERSONAL COMPUTER
1. A personal computer (PC) can be used in various configurations. These
include:
a. a stand-alone workstation operated by a single user or a number of users
at different times;
b. a workstation which is a part of a Local Area Network (LAN) of PCs; and
c. a workstation connected to a server.
2. In a stand-alone PC environment, it may not be practicable or cost-effective
for management to implement sufficient controls to reduce the risks of
undetected error to a minimum level.
3. After obtaining the understanding of the accounting system and control
environment, the auditor may find it more cost-effective not to make a
further review of general controls or application controls, but to concentrate
audit efforts on substantive procedures.
CIS ENVIRONMENTS- ON-LINE COMPUTER SYSTEMS
1. On-line computer systems are computer systems that enable users to access
data and programs directly through terminal devices.
2. On-line systems allow users to directly initiate various functions such as:
a. Entering transactions
b. Making inquiries
c. Requesting reports
d. Updating master files
e. Electronic commerce activities
3. Types of terminals used in on-line systems:
A. General purpose terminals
1. Basic keyboard and screen
2. Intelligent terminal
3. PCs
B. Special purpose terminals
1. Point-of-sale devices
2. Automated Teller Machines (ATM)
