
AUDITING IN A COMPUTERIZED INFORMATION SYSTEM (CIS) ENVIRONMENT
AMANDO BOBBY F. ISIP
Auditing in CIS is otherwise known in the corporate world as I.T. Audit.

• An I.T. Audit focuses on the computer-based aspects of an organization’s information system.
• This includes assessing the proper implementation, operation, and control of computer resources.

The I.T. Auditor does not participate in systems design, but rather provides input in the form of advice to further improve its implementation; such recommendations are mainly about control.

• Organization’s information system refers to the whole IT structure of an entity that operates on centralized and delegated authority.
• Assessing the proper implementation is the IT audit itself, wherein the auditor evaluates the different control aspects of all automated systems adopted within the whole organization.
• Control of computer resources refers to the internal manual controls in place to safeguard all hardware.
PHASES OF I.T. AUDIT (flowchart)

Audit Planning Phase:
  Start → Review organization’s policies, practices & structure → Review general controls → Review application controls

Test of Controls Phase:
  Perform tests of controls → Evaluate test results → Determine degree of reliance on controls

Substantive Testing Phase:
  Perform substantive tests → Evaluate test results & issue audit reports → Auditor’s report
AUDIT PLANNING is the most crucial stage in the audit process.
As the saying goes, “if you fail to plan, you plan to fail.”

• Audit planning includes identification of risk areas in the company’s I.T. structure, for example the determination of system administrators’ competence and integrity.
• It also involves identification of a well-designed structure that would strengthen the company’s automated system control.
• Assignment of auditors well experienced in the area of I.T. audit is a crucial factor in audit planning.
Audit Planning Phase – Review of Organization’s Policies, Practices and Structure

• There may be loopholes in the company’s IT policies, for example the absence of a review of the list of resigned employees who still have access to the company’s application systems.
• Practices refers to the unwritten policies adopted within the organization, for example allowing employees to leave their workplace without signing out of the system.
Audit Planning Phase – Review of General Controls and Application Controls

• An example of a general control in the IT structure is segregation of duties, wherein an employee’s access should be limited to his duties and functions.
• Application controls refer to the capability of the system to accept or reject transactions. For example, when the transaction being encoded by the cashier is beyond her authority, the system will prompt for an override approval.
TEST OF CONTROLS represents the procedures and evaluation that determine the strength of both manual and automated controls of the application systems in place within the organization.

• This may include review of written policies and procedures concerning access levels of users.
• Hands-on procedures in the initial operations of an application system would be an essential part of the tests.
Test of Controls Phase – Perform Tests of Controls

• Controls can actually be tested by giving the auditor temporary and limited access to the system, or by observation.
• An auditor may check whether the system has the capability to detect a strong or weak password upon creation of the user ID.
• The auditor may ascertain by actual testing whether the system will automatically log out if left open for a certain period of time.
Test of Controls Phase – Evaluate Test Results

• Evaluation of test results means determining the risk involved in the weaknesses noted as a result of the tests.
• If the system does not automatically sign off when left open, the risk to the user is substantial, because this may lead to fraudulent use that results in losses.
• Weak passwords (e.g. a date of birth) are very easy for other users to memorize, and hence would result in further unauthorized use.
Test of Controls Phase – Determine Degree of Reliance on Controls

• If the auditors’ degree of reliance on the internal control that was evaluated and tested is high, less verification is needed.
• On the contrary, if the degree of reliance is low, coverage would be bigger and the timetable longer.
• Ideally, the auditor must prepare a table enumerating the weaknesses noted in internal controls and assign a numeric rating. By this means, reliance can easily be evaluated.
SUBSTANTIVE TESTING PHASE involves the evaluation of the impact of weaknesses in internal control.

• Impact means the weakness would adversely affect the company’s resources, capital and profitability.
• Substantiating the test results enables the auditors to determine the risk areas, hence making audit activities quicker and smarter.
• Arriving at greater substance in the tests of control would likewise shorten the audit engagement.
Substantive Testing Phase – Perform Substantive Tests

• This test is designed to determine the substance of the procedures performed.
• The auditor is not supposed to do testing on areas which are considered strong when it comes to control.
• An example of a substantive test is when the auditor verifies whether the system is generating reports at the end of the day, since everybody knows that the presence of this report provides substance to the system itself.
Substantive Testing Phase – Evaluate Test Results and Issue Audit Reports

• Audit reports are intended to communicate the results of the evaluation of the company’s IT controls.
• An IT Audit Report is composed of an executive summary with the supporting findings and recommendations.
• Since the purpose of an audit is to add value to the organization, the audit recommendation is the ultimate substance.
Substantive Testing Phase – Audit Report

• The IT audit report should be addressed to the Board Audit Committee (BAC), who in turn will communicate the same to the Board of Directors.
• In some instances, the IT auditor is asked to report to the Board of Directors, depending on the sensitivity of the issue.
• Confidentiality regarding the contents of the auditor’s report shall be observed at all times.
Philippine Standards on Auditing (PSA) No. 402 – Audit Considerations Relating to Entities Using Service Organizations

• There are three parties in this particular CIS auditing standard: the IT auditor, the entity (the company being audited), and the service organization (usually an IT service provider).
• In the evaluation of internal control and risk assessment, the auditor considers the IT company that provides the software and other related services.
UNIQUE CHARACTERISTICS OF SPECIFIC COMPUTERIZED INFORMATION SYSTEM (CIS)

1. Stand Alone System
2. On-line
3. Data Base System

Almost all companies today are operating within the above environment. Their option to use any or all of the above characteristics would depend on the size of the business and the nature of their operations.
Stand Alone System means you can only operate within your office or within your branch. This is the opposite of on-line.

• The user cannot interact with other offices or branches using the same system.
• An example of a stand-alone system is accounting software which has no capability to interface with the BIR system.
• If you are operating a business with numerous branches, your inventory management system is said to be stand-alone if you cannot interact or transmit data with other branches.
On-line System is what most companies have today.
Many IT people opine that a system which is not on-line is useless, because communication is the key factor for any undertaking.

• All banks today (except for small rural banks) are using online application systems, including the Current Accounts & Savings Account System (CASA), Anti-Money Laundering System, Check Image Clearing System (CICS), etc.
• Under the on-line environment, transactions can be done anywhere and anytime. For banking transactions, you can do deposits, withdrawals and other transactions anytime and anywhere.
Data Base System – this means the company has, or maintains, accumulated data which will be used in the day-to-day operations of the business.

• A list of customers is one data base that most companies are using. Once you encode the name of the customer in the system, all information pertaining to him shall be given.
• The chart of accounts is another example of information stored in the data base. The user of the accounting system can use only the chart of accounts maintained in the system.
INTERNAL CONTROL CONSIDERATIONS IN IMPLEMENTING A COMPUTERIZED SYSTEM

1. Appointment of a company-wide system administrator or security manager with the following well-defined functions:
   a. In charge of the creation, deletion, re-activation and unlocking of passwords.
   b. Authorized to inject revisions into the system functionalities.
2. Centralized start-up procedures – this means somebody from head office should be authorized in writing to perform the start-up procedures that open the entire system. For example, if the company has branches nationwide, opening the accounting system should be done by the head office to avoid unauthorized use before the start of official office hours.
3. Default password is the initial password provided by the system. Once encoded by the user, the system will prompt the user to change it immediately.
4. The system must have the capability to detect weak passwords. These are not supposed to be accepted by the system if we want the user’s data to be protected.
5. Each password should have an expiry date to further avoid unauthorized use. Ideally, passwords should expire after 90 days.
6. Old passwords shall not be accepted by the system.
7. There should be a specific time frame within which the system can be used. For example, the system can be used between 8:00am and 10:00pm; beyond 10pm, the system will automatically be closed. Any deviation should be approved by the department head of the user and the head of the IT Department.
8. Resigned employees with active user IDs should be immediately deleted by the system administrator.
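The password and sign-on controls in items 3 to 8 (and the weak-password and time-window checks an auditor performs in the Test of Controls phase), as an added Python example that is not part of the original slides. The 90-day expiry and the 8:00am to 10:00pm window come from the slides; the minimum length of 8 characters, the date-of-birth patterns and the user record layout are assumptions.

```python
import hashlib
from datetime import date, datetime, time

EXPIRY_DAYS = 90                                    # control no. 5 on the slides
WINDOW_START, WINDOW_END = time(8, 0), time(22, 0)  # control no. 7 on the slides
MIN_LENGTH = 8          # assumption: the slides do not state a minimum length

def make_user(user_id, dob_iso, status="active"):
    """Constructed user record; a new ID starts on a default password (control no. 3)."""
    return {"user_id": user_id, "dob": date.fromisoformat(dob_iso), "status": status,
            "history": [], "password_set": None, "must_change": True}

def is_weak(password, user):
    """Control no. 4: too short, no letter/digit mix, or built from the user's own
    details such as the date of birth (the slides' example of a weak password)."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return True
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return True
    dob = user["dob"]
    if any(dob.strftime(fmt) in lowered for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y")):
        return True
    return user["user_id"].lower() in lowered

def change_password(user, new_password, today_iso):
    """Controls no. 3, 4 and 6: reject weak passwords and any password used before."""
    if is_weak(new_password, user):
        return "rejected: weak password"
    # History keeps digests only; a real system would use a salted password hash.
    digest = hashlib.sha256(new_password.encode()).hexdigest()
    if digest in user["history"]:
        return "rejected: old password not accepted"
    user["history"].append(digest)
    user["password_set"] = date.fromisoformat(today_iso)
    user["must_change"] = False
    return "accepted"

def login_decision(user, now_iso):
    """Controls no. 5, 7 and 8, evaluated in order at sign-on."""
    now = datetime.fromisoformat(now_iso)
    if user["status"] == "resigned":
        return "denied: resigned employee with active user ID"
    if user["must_change"]:
        return "force password change: default password still in use"
    if (now.date() - user["password_set"]).days > EXPIRY_DAYS:
        return "force password change: password expired"
    if not WINDOW_START <= now.time() <= WINDOW_END:
        return "denied: outside 08:00-22:00 window, approval required"
    return "allowed"
```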

9. System Generated Reports:

The system should generate reports that can be beneficial to the users. Below are examples:
   a. Activity Log – shows all the activities that happened in the system from opening to closing. This also covers all transactions during the day.
   b. Significant Transactions Report – reflects all transactions with a substantial amount. The report will serve as a guide for auditors and inspectors in evaluating the records and transactions of the company.
   c. Exception Reports – show the transactions that occurred beyond the normal course of business transactions.
Example of a simple computerized payroll system subject of audit

Diagram: Company A payroll software → data file → file encryption (transferred file is encrypted) → transfer by File Transfer Protocol (FTP) → file decryption (transferred file is decrypted by the bank) → bank payroll uploading (accounts of Company A employees are automatically credited)
File Transfer Protocol (FTP) – a client-server protocol used for transferring files to, or exchanging files with, a host computer. In this set-up the files are protected because what is transferred over FTP is the already-encrypted file.

Encrypted file – data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it.
Decrypted file – the conversion of encrypted data into its original form is called decryption. It is generally the reverse process of encryption.

Diagram: Excel payroll file → password → encrypted file → decrypted file (Excel payroll file)

Illustration: the original file shown beside its encrypted form.
LEGAL ISSUES IN I.T. AUDIT

1. Data Privacy Act – all data that has been examined is not supposed to be disseminated to any person, and should remain private.
2. Bank Secrecy Law – covers all information including deposit and loan balances, mobile phones, addresses, names of relatives, etc.
3. Confidentiality of business information – trade secrets, formulas, etc.
4. Intellectual Property Act – the formula or information behind any invention, copyrights, etc.
COMPUTER ASSISTED AUDIT TECHNIQUES SYSTEM (CAATS)

Refers to the use of technology to help evaluate controls by extracting and examining relevant data.

• CAATS itself is software which can be used to interface with another system to obtain or extract information that can be used in the audit.
• An example of data extraction is when CAATS obtains data from the inventory management system to generate the purchases with an amount of P50,000 and above for the whole year.
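The CAATS extraction described above, together with the Significant Transactions Report and Exception Report from item 9 of the internal control considerations, as an added Python example that is not part of the original slides. The P50,000 threshold and the 8:00am to 10:00pm usage window come from the slides; the CSV layout, the sample transactions and the active-user list are constructed assumptions.

```python
import csv
from datetime import datetime, time

THRESHOLD = 50_000.00                     # the slides' P50,000-and-above cut-off
OFFICE_HOURS = (time(8, 0), time(22, 0))  # usage window from control no. 7
ACTIVE_USER_IDS = {"mreyes", "jcruz"}     # constructed: plim has resigned

# Constructed sample extract, as a CAATS tool might pull it from an inventory system.
SAMPLE_EXTRACT = """txn_id,posted_at,user_id,supplier,amount
1001,2023-03-02 09:15,mreyes,ABC Supply,12500.00
1002,2023-03-02 14:40,mreyes,XYZ Trading,75000.00
1003,2023-03-03 23:10,jcruz,ABC Supply,8000.00
1004,2023-06-18 10:05,jcruz,QRS Corp,50000.00
1005,2023-11-30 16:20,plim,XYZ Trading,49999.99
1006,2023-12-01 07:30,plim,QRS Corp,130000.00
"""
def load_extract(text=SAMPLE_EXTRACT):
    """Parse the CSV extract into rows with a typed timestamp and amount."""
    rows = list(csv.DictReader(text.splitlines()))
    for row in rows:
        row["posted_at"] = datetime.strptime(row["posted_at"], "%Y-%m-%d %H:%M")
        row["amount"] = float(row["amount"])
    return rows

def significant_transactions(rows, threshold=THRESHOLD):
    """Significant Transactions Report: IDs of purchases at or above the threshold."""
    return [row["txn_id"] for row in rows if row["amount"] >= threshold]

def exception_report(rows, active_ids=ACTIVE_USER_IDS):
    """Exception Report: transactions outside the normal course of business, here
    defined as posted outside office hours or by a user ID not on the active list."""
    findings = {}
    for row in rows:
        reasons = []
        if not OFFICE_HOURS[0] <= row["posted_at"].time() <= OFFICE_HOURS[1]:
            reasons.append("posted outside 08:00-22:00")
        if row["user_id"] not in active_ids:
            reasons.append("posted by user ID not on active list")
        if reasons:
            findings[row["txn_id"]] = reasons
    return findings

def audit_summary(text=SAMPLE_EXTRACT):
    """Counts and totals the auditor would carry into the findings."""
    rows = load_extract(text)
    significant = significant_transactions(rows)
    total = sum(row["amount"] for row in rows if row["txn_id"] in significant)
    return {"rows": len(rows), "significant": len(significant),
            "significant_total": round(total, 2), "exceptions": len(exception_report(rows))}
```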
Diagram: CAATS → inventory management system → generated data (purchases of P50K & above) → audit analysis & evaluation → audit findings & recommendations → audit report

Thank You!!!