CPA REVIEW SCHOOL OF THE PHILIPPINES
Manila
AUDITING THEORY
AT-8709
CPA Review 2
AUDITING IN A CIS (IT) ENVIRONMENT

A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether the computer is operated by the entity or by a third party.

The overall objective and scope of an audit does not change in a CIS environment. A CIS environment may affect:
a. The procedures followed in obtaining a sufficient understanding of the accounting and internal control systems.
b. The consideration of the inherent and control risk.
c. The design and performance of tests of controls and substantive procedures.

The auditor should have sufficient knowledge of the CIS to plan, direct, and review the work performed. If specialized skills are needed, the auditor would seek the assistance of a professional possessing such skills, who may be either on the auditor's staff or an outside professional.

In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use in the audit. When the CIS are significant, the auditor should also obtain an understanding of the CIS environment and whether it may influence the assessment of inherent and control risks. The auditor should consider the CIS environment in designing audit procedures to reduce audit risk to an acceptably low level. The auditor can use either manual audit procedures, computer-assisted audit techniques, or a combination of both to obtain sufficient evidential matter.

RISK ASSESSMENTS AND INTERNAL CONTROL: CIS CHARACTERISTICS AND CONSIDERATIONS

Organizational Structure

Characteristics of a CIS organizational structure include:

a. Concentration of functions and knowledge
   Although most systems employing CIS methods will include certain manual operations, generally the number of persons involved in the processing of financial information is significantly reduced.

b. Concentration of programs and data
   Transaction and master file data are often concentrated, usually in machine-readable form, either in one computer installation located centrally or in a number of installations distributed throughout the entity.

Nature of Processing

The use of computers may result in the design of systems that provide less visible evidence than those using manual procedures. In addition, these systems may be accessible by a larger number of persons.

System characteristics that may result from the nature of CIS processing include:

a. Absence of input documents
   Data may be entered directly into the computer system without supporting documents. In some on-line transaction systems, written evidence of individual data entry authorization (e.g., approval for order entry) may be replaced by other procedures, such as authorization controls contained in computer programs (e.g., credit limit approval).

b. Lack of visible audit trail
   The transaction trail may be partly in machine-readable form and may exist only for a limited period of time (e.g., audit logs may be set to overwrite themselves after a period of time or when the allocated disk space is consumed).

c. Lack of visible output
   Certain transactions or results of processing may not be printed, or only summary data may be printed.

d. Ease of access to data and computer programs and programs by persons inside or outside the entity.

Design and Procedural Aspects

The development of CIS will generally result in design and procedural characteristics that are different from those found in manual systems. These different design and procedural aspects of CIS include:

a. Consistency of performance
   CIS perform functions exactly as programmed and are potentially more reliable than manual systems, provided that all transaction types and conditions that could occur are anticipated and incorporated into the system. On the other hand, a computer program that is not correctly programmed and tested may consistently process transactions or other data erroneously.

b. Programmed control procedures
   The nature of computer processing allows the design of internal control procedures in computer programs.

c. Single transaction update of multiple or data base computer files
   A single input to the accounting system may automatically update all records associated with the transaction.

d. Systems generated transactions
   Certain transactions may be initiated by the CIS itself without the need for an input document.

e. Vulnerability of data and program storage media
   Large volumes of data and the computer programs used to process such data may be stored on portable or fixed storage media, such as magnetic disks and tapes. These media are vulnerable to theft, loss, or intentional or accidental destruction.

INTERNAL CONTROLS IN A CIS ENVIRONMENT

GENERAL CIS CONTROLS—to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved.

General CIS controls may include:

a. Organization and management controls—designed to define the strategic direction and establish an organizational framework over CIS activities, including:
   * Strategic information technology plan
   * CIS policies and procedures
   * Segregation of incompatible functions
   * Monitoring of CIS activities performed by third party consultants

b. Development and maintenance controls—designed to provide reasonable assurance that systems are developed or acquired, implemented and maintained in an authorized and efficient manner.
   They also typically are designed to establish control over:
   * Project initiation, requirements definition, systems design, testing, data conversion, go-live decision, migration to production environment, documentation of new or revised systems, and user training.
   * Acquisition and implementation of off-the-shelf packages.
   * Request for changes to the existing systems.
   * Acquisition, implementation, and maintenance of system software.

c. Delivery and support controls—designed to control the delivery of CIS services and include:
   * Establishment of service level agreements against which CIS services are measured.
   * Performance and capacity management controls.
   * Event and problem management controls.
   * Disaster recovery/contingency planning, training, and file backup.
   * Computer operations controls.
   * Systems security.
   * Physical and environment controls.

d. Monitoring controls—designed to ensure that CIS controls are working effectively as planned. These include:
   * Monitoring of key CIS performance indicators.
   * Internal/external CIS audits.

CIS APPLICATION CONTROLS—to establish specific control procedures over the application systems in order to provide reasonable assurance that all transactions are authorized, recorded, and are processed completely, accurately and on a timely basis.

CIS application controls include:

a. Controls over input—designed to provide reasonable assurance that:
   * Transactions are properly authorized before being processed by the computer.
   * Transactions are accurately converted into machine readable form and recorded in the computer data files.
   * Transactions are not lost, added, duplicated or improperly changed.
   * Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.

b. Controls over processing and computer data files—designed to provide reasonable assurance that:
   * Transactions, including system generated transactions, are properly processed by the computer.
   * Transactions are not lost, added, duplicated or improperly changed.
   * Processing errors (i.e., rejected data and incorrect transactions) are identified and corrected on a timely basis.

c. Controls over output—designed to provide reasonable assurance that:
   * Results of processing are accurate.
   * Access to output is restricted to authorized personnel.
   * Output is provided to appropriate authorized personnel on a timely basis.

Review of general CIS controls

General CIS controls that relate to some or all applications are typically interdependent controls in that their operation is often essential to the effectiveness of CIS application controls. Accordingly, it may be more efficient to review the design of the general controls before reviewing the application controls.

Review of CIS application controls

CIS application controls which the auditor may wish to test include:
a. Manual controls exercised by the user
b. Controls over system output
c. Programmed control procedures

ENVIRONMENTS — STAND-ALONE PERSONAL COMPUTERS

1. A personal computer (PC) can be used in various configurations. These include:
   a. a stand-alone workstation operated by a single user or a number of users at different times;
   b. a workstation which is a part of a Local Area Network (LAN) of PCs; and
   c. a workstation connected to a server.

2. In a stand-alone PC environment, it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected error to a minimum level.

3. After obtaining the understanding of the accounting system and control environment, the auditor may find it more cost-effective not to make a further review of general controls or application controls, but to concentrate audit efforts on substantive procedures.

CIS ENVIRONMENTS — ON-LINE COMPUTER SYSTEMS

1. On-line computer systems are computer systems that enable users to access data and programs directly through terminal devices.

2. On-line systems allow users to directly initiate various functions such as:
   a. entering transactions
   b. making inquiries
   d. updating master files
   e. electronic commerce activities

3. Types of terminals used in on-line systems:
   A. General purpose terminals
      1. Basic keyboard and screen
      2. Intelligent terminal
      3. PCs
   B. Special purpose terminals
      1. Point-of-sale devices
      2. Automated Teller Machines (ATM)
