CPA REVIEW SCHOOL OF THE PHILIPPINES AT-8709
Manila
AUDITING THEORY CPA Review
AUDITING IN A CIS (IT) ENVIRONMENT
* A CIS environment exists when a computer of any type or size is involved in the processing
by the entity of financial information of significance to the audit, whether the computer is
operated by the entity or by a third party.
* The overall objective and scope of an audit does not change in a CIS environment.
A CIS environment may affect:
a. The procedures followed in obtaining a sufficient understanding of the accounting and
internal control systems.
b. The consideration of the inherent and control risk.
c. The design and performance of tests of controls and substantive procedures.
* The auditor should have sufficient knowledge of the CIS to plan, direct, and review the work
performed.
If specialized skills are needed, the auditor would seek the assistance of a professional
possessing such skills, who may be either on the auditor's staff or an outside professional.
* In planning the portions of the audit which may be affected by the client's CIS environment,
the auditor should obtain an understanding of the significance and complexity of the CIS
activities and the availability of data for use in the audit.
When the CIS are significant, the auditor should also obtain an understanding of the CIS
environment and whether it may influence the assessment of inherent and control risks.
The auditor should consider the CIS environment in designing audit procedures to reduce
audit risk to an acceptably low level. The auditor can use either manual audit procedures,
computer-assisted audit techniques, or a combination of both to obtain sufficient evidential
matter.
RISK ASSESSMENTS AND INTERNAL CONTROL:
CIS CHARACTERISTICS AND CONSIDERATIONS
Organizational Structure
Characteristics of a CIS organizational structure include:
a. Concentration of functions and knowledge
Although most systems employing CIS methods will include certain manual operations,
generally the number of persons involved in the processing of financial information is
significantly reduced.
b. Concentration of programs and data
Transaction and master file data are often concentrated, usually in machine-readable form,
either in one computer installation located centrally or in a number of installations
distributed throughout the entity.
Nature of Processing
The use of computers may result in the design of systems that provide less visible evidence than
those using manual procedures. In addition, these systems may be accessible by a larger number
of persons.
System characteristics that may result from the nature of CIS processing include:
a. Absence of input documents
* Data may be entered directly into the computer system without supporting documents.
In some online transaction systems, written evidence of individual data entry
authorization (e.g., approval for order entry) may be replaced by other procedures,
such as authorization controls contained in computer programs (e.g., credit limit
approval).
b. Lack of visible audit trail
The transaction trail may be partly in machine-readable form and may exist only for a limited
period of time (e.g., audit logs may be set to overwrite themselves after a period of time or
when the allocated disk space is consumed).
c. Lack of visible output
Certain transactions or results of processing may not be printed, or only summary data may
be printed.
d. Ease of access to data and computer programs
and programs by persons inside or outside the entity.
Design and Procedural Aspects
The development of CIS will generally result in design and procedural characteristics that are
different from those found in manual systems. These different design and procedural aspects of
CIS include:
a. Consistency of performance
CIS perform functions exactly as programmed and are potentially more reliable than manual
systems, provided that all transaction types and conditions that could occur are anticipated
and incorporated into the system. On the other hand, a computer program that is not
correctly programmed and tested may consistently process transactions or other data
erroneously.
b. Programmed control procedures
The nature of computer processing allows the design of internal control procedures in
computer programs.
c. Single transaction update of multiple or data base computer files
A single input to the accounting system may automatically update all records associated
with the transaction.
d. Systems generated transactions
Certain transactions may be initiated by the CIS itself without the need for an input
document.
e. Vulnerability of data and program storage media
Large volumes of data and the computer programs used to process such data may be stored
on portable or fixed storage media, such as magnetic disks and tapes. These media are
vulnerable to theft, loss, or intentional or accidental destruction.
INTERNAL CONTROLS IN A CIS ENVIRONMENT
GENERAL CIS CONTROLS—to establish a framework of overall control over the CIS activities
and to provide a reasonable level of assurance that the overall objectives of internal control are
achieved.
General CIS controls may include:
a. Organization and management controls—designed to define the strategic direction
and establish an organizational framework over CIS activities, including:
* Strategic information technology plan
* CIS policies and procedures
* Segregation of incompatible functions
* Monitoring of CIS activities performed by third party consultants
b. Development and maintenance controls—designed to provide reasonable assurance
that systems are developed or acquired, implemented and maintained in an authorized and
efficient manner. They also typically are designed to establish control over:
* Project initiation, requirements definition, systems design, testing, data conversion,
go-live decision, migration to production environment, documentation of new or revised
systems, and user training.
* Acquisition and implementation of off-the-shelf packages.
* Request for changes to the existing systems.
* Acquisition, implementation, and maintenance of system software.
c. Delivery and support controls—designed to control the delivery of CIS services and
include:
* Establishment of service level agreements against which CIS services are measured.
* Performance and capacity management controls.
* Event and problem management controls.
* Disaster recovery/contingency planning, training, and file backup.
* Computer operations controls.
* Systems security.
* Physical and environment controls.
d. Monitoring controls—designed to ensure that CIS controls are working effectively as
planned. These include:
* Monitoring of key CIS performance indicators.
* Internal/external CIS audits.
CIS APPLICATION CONTROLS—to establish specific control procedures over the application
systems in order to provide reasonable assurance that all transactions are authorized, recorded,
and are processed completely, accurately and on a timely basis. CIS application controls include:
a. Controls over input—designed to provide reasonable assurance that:
* Transactions are properly authorized before being processed by the computer.
* Transactions are accurately converted into machine readable form and recorded in the
computer data files.
* Transactions are not lost, added, duplicated or improperly changed.
* Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely
basis.
b. Controls over processing and computer data files—designed to provide reasonable
assurance that:
* Transactions, including system generated transactions, are properly processed by the
computer.
* Transactions are not lost, added, duplicated or improperly changed.
* Processing errors (i.e., rejected data and incorrect transactions) are identified and
corrected on a timely basis.
c. Controls over output—designed to provide reasonable assurance that:
* Results of processing are accurate.
* Access to output is restricted to authorized personnel.
* Output is provided to appropriate authorized personnel on a timely basis.
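An added example, not part of the original handout: a small computer-assisted audit technique that tests the input and processing objectives above by matching an authorized batch to the processed data file. Record counts and control totals are standard batch controls assumed here (the handout does not name them), and the field names and sample data are constructed; the sample is built so that both totals agree while the record-level match still finds lost, added, duplicated and changed transactions.

```python
import hashlib
from collections import Counter
from decimal import Decimal

# Constructed sample data; the field names (id, account, amount) are hypothetical.
BATCH = [  # transactions as authorized and submitted for processing
    {"id": "T001", "account": "1010", "amount": "100.00"},
    {"id": "T002", "account": "1010", "amount": "250.00"},
    {"id": "T003", "account": "2020", "amount": "75.50"},
    {"id": "T004", "account": "2020", "amount": "40.00"},
    {"id": "T005", "account": "3030", "amount": "310.25"},
    {"id": "T006", "account": "3030", "amount": "20.00"},
]
PROCESSED = [  # records found in the computer data file after processing
    {"id": "T001", "account": "1010", "amount": "100.00"},
    {"id": "T002", "account": "1010", "amount": "205.00"},  # amount altered
    {"id": "T004", "account": "2020", "amount": "40.00"},
    {"id": "T004", "account": "2020", "amount": "40.00"},   # posted twice
    {"id": "T005", "account": "3030", "amount": "310.25"},
    {"id": "T999", "account": "3030", "amount": "100.50"},  # not in the batch
]

def digest(txn):
    """Hash the fields that must pass through processing unchanged."""
    canonical = "|".join(txn[k] for k in ("id", "account", "amount"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def control_total(txns):
    """Sum of amounts, using Decimal to avoid float rounding."""
    return sum(Decimal(t["amount"]) for t in txns)

def reconcile(batch, processed):
    """Batch-level totals plus a record-level match of batch to data file."""
    src = {t["id"]: t for t in batch}
    seen = Counter(t["id"] for t in processed)
    return {
        "count_ok": len(batch) == len(processed),
        "total_ok": control_total(batch) == control_total(processed),
        "lost": sorted(set(src) - set(seen)),
        "added": sorted(set(seen) - set(src)),
        "duplicated": sorted(i for i, n in seen.items() if n > 1),
        "changed": sorted({t["id"] for t in processed
                           if t["id"] in src and digest(t) != digest(src[t["id"]])}),
    }

if __name__ == "__main__":
    for check, result in reconcile(BATCH, PROCESSED).items():
        print(f"{check:>10}: {result}")
```

Offsetting errors leave the record count and control total unchanged, which is why the record-level comparison is run alongside them.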
Review of general CIS controls
General CIS controls that relate to some or all applications are typically interdependent controls
in that their operation is often essential to the effectiveness of CIS application controls.
Accordingly, it may be more efficient to review the design of the general controls before reviewing
the application controls.
Review of CIS application controls
CIS application controls which the auditor may wish to test include:
a. Manual controls exercised by the user
b. Controls over system output
c. Programmed control procedures
CIS ENVIRONMENTS — STAND-ALONE PERSONAL COMPUTERS
1. A personal computer (PC) can be used in various configurations. These include:
a. a stand-alone workstation operated by a single user or a number of users at different
times;
b. a workstation which is a part of a Local Area Network (LAN) of PCs; and
c. a workstation connected to a server.
2. In a stand-alone PC environment, it may not be practicable or cost-effective for
management to implement sufficient controls to reduce the risks of undetected error to a
minimum level.
3. After obtaining the understanding of the accounting system and control environment, the
auditor may find it more cost-effective not to make a further review of general controls or
application controls, but to concentrate audit efforts on substantive procedures.
CIS ENVIRONMENTS — ON-LINE COMPUTER SYSTEMS
1. On-line computer systems are computer systems that enable users to access data and
programs directly through terminal devices.
2. On-line systems allow users to directly initiate various functions such as:
a. entering transactions
b. making inquiries
d. updating master files
e. electronic commerce activities
3. Types of terminals used in on-line systems:
A. General purpose terminals
1. Basic keyboard and screen
2. Intelligent terminal
3. PCs
B. Special purpose terminals
1. Point-of-sale devices
2. Automated Teller Machines (ATM)