
AUDITING IN A COMPUTERIZED ENVIRONMENT
Characteristics of CIS
Lack of visible transaction trails
Consistency of performance
Ease of access to data and computer programs
Concentration of duties
Systems generated transactions
Vulnerability of data and program storage media
Internal Control in a CIS Environment
General Controls

These are controls that relate to the environment within
which computer-based accounting systems are developed,
maintained and operated, and that are aimed at providing
reasonable assurance that the overall objectives of internal
control are achieved. These controls may be either manual or
programmed.
Application Controls
1. Organizational Controls
Segregation between the CIS department and
user department
- CIS department must be independent of all departments
within the entity that provide input data or that use output
generated by the CIS.
Segregation of duties within the CIS department
- Functions within the CIS department should be properly
segregated for good organizational controls.
[Organization chart of the CIS department. Boxes: CIS Director; Systems Development; Operations; Other Functions; Systems Analyst; Programmer; Data Entry Operator; Computer Operator; Control Group; Librarian]

Position: Primary Responsibilities
CIS Director: Exercises control over the CIS department.
Systems Analyst: Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers.
Programmer: Guided by the specifications of the systems analyst, the programmer writes a program, tests and debugs such programs, and prepares the computer operating instructions.
Computer Operator: Using the program and detailed operating instructions prepared by the programmer, the computer operator operates the computer to process transactions.
Data Entry Operator: Prepares and verifies input data for processing.
Librarian: Maintains custody of systems documentation, programs and files.
Control Group: Reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output, and distributes output to authorized personnel.
2. Systems Development and Documentation Controls
Software development as well as changes thereof must be
approved by the appropriate level of management and the user
department.
must be TESTED and MODIFIED

3. Access Controls
Every computer system should have adequate security
controls to protect equipment, files and programs.
4. Data Recovery Controls
Data recovery controls provide for the maintenance of backup
files and off-site storage procedures.
Grandfather, father, son - a practice that requires an entity
to keep the two most recent generations of master files and
transaction files.
5. Monitoring Controls
Monitoring controls are designed to ensure that CIS controls
are working effectively as planned.
Application Controls
Application controls are those policies and procedures that relate
to the specific use of the system. These are designed to provide
reasonable assurance that all transactions are authorized, and
that they are processed completely, accurately translated into
machine readable form.
1. Controls over input
Input controls are designed to provide reasonable assurance
that data submitted for processing are complete, properly
authorized and accurately translated into machine readable
form.
Examples of input controls:
Key verification
- Requires data to be entered twice to provide assurance
that no key entry errors are committed.
Field check
- This ensures that the input data agree with the required field
format.
Validity check
- Information entered is compared with the valid
information in the master file to determine the authenticity
of the input.
Self-checking digit
- This is a mathematically calculated digit which is usually
added to a document number to detect common
transpositional errors in data submitted for processing.
Limit Check
- Designed to ensure that data submitted for processing do
not exceed a pre-determined limit or a reasonable amount.
Control totals
- These are totals computed based on the data submitted
for processing. Control totals ensure the completeness of
data before and after they are processed.
Financial totals
Hash totals
Record counts

Example batch:
Voucher No. 141: P 15,000
Voucher No. 142: P 20,000
Voucher No. 143: P 5,000
Financial total = P 40,000 (P 15,000 + P 20,000 + P 5,000)
Hash total = 426 (141 + 142 + 143)
Record count = 3
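An added example, not part of the original slides: the three control totals computed for the voucher batch above and reconciled against what comes out of processing. The four processed batches are constructed for illustration; the last one shows an error that control totals do not catch.

```python
from decimal import Decimal

def control_totals(batch):
    """Record count, financial total and hash total for (voucher no, amount) pairs."""
    return {
        "record_count": len(batch),
        "financial_total": sum((amount for _, amount in batch), Decimal(0)),
        "hash_total": sum(voucher_no for voucher_no, _ in batch),
    }

def reconcile(submitted, processed):
    """Names of the control totals that disagree between input and output."""
    before, after = control_totals(submitted), control_totals(processed)
    return [name for name in before if before[name] != after[name]]

# Batch from the slide: (voucher number, amount in pesos).
SUBMITTED = [(141, Decimal(15000)), (142, Decimal(20000)), (143, Decimal(5000))]

# Constructed processing results, one error each.
LOST_RECORD = SUBMITTED[:2]                               # voucher 143 dropped
ALTERED_AMOUNT = [(141, Decimal(15000)), (142, Decimal(2000)), (143, Decimal(5000))]
WRONG_VOUCHER = [(141, Decimal(15000)), (142, Decimal(20000)), (134, Decimal(5000))]
# Amounts of 141 and 142 swapped: every total still agrees, so this error
# needs a record-level control (for example key verification) to be found.
OFFSETTING = [(141, Decimal(20000)), (142, Decimal(15000)), (143, Decimal(5000))]

if __name__ == "__main__":
    print(control_totals(SUBMITTED))
    cases = [("lost record", LOST_RECORD), ("altered amount", ALTERED_AMOUNT),
             ("wrong voucher number", WRONG_VOUCHER), ("offsetting swap", OFFSETTING)]
    for label, processed in cases:
        print(label, "->", reconcile(SUBMITTED, processed) or "all totals agree")
```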

2. Controls over processing
Processing controls are designed to provide reasonable assurance that
input data are processed accurately, and that data are not lost, added,
excluded, duplicated or improperly changed.
3. Controls over output
Output controls are designed to provide reasonable assurance that the results
of processing are complete, accurate and that these output are distributed
only to authorized personnel.
Auditing Around the Computer
Involves selection of representative
sample of source documents and
tracing them to final destination

The controls and procedures used in
processing the data were
considered unimportant.

Auditing Through Computers
This approach de-emphasizes testing
of records and focuses on the
examination of the processing system
to enhance the probability of system
generated records being accurate.


Computer Assisted Audit Techniques (CAATs)

- Also called white box approach
- Computer programs and data which the auditor uses as part of the audit
procedures to process data of audit significance contained in an entity's
information systems.


Commonly used CAATs:
Test Data
Integrated Test Facility
Parallel Simulation

TEST DATA
- Primarily designed to test the effectiveness of the internal control
procedures which are incorporated in the client's computer program.
Objective: To determine whether the client's computer programs can
correctly handle valid and invalid conditions as they arise.

[Diagram: Auditor's test data -> processed using client's program -> output; the output is compared manually with the auditor's expected output]
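An added example, not part of the original slides, of the test data technique applied to three of the input controls described earlier (self-checking digit, validity check, limit check). The client_edit function is a hypothetical stand-in for the client's program with a deliberately seeded defect; the modulus-11 check-digit scheme, vendor codes, limit and test records are assumptions constructed for illustration.

```python
from decimal import Decimal

VENDOR_MASTER = {"V001", "V002"}     # constructed vendor master file
# Assumed documented policy: no voucher may exceed P 50,000.

def check_digit_ok(number):
    """Modulus-11 self-checking digit, weights 1, 2, 3... from the rightmost digit."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = sum(int(d) * w for w, d in enumerate(reversed(number), start=1))
    return total % 11 == 0

def client_edit(voucher_no, vendor, amount):
    """Hypothetical stand-in for the client's input edit program."""
    if not check_digit_ok(voucher_no):
        return "REJECT_CHECK_DIGIT"
    if vendor not in VENDOR_MASTER:                 # validity check
        return "REJECT_VALIDITY"
    if Decimal(amount) > Decimal(500000):           # seeded defect: policy says 50,000
        return "REJECT_LIMIT"
    return "ACCEPT"

# Auditor's test data: (voucher no, vendor, amount, auditor's expected output).
TEST_DECK = [
    ("1414", "V001", "15000", "ACCEPT"),              # valid
    ("1422", "V002", "50000", "ACCEPT"),              # valid, exactly at the limit
    ("1242", "V002", "20000", "REJECT_CHECK_DIGIT"),  # 1422 with two digits transposed
    ("1430", "V999", "5000", "REJECT_VALIDITY"),      # vendor not in master file
    ("1430", "V001", "50001", "REJECT_LIMIT"),        # one peso over the limit
]

def run_test_deck(program, deck):
    """Process the test data through the program and list every mismatch."""
    exceptions = []
    for voucher_no, vendor, amount, expected in deck:
        actual = program(voucher_no, vendor, amount)
        if actual != expected:
            exceptions.append((voucher_no, amount, expected, actual))
    return exceptions

if __name__ == "__main__":
    for exc in run_test_deck(client_edit, TEST_DECK):
        print("exception: voucher %s amount %s expected %s got %s" % exc)
```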
INTEGRATED TEST FACILITY (ITF)
When using this technique, the auditor creates a dummy or fictitious
employee or other appropriate unit for testing within the entity's
computer system.

[Diagram: Auditor's test data and client's data -> processed using client's program -> output; the output is compared manually with the auditor's expected output]
PARALLEL SIMULATION
- Requires the auditor to write a program that simulates key features or
processes of the program under review.


[Diagram: two flows, each labelled client's data -> processed using client's program -> output; the two outputs are compared manually]
Parallel simulation can be accomplished by using:

Generalized audit software
Consists of generally available computer packages which have been
designed to perform common audit tasks such as performing or verifying
calculations, summarizing and totaling files, and reporting in a format
specified by the auditor.

Purpose-written programs
Designed to perform audit tasks in specific circumstances
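
An added example, not part of the original slides, of parallel simulation with a purpose-written program: the auditor re-performs one key calculation on the client's data and compares the result, record by record, with the client's output. The invoice records, the client output and the quantity x unit price rule are constructed for illustration.

```python
from decimal import Decimal

# Constructed extract of the client's transaction file: (invoice no, quantity, unit price).
CLIENT_DATA = [
    ("INV-01", 10, "125.50"),
    ("INV-02", 3, "999.99"),
    ("INV-03", 7, "40.00"),
    ("INV-04", 1, "15000.00"),
]

# Constructed output of the client's program: invoice no -> extended amount.
CLIENT_OUTPUT = {
    "INV-01": "1255.00",
    "INV-02": "2999.97",
    "INV-03": "208.00",     # should be 280.00
    "INV-05": "500.00",     # no matching source record
}

def simulate(data):
    """Auditor's own re-implementation of the calculation under review."""
    return {inv: (qty * Decimal(price)).quantize(Decimal("0.01"))
            for inv, qty, price in data}

def compare(simulated, client_output):
    """Exceptions: changed amounts, records lost from or added to the output."""
    exceptions = []
    for inv in sorted(set(simulated) | set(client_output)):
        if inv not in client_output:
            exceptions.append((inv, "missing from client output"))
        elif inv not in simulated:
            exceptions.append((inv, "not in source data"))
        elif simulated[inv] != Decimal(client_output[inv]):
            exceptions.append((inv, "amount differs"))
    return exceptions

if __name__ == "__main__":
    for inv, reason in compare(simulate(CLIENT_DATA), CLIENT_OUTPUT):
        print(inv, reason)
```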

Advantages of CAATs
CAATs allow the auditor to:
Independently access the data stored on a computer system
without dependence on the client;
Test the reliability of client software, i.e. the IT application
controls (the results of which can then be used to assess control
risk and design further audit procedures);
Increase the accuracy of audit tests; and
Perform audit tests more efficiently, which in the long-term will
result in a more cost effective audit.

Disadvantages of CAATs
CAATs can be expensive and time consuming to set up; the software
must either be purchased or designed (in which case specialist IT staff
will be needed);
Client permission and cooperation may be difficult to obtain;
Potential incompatibility with the client's computer system;
The audit team may not have sufficient IT skills and knowledge to
create the complex data extracts and programming required;
The audit team may not have the knowledge or training needed to
understand the results of the CAATs; and
Data may be corrupted or lost during the application of CAATs.

Other CAATs
Snapshots
- This technique involves taking a
picture of a transaction as it flows
through the computer systems.
Systems control audit review files
(SCARF)
- This involves embedding audit
software modules within an application
system to provide continuous
monitoring of the system's
transactions.
