
AUD05: AUDITING IN CIS ENVIRONMENT
15th September 2023
1:00 - 4:00 pm
Recap

1. What is the difference between manual and CIS environments in terms of documentation and transaction trails?

2. What do we mean by uniform processing?

3. Discuss the CAATs.

4. What do we mean by internal control?


Scope of Audit in a CIS environment

The impact of computerization on the audit approach requires consideration of the following factors:

(1) High speed – In a CIS environment, information can be generated very quickly. Even complex reports in a specific report format can be generated for audit purposes without much loss of time.

Impact on audit: Auditors can expand their substantive procedures to collect more evidence in support of their judgement.

(2) Low clerical error – Because a computerized operation is a systematic and sequential programmed course of action, the chance of committing an error is considerably reduced.

Impact on audit: Clerical error is highly minimized.



(3) Concentration of duties – In a CIS environment, the traditional separation of duties among individuals found in a manual system does not exist, since computer programs perform more than one set of activities at a time, thereby concentrating the duties of several personnel involved in the work.

Impact on audit: The auditor's need to deploy separate individuals for carrying out the verification process is eliminated.

(4) Shifting of internal control base –

i. Application systems development controls – system development controls that provide reasonable assurance that application systems are developed in an authorized and efficient manner, and that establish control over:
a.) testing, conversion, implementation and documentation of new or revised systems
b.) changes to application systems
c.) access to system documentation
d.) acquisition of application systems from third parties
ii. System software controls – designed to provide reasonable assurance that system software is acquired or developed in an authorized and efficient manner, including:
a.) authorization, approval, testing, implementation and documentation of new system software modifications
b.) restriction of access to system software and documentation to authorized personnel
System software is general-purpose software; without system software, the system stops and cannot run. Application software is specific-purpose software; even without application software, the system still runs.

Impact on audit: The audit team should gather enough information regarding the control(s) employed on the company's software.

(5) Disappearance of manual reasonableness/documentation – The shift from a traditional manual information processing environment to a computerized information system environment needs a detailed analysis of the physical system for transformation into a logical platform.

Impact on audit: The auditor should have a complete understanding of, and be able to document, the transition of information from the manual to the computerized environment.

(6) Impact of poor system – Care has to be taken when switching from manual operations to computerized operations; otherwise the computer information system environment may do more harm than good to the integrated business operations.

Impact on audit: The auditor must be alert to the possible omission of information or underperformance of the new computerized system, which could affect the quality of data being processed.

(7) Exception reporting – a departure from straight reporting of all variables. The value of a variable is only reported if it lies outside some pre-determined normal range.

Impact on audit: The auditor will have to focus only on the information that falls outside the expectation.

(8) Man-machine interface / human-computer interaction

i. Man-machine interface – ensures maximum effectiveness of the information system. It provides the information that is required by the user and presents that information in the most uncluttered way.

ii. Human-computer interaction – concerned with the design, evaluation and implementation of interactive computing systems for human use and with the study of the major phenomena surrounding them.
Quiz time…
Quiz No.1
When auditing in a CIS environment, auditors encounter more clerical errors than in manual processing.

a. True
b. False
Quiz No.2
Auditing in a CIS environment allows the auditor to perform more substantive procedures, so that more concrete evidence is gathered to support the conclusion.

a. True
b. False
Quiz No.3
Software refers to a collection of programs.

A. True
B. False
Quiz No.4
What would be the impact on the audit of a poor accounting system?
Quiz No.5
Discuss the difference between application software and system software.
Impact of Changes on Business Process
(shifting from Manual to Electronic Medium)
The impact of changes in business process on the audit may be summarized as:

1. Widespread end-user computing may result in unintentional errors creeping into systems owing to inept handling. Also, a coordinated program may not be possible.
2. Improper use of decision support systems can have serious repercussions. Also, their underlying assumptions must be clearly documented.
3. Usage of sophisticated audit software would be a necessity.
4. The auditor's non-participation at the System Development Life Cycle (SDLC) stage poses considerable problems in understanding the operational controls.
5. Data communication and networking would introduce new audit risks.
6. The move toward paperless EDI would eliminate much of the traditional audit trail, radically changing the nature of audit trails.
*EDI – Electronic Data Interchange
Quiz time…
Quiz No.6
Storage of firmware is
a. Cache Memory
b. RAM
c. External
d. ROM
Quiz No.7
Give at least one impact on audit in relation to the
changes in business process from manual to automated.
BREAK (15 minutes)
Audit approach in a CIS environment

The audit approach in a CIS environment could be either:

A. Black-box approach (Auditing around the computer)


B. White-box approach (Auditing through the computer)

The Black Box Approach

a. In the black-box approach, or auditing around the computer, the auditor concentrates on input and output and ignores the specifics of how the computer processes the data or transactions.
b. If the input matches the output, the auditor assumes that the processing of the transactions/data must have been correct.
c. Auditing around the computer has the advantage of ease of comprehension, as the tracing of documents to output does not require any in-depth study of the application program.
d. A major disadvantage, however, is that the auditor, not having directly tested the controls, cannot make assertions about the underlying process.

The White Box Approach


a. Not only are the process and the controls surrounding the subject audited, but the processing controls operating over this process are also investigated.
b. In order for the auditor to gain access to these computer processes, audit software may be used. Audit software may typically contain: interactive enquiry facilities to interrogate files; facilities to analyze computer security logs for unusual usage of the computer; the ability to compare source and object (compiled) program codes in order to detect dissimilarities; a facility to execute and observe the computer treatment of "live transactions" by moving through the processing as it occurs; and generation of test data, amongst others.
c. To perform the white-box approach, the auditor needs to have sufficient knowledge of computers to plan, direct, supervise and review the work performed.
d. Areas to be covered in an audit will concentrate on the following controls:
- Input controls
- Processing controls
- Storage controls
- Output controls
- Data transmission controls
e. The auditor will also need to be satisfied that there are adequate controls over the prevention of unauthorized access to the computer and the computerized environment.
f. The auditor should also consider the separation of functions between staff involved in transaction processing and the computerized system, and ensure that adequate supervision of personnel is administered.

White Box Approach vs. Black Box Approach
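
The contrast between the two approaches on one small case, as an added example that is not part of the original slides. `post_sales` is a hypothetical stand-in for the audited application with a constructed missing input control, and all document numbers and amounts are constructed sample data.

```python
# Added illustration; post_sales() is a hypothetical stand-in for the audited
# application. Seeded defect: no input control rejects a negative quantity.

def post_sales(transactions):
    """Hypothetical application logic: returns (ledger, rejected)."""
    ledger, rejected = [], []
    for t in transactions:
        if t["unit_price"] <= 0:      # price validation exists
            rejected.append(t["doc"])
        else:                         # defect: qty is never validated
            ledger.append({"doc": t["doc"], "amount": t["qty"] * t["unit_price"]})
    return ledger, rejected

def black_box_audit(source_docs, ledger):
    """Around the computer: trace source documents to output only."""
    posted = {line["doc"]: line["amount"] for line in ledger}
    exceptions = []
    for d in source_docs:
        expected = d["qty"] * d["unit_price"]   # auditor's own recomputation
        if posted.get(d["doc"]) != expected:
            exceptions.append(d["doc"])
    return exceptions

def white_box_audit(program, test_deck):
    """Through the computer: run test data with predetermined results."""
    ledger, _ = program([case["txn"] for case in test_deck])
    posted = {line["doc"] for line in ledger}
    failures = []
    for case in test_deck:
        doc = case["txn"]["doc"]
        actual = "post" if doc in posted else "reject"
        if actual != case["expect"]:
            failures.append((doc, case["expect"], actual))
    return failures

# Constructed sample data: the period's live sales happen to be all valid.
LIVE_SALES = [
    {"doc": "SI-001", "qty": 10, "unit_price": 250},
    {"doc": "SI-002", "qty": 3, "unit_price": 1200},
]
# Constructed test deck: one valid case plus conditions that must be rejected.
TEST_DECK = [
    {"txn": {"doc": "T-01", "qty": 5, "unit_price": 100}, "expect": "post"},
    {"txn": {"doc": "T-02", "qty": 5, "unit_price": 0}, "expect": "reject"},
    {"txn": {"doc": "T-03", "qty": -5, "unit_price": 100}, "expect": "reject"},
]

if __name__ == "__main__":
    print(black_box_audit(LIVE_SALES, post_sales(LIVE_SALES)[0]), white_box_audit(post_sales, TEST_DECK))
```

On this data the black-box trace reports no exceptions because input reconciles to output, while the test deck shows the negative-quantity case being posted instead of rejected.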


Group Activity

Group A - Inventory Group B - Sales


1. Ara 1. Gene
2. Lycca 2. Maui
3. Ruby 3. Bevs
4. Sweet 4. Renelyn
5. John Carlo 5. Joyce
6. Norine 6. Berna
7. Sherie
Group Activity (20 Minutes)

You are assigned to audit the sales and inventory of KBD Company. KBD uses busykeeper, an online accounting software that the Company uses to process and interpret its daily business operations.

Task No. 1 – Perform an audit using the Black box approach.

Task No. 2 – Perform an audit using the White box approach.

Take note: The presentation must show the detailed trail of the audit using the two approaches. Let's assume that each group has already acquired a complete understanding of the company's accounting software.
Group Activity (20 Minutes)

Discussion of the result of Group activity.


Questions?
THANK YOU!
