John David Alfred Endico

Angel Diana Ferran

Irish Sierra
Jireh Talinio
Rona Villaflor
Audit under Computerised
Information System (CIS)
Environment
1. High Speed
2. Low Clerical Error
3. Concentration of Duties
4. Shifting of Internal Control Base
I. Application Systems Development
II. Systems Software Control
5. Disappearance of Manual Reasonableness
6. Impact of Poor System
7. Exception Reporting
8. Man-Machine Interface / Human-Computer Interaction
High Speed – complex reports in specific report format can be
generated for audit purposes without much loss of time.
Low Clerical Error – computerized operation being a
systematic and sequential programmed course of action the
changes of commission of error is considerably reduced.
Concentration of Duties – computer programs perform more
than one set of activities at a time thereby concentrating the
duties of several personnel involved in the work
Shifting of Internal Control Base
1. Application Systems Development Control
- should be designed to provide reasonable assurance that
they are developed in an authorised and efficient manner,
to establish control, over:
a) testing, conversion, implementation, and documentation
of new revised system.
b) changes to application system.
c) access to system documentation.
d) acquisition of application system from third parties.
Shifting of Internal Control Base
2. Systems Software Control
- are designed to provide reasonable assurance that
system software is acquired or developed in an
authorised and efficient manner including:
a) authorisation, approval
testing, implementation and documentation of new system
software systems software modifications.
b) putting restriction of access to system software
and documentation to authorised personnel.
Disappearance of Manual Reasonableness - shift from
traditional manual information processing environment to
computerised information systems environment
Impact of Poor System - adopting manual operations switch-
over to computerised operations for ensuring performance
quality standards
Exception Reporting - a departure from straight reporting of
all variables
Man-Machine Interface / Human-Computer Interaction – it
ensures maximum effectiveness of the information system
A. Primary Changes
(1) Process of Recording Transactions
(2) From of Accounting Records
(3) Use of Loose-Leaf Stationeries
(4) Use of Accounting Code
(5) Absence of Link Between Transaction
B. Recent Changes
1) Mainframes are substituted by mini/micro users.
2) There is a shift from proprietary operating system to more
universal ones like UNIX, LINUX, Programming in 'C' etc.
3) Relational Date Base Management (RDBMS) are increasingly
being used.
4) The methodology adopted for systems development is
becoming crucial and CASE (Computer Aided Software
Engineering) tools are being used by many organisation.
B. Recent Changes
5) End user computing is on the increase resulting in
decentralized data processing.
6) The need for data communication and networking is
increasing.
7) Common business documents are getting replaced by
paperless electronic data interface (EDI).
8) Conventional data entry giving way to scanner, digitized
image processes, voice recognition system etc.
Based on The knowledge and expertise of Auditors in
handling computerised data, the audit approach in a CIS
environment could be either:
A. A Black-Box Approach
i.e. Auditing around the computer.

B. A White-Box Approach
i.e. Auditing through the computer.
A. A Black-Box Approach
In the Black box approach or Auditing around the computer,
the Auditor concentrates on inputand output and ignores the
specifics of how computer process the data or transactions. If
inputmatches the output, the auditor assumes that the
processing of transaction/data must havebeen correct.
B. A White-Box Approach
The processes and controls surrounding the subject are not
only subject to audit but also the processing controls
operating over this process are investigated. In order to help
the auditor to gain access to these processes computer Audit
software may be used.
A) System configuration
1. Large system computers
2. Stand alone personal computers
3. Network computing system
4. Electronic data interchange (EDI)

B) Processing systems
1. Batch processing
2. On Line Processing System
3. Interactive Processing
4. On-line real time processing
5. Time Sharing
6. Service Bureau
7. Integrated File System
Network
Is a group of interconnected system
sharing services and interacting by a
shared communication links.
 Client Server
 File Server
 Data base Server
 Message Server
 Print Server
 Local Area Network
 Wide Area Network
 Distributed data Processing
 Electronic Data Interchange
(EDI)
1. Occurrence of Transaction
2. Recorded in Transaction File
3. Updation of Master File
4. Generation of Output
On-line Processing
REFERS TO PROCESSING OF INDIVIDUAL
TRANSACTIONS AS THEY OCCUR FROM
THEIR POINT OF ORIGIN.
 “Transaction driven”
A continuous dialogue exists between
the user and the computer.
On-line Processing
REFERS TO PROCESSING OF INDIVIDUAL
TRANSACTIONS AS THEY OCCUR FROM
THEIR POINT OF ORIGIN.
It occurs when a computer processes
transactions of more than one entity.
It occurs when a computer processes
transactions of other entity.
System that solving provided tools to
managers to assist them in solving
semi-structured and unstructured problem.
 The Users
 Data bases
 Planning Language
 Model Base
System that allows non-experts to make
Decision comparable to that of an expert.
 Knowledge Base
 Inference Engine
 Use interface
 Explanation facility
 Knowledge acquisition
Facility
REFERS TO SYSTEMS UPDATE MANY FILES
SIMULTANEOUSLY AS TRANSACTION IS
PROCESSED.
1. Changes to Evidence Collection .
• Accurate and complete operations of a disk drive may require a set of hardware
controls not required in manual
• System development controls include procedures for testing programs that again
not necessary in manual

2. Changes to Evidence Evaluation

• Weather a control is functioning reliably or multifunctioning
• Traceability of control strength and weakness through the system
- Internal control is an essential pre-requisite to efficient and
effective management of any organization.
- Internal control Is a CIS system depends on the same principal as that
of manual system.

BASIC COMPONENTS THAT CAN BE IDENTIFIED IN A CIS ENVIRONMENT

• Hardware
• Software
• People
• Transmission Media
MAJOR CLASSES OF CONTROL THAT THE AUDITOR MUST EVALUATE ARE :
1. Authenticity Controls
2. Accuracy Control
3. Completeness Control
4. Redundancy Control
5. Privacy Control
6. Audit trail Controls
7. Existence Controls
8. Asset safeguarding Controls
9. Effectiveness Controls
10.Efficiency Controls
1. Weather the control is in place and is functioning as desired
2. Generality versus specificity of the control with respect to the various
types of errors and irregularities that might occure
3. Weather the control acts prevent, detect or correct errors
• Preventive controls
• Detective controls
• Corrective controls
4. The number of components used to execute the controls
1.Organization And Management Control – Controls are
designed to establish an organizational framework for
CIS activities
2.Application System Development and Maintenance
Control – To provide reasonable assurance that
systems are developed and maintained in authorized
and efficient manner
3.Computer Operation Controls – To control the
operation of the system and to provide reasonable
assurance.
4. System Software Control – To provide reasonable
assurance that sytem software is acquired or developed in
an authorized and efficient manner
5. Data Entry and Program Control
6. Control Over Input
7. Control Over Processing and Computer Data Files
8. Control Over Output
9. Other Safeguard
1. Skill and Competence
2. Planning
• The CIS infrastructure and application software used by the entity.
• The significance and complexity of computerized processing in each significant
accounting application.
• Determination of the organizational structure of thr client
• The auditor needs to determine the extent of availability of data by reference to
source documents, computer files and other evidential manners.
3. Risk
• Lack of transaction trails .
• Uniform processing of transaction.
• Lack of segregation of functions.
• Potential for errors and irregularities.
4. Risk Assessment - the auditor in accordance with SA 315
“Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and its
Environment” should make an assessment of inherent and
control risk for material financial statement assertions.

5. Documentation - the Auditor should document the audit

plan, the nature, timing and extent of audit procedures
performed and the conclusions drawn from the evidence
obtained.
Review Process
1. Organization Structure / Control
2. Documentation Control
3. Access Control
4. Input Controls
5. Processing Controls
6. Recording Control
7. Storage Control
8. Output Control
1. Organization Structure / Control
1. Data Administrator –Generates the data requirements of the users of informationsystem
services: formulates data policies, plans the evaluation of the Corporate databases, maintains
data documentation.
2. Database Administrator –Responsible for the operational efficiency of corporate database,
assist users to use database better.
3. System Analyst -Manages information requirement for new and existing applications, designs
information systems architectures to meet these requirements, facilitates implementation of
information systems, writes procedures and users documentation.
4. System Programmers -Maintains and enhances operating systems software, network software,
library software, and utility software, provides when unusual systems failure occurs.
5. Application Programmer -Designs programs to meet information requirements, codes, tests
and debugs programs documents programs, modify program to remove errors, improve
efficiency.
6. Operation Specialist - Plans and control day-to-day operations, monitors and improves
operational efficiency along with capacity planning.
7. Librarian - Maintains library of magnetic media and documentation.
2. Documentation Control - Systems and programs as well as
modifications, must be adequately documented and properly
approved before being used: Documentation ordinarily assumes the
following form:
a) A system flowchart;
b) A program flowchart;
c) Program change;
d) Operator instructions;
e) Program description (explaining the purpose for each part of the
program)
3. Access Control
- are usually aimed at for preventing unauthorized access.
• Segragation Controls
• Limited physical access to the computer facility
• Visitor entry logs
• Hardware and software access controls
• Call back
• Encryption
• Computer application controls
4. Input Controls
• Pre-printed Form
• Check Digit
• Completeness Totals
• Reasonableness Checks
• Field checks
• Record Checks
• File checks
5. Processing Controls - are essential to ensure the integrity of data.
(i) Overflow - Overflow can occur if a field used for computation
is not initiated to zero at start.
(ii) Range – An allowable value range can apply to a field
(iii) Sign test – The contents of one record type field might
determine which sign is valid for a numeric field.
(iv) Cross footing – Separate control totals can be developed
for related fields and cross footed at the end of a run.
(v) Run-to-Run Control
6. Recording control
(a) Error Log
(b)Transaction Log
7. Storage control
(a)Physical Protection Against Erasure
(b)External Label
(c)Magnetic Labels
(d)File Back-up Routines
(e)Database Back-up Routines
(f)Cryptographic Storage
8. Output control
• Ensures the results of data processing are accurate , complete
and directed to authorize recipient.
• Uses of CAATs:
 test of details of transactions and balances
 analytical procedures
 test of general controls
 sampling programs to extract data for audit testing
 test of application controls
 reperforming calculations performed by the entity accounting
systems
Packaged Programs
Purpose Written Programs
Utility Programs
System Management Programs
The IT knowledge, expertise, and experience of the audit team
The availability of CAATs and suitable computer facilities and data
The impracticability of manual tests
The Effectiveness and Efficiency
Time constraints
•The Auditor considers the need to:
A.Approve specifications and conduct review of the work to be performed by CAAT;
B. Review the entity’s general controls that may contribute to the integrity of CAAT
C.Ensure appropriate integration of the output by the auditor into the audit process.
•Procedures carried out by the auditor to control CAAT’s applications may include:
(a)Participating in the design and testing of CAAT
(b)Checking, if applicable, the coding of the program
(c)Asking the entity’s staff to review the operating system instructions
(d)Running the audit software on small test files before running it on the main data
files.
(e)Checking whether the correct files were used
(f)Obtaining evidence that the audit software functioned as planned
(g)Establishing appropriate security measures to safeguard the integrity and
confidentiality of the data.
Thank Ya!