
Audit in Computerized Environment 2

1. Auditing in a computerized environment has become more difficult as businesses now process accounting data electronically with little paper trail. This requires auditors to update their audit procedures to accommodate computerized information systems.
2. Computerized information systems have characteristics like a lack of visible transaction trails, ease of access to data, and ability to concentrate duties that increase risks of abuse or fraud compared to manual systems. Proper internal controls are needed when relying on computerized systems.
3. Internal controls in a computerized environment include general controls over organization, system development, access, data recovery, and monitoring. Application controls focus on input, processing, and output controls to ensure validity, completeness and accuracy of data and results.

Uploaded by

Nedelyn Pedrena

Essential Knowledge

1. AUDITING IN A COMPUTERIZED ENVIRONMENT


Businesses nowadays tend to process large amounts of data, including
accounting data that need to be reported as part of the financial statements on a
timely basis. Manual recording of accountable transactions thus becomes
painstaking and expensive for large companies, so some entities have shifted their
investment towards computerized information systems; that is, everything from data
gathering down to the preparation of financial statements is now partially or fully
performed by electronic means. This mechanism enables paperless transactions and so
reduces the audit trail left after every transaction, which makes audit and
verification quite difficult to perform using traditional procedures. The auditor,
needing to keep up with such disruption, must likewise upgrade when performing
audit engagements in entities employing computerized information systems. This ULO
discusses the approaches of an auditor in performing audit procedures in a
computerized environment.

2. CHARACTERISTICS OF COMPUTERIZED INFORMATION SYSTEMS (CIS)


The common characteristics that create a clear distinction between manual and
computerized information systems are as follows:
1. Lack of visible transaction trails. Since data are processed electronically,
processing takes place virtually within the hardware, making it difficult to monitor
using traditional means.
2. Consistency of performance. Computerized systems operate based on the
instructions programmed into them by the user, and thus are able to perform
consistently without the risk of deteriorating performance over a period of
uninterrupted time.
3. Ease of access to data and computer programs. Since the data, the
information and their medium of access are located virtually, they can be
accessed by anyone who knows where they are. Thus, the risk of exposure
of confidential data is maximized because of this feature.
4. Concentration of duties. Segregation of duties is lessened or eliminated under
computerized systems because of their ability to process large amounts of data using
a single workstation only.
5. Systems generated transactions. Some commands or programs encoded within
computerized systems tend to generate transactions automatically without
human intervention.
6. Vulnerability of data and program storage media. Because these data and
storage media are easy to access, they tend to be abused and can be stolen.
Computerized systems are employed by businesses to process data into useful
information in order to gain advantages like consistency of processing, ability to
handle large amounts of data, and fast and accurate processing. Since business is
dependent on this innovation, there is a greater chance of abuse and fraud that could
take place within or around these computer systems. With that, entities are bound to
apply internal controls while using these investments. Since the business applies internal
control, it can be subject to the auditor’s consideration of internal control, especially if
the business relies totally on a computerized system. Thus, there is a need for the
auditor to understand the internal control in a CIS environment.

3. INTERNAL CONTROL IN A CIS ENVIRONMENT


3.1 GENERAL CONTROLS – these are control policies and procedures that relate
to the overall computerized information system. They are also referred to as internal
controls intended for the elements of the computerized information system
(hardware, software, user, data and procedures).
a. Organization controls. These refer to the policies and procedures of the
entity that establish clear assignment of authority and responsibility. This is
the extension of segregation of duties to computerized information
systems. Organization controls have two aspects:
i. Segregation between the CIS department and the user department. The
CIS department should be separate from the user department:
users who facilitate the generation of data for input, and users
who use the information generated as output.
ii. Segregation of duties within the CIS department. The CIS
department should be headed by an executive/manager of the entity,
who exercises control over the CIS operation. The CIS department
should be composed of different divisions segregated according to
their incompatible duties. Incompatible duties include, but are not
limited to, those of the systems analyst, programmer, computer operator,
data entry operator, librarian and control group.
b. Systems development and documentation controls. Entities
employing a CIS should enforce policies and procedures that document
any changes in the system or program, including proper
authorization before implementation. Documentation includes the
system or program installed and its features.
c. Access controls. These refer to policies and procedures which regulate
which personnel should have access to the information system. This
may cover the actual designation of authorized personnel and the use of
user profiles and passwords. It also includes policies and procedures to
secure the hardware infrastructure from physical harm and abuse.
d. Data recovery controls. These refer to the entity’s policies and procedures
for maintaining back-up files and off-site storage
in order to avoid total loss of data and information in cases of
disaster and unforeseen events.
e. Monitoring controls. These refer to the entity’s policies and procedures for
ensuring that CIS controls are working effectively as designed and
implemented.
3.2 APPLICATION CONTROLS – these are control policies and procedures
that relate to the specific use of the system. They are also referred to as internal
controls intended for the components of data processing (input, processing, and
output).
f. Controls over input. These are controls designed to provide reasonable
assurance that data submitted for processing are complete, valid,
properly authorized, reasonable and accurately translated into
machine-readable form. Simply put, these are control mechanisms that ensure
the CIS accepts only valid data for processing into useful information.
These include, but are not limited to:
i. Key verification – an input mechanism which requires data to be
entered twice, usually by two different personnel, to provide
assurance that no key entry errors are committed.
ii. Field check – a mechanism which ensures that input data agree
with the required field format. For example, a mobile phone number
must contain eleven digits starting with 09; any mobile
phone number entered with more or fewer than 11 digits will be
rejected.
iii. Validity check – a mechanism in which the input data are
compared to another source to determine the authenticity of
the input before it is accepted for processing. An example
is the input of an employee ID number and employee’s name,
which, before processing, are first compared to the system’s master
list of all employees’ ID numbers and names to determine whether
the entered data combination (ID and name) is valid or existing.
iv. Self-checking digit – a mathematically calculated digit which
is usually added to a document number to detect common
transposition errors in data submitted for processing.
v. Limit check or reasonableness check – a mechanism designed to
ensure that data submitted for processing do not exceed a
predetermined or reasonable amount. For example, the
maximum amount of withdrawal per transaction in an automated
teller machine (ATM) shall not be more than P10,000, thus inputs
amounting to more than P10,000 will not be processed.
vi. Control totals – these are totals computed based on data
submitted for processing. Control totals ensure the completeness
of data before and after they are processed.
1. Financial totals – sum of the peso amounts in the
documents/transactions
2. Hash totals – sum of the control numbers of the
documents/transactions
3. Record count – total number of documents/transactions
g. Controls over processing. These are controls designed to provide
reasonable assurance that input data are processed accurately, and that
data are not lost, added, excluded, duplicated, or improperly changed
after every process. Almost all input controls mentioned above,
especially control totals, are considered controls over processing.
h. Controls over output. These are controls designed to provide
reasonable assurance that the results are complete and accurate, and
that the results generated are distributed only to the authorized
personnel.
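
The input controls and control totals listed above, applied to one batch, as an added example that is not part of the original module. The master list, the sample batch and all function names are constructed for illustration, and the Luhn (mod 10) algorithm is an assumed choice of self-checking digit, since the text does not name one.

```python
import re
from decimal import Decimal

# Constructed master file for the validity check: employee ID -> name.
EMPLOYEE_MASTER = {"100016": "Juan Dela Cruz", "100024": "Maria Santos"}
LIMIT = Decimal("10000")             # P10,000 ceiling from the ATM example
MOBILE = re.compile(r"09[0-9]{9}")   # field format: 11 digits starting with 09

def check_digit(payload):
    """Luhn (mod 10) check digit; the choice of algorithm is an assumption."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def self_check(number):
    """True when the last digit matches the digit computed from the rest."""
    return (number.isascii() and number.isdigit() and len(number) > 1
            and check_digit(number[:-1]) == number[-1])

def input_errors(txn):
    """Names of the input controls that a transaction fails."""
    errors = []
    if not self_check(txn["doc_no"]):
        errors.append("self-checking digit")
    if MOBILE.fullmatch(txn["mobile"]) is None:
        errors.append("field check")
    if EMPLOYEE_MASTER.get(txn["emp_id"]) != txn["name"]:
        errors.append("validity check")
    if txn["amount"] > LIMIT:
        errors.append("limit check")
    return errors

def screen(batch):
    """Split a batch into accepted transactions and rejected ones with reasons."""
    accepted, rejected = [], {}
    for txn in batch:
        errors = input_errors(txn)
        if errors:
            rejected[txn["doc_no"]] = errors
        else:
            accepted.append(txn)
    return accepted, rejected

def control_totals(batch):
    """Financial total, hash total and record count for a batch."""
    return {
        "financial": sum((t["amount"] for t in batch), Decimal("0")),
        "hash": sum(int(t["doc_no"]) for t in batch),
        "count": len(batch),
    }

def reconcile(expected, batch):
    """Names of the control totals that no longer agree with the batch header."""
    actual = control_totals(batch)
    return [name for name in expected if expected[name] != actual[name]]

def make_txn(doc_no, emp_id, name, mobile, amount):
    return {"doc_no": doc_no, "emp_id": emp_id, "name": name,
            "mobile": mobile, "amount": Decimal(amount)}

# Constructed sample batch: one clean record, one transposed document number
# (45138 keyed as 45318), one record failing three checks, one at the limit.
BATCH = [
    make_txn("45120", "100016", "Juan Dela Cruz", "09171234567", "5000"),
    make_txn("45318", "100024", "Maria Santos", "09171234567", "2500"),
    make_txn("45146", "100024", "Juan Dela Cruz", "0917123456", "12000"),
    make_txn("45153", "100016", "Juan Dela Cruz", "09181234567", "10000"),
]

if __name__ == "__main__":
    accepted, rejected = screen(BATCH)
    print("rejected:", rejected)
    header = control_totals(accepted)            # totals taken before processing
    print("after losing a record:", reconcile(header, accepted[:1]))
```

A substituted record with the same amount leaves the financial total and record count unchanged, so only the hash total exposes it; that is the reason to carry all three totals through processing.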
4. TEST OF CONTROL IN A CIS ENVIRONMENT
The internal controls in a CIS environment discussed previously are an
additional concept that the auditor should consider when assessing control risk in the
audit of financial statements prepared with a computerized information system. Aside
from this additional internal control element, once the auditor has documented his/her
understanding of the entity’s internal control, has assessed control risk at a low level,
and plans to rely on the entity’s internal control when performing substantive tests, the
auditor should perform a test of control to challenge whether the internal control as
designed and implemented is really effective. However, the test of control for entities with
a CIS is performed with a different approach, since a CIS usually processes data with
no audit trail to trace or walk through. Still, the auditor’s objectives and the scope of the
audit do not change in a CIS environment.
When performing a test of control, the auditor should test the two aspects of
internal control in a CIS environment: general controls and application controls. When
testing the reliability of general controls, the auditor should perform a combination of the
following: inquiry of relevant personnel involved in the CIS environment; observation
of the client’s personnel in performing their duties and of the security measures in force; and
inspection of program documentation. In testing application controls, on the other
hand, the auditor may either perform audit around computer or use
computer-assisted audit techniques (CAATs).

5. AUDIT AROUND COMPUTER


This approach is like testing controls in a manual information system, in that it involves
the examination of documents and reports to determine the reliability of the system. When
using this approach, the auditor ignores the client’s data processing
procedures/system, focusing solely on the input and the CIS output. Audit around
computer, however, can be used by auditors only if there are visible input documents
and detailed output that enable the auditor to trace individual transactions back and
forth. This procedure is also known as the “black box” approach.

6. COMPUTER-ASSISTED AUDIT TECHNIQUES (CAATS)


Generally, CAATs refer to data, procedures or software, generally using a
computer or computer-generated information, that assist the auditor in performing
audit procedures, including tests of control and substantive tests. CAATs used in
testing application controls focus on testing the “process” aspect, rather than the input
and output, of the entity’s computer information systems. This technique is used when
the client’s CIS performs tasks for which visible evidence or an audit trail is not available.
Consequently, the auditor will have to audit the client’s computer program directly
using CAATs. This procedure is also known as the “white box” approach.
Below are the CAATs commonly used by the auditor for testing application
controls:
Test data
Mechanics: A technique which uses DATA prepared by the auditor. The test data
consist of valid and invalid input transactions, which the auditor uses to test how
correctly the CIS handles valid and invalid conditions as they arise. A copy of the
software used by the client is obtained separately by the auditor, who administers
the testing in a separate environment, away from the actual operations of the
client’s CIS.
Advantage/s: The cost of performing the procedure is very low, since the auditor only
prepares data for input containing either valid or invalid conditions.
Disadvantage/s: The risk that the version of the software provided by the client for
testing is different from, or an obsolete version of, what is actually used by the entity
to generate the financial statement under audit.

Integrated test facility (ITF)
Mechanics: A technique in which the auditor uses both DATA and PROCEDURE to perform
the test of control. With the same objective, the auditor creates a dummy or fictitious
employee, or other appropriate unit, and discreetly tests the entity’s CIS using test
data to determine how the CIS handles valid and invalid conditions.
Advantage/s: Remedies the disadvantage of the “test data” technique, since the auditor
integrates the processing of test data with the actual processing of ordinary
transactions without management being aware of the testing process. This provides
assurance that the program/software subjected to the test of control is the same
program/software actually used by the client in processing the transactions reflected
in the financial statement under audit.
Disadvantage/s: The risk that the auditor might not be able to reverse the test
transactions entered in the client’s CIS, thus contaminating the information generated.

Parallel simulation
Mechanics: A technique in which the auditor uses SOFTWARE to perform the test. The
auditor is required to write a program that simulates key features or processes of the
program/software under review. The auditor then takes the transactions previously
processed by the client and inputs them into the auditor’s program, thus reprocessing
them. The auditor then compares the output generated by his program against the output
generated by the client’s program under review. Parallel simulation can be accomplished
by using Generalized Audit Software (GAS) or purpose-written programs.
Advantage/s: Remedies the disadvantage of the “integrated test facility”, since the
auditor uses his/her own auditing software and the client’s previously processed data,
thus avoiding the risk of contaminating the client’s information system.
Disadvantage/s: The risk that the auditor’s program fails to simulate the key features
of the client’s program. Also, performing parallel simulation is very expensive, and thus
can only be afforded by large auditing firms.
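
Parallel simulation as described above, sketched as an added example that is not part of the original module. The payroll rule (overtime above 40 hours at 1.25 times the rate), the sample data and the function names are assumptions made for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def simulate_gross(hours, rate,
                   ot_threshold=Decimal("40"), ot_factor=Decimal("1.25")):
    """Auditor's own version of the pay rule (threshold and premium assumed)."""
    regular = min(hours, ot_threshold)
    overtime = max(hours - ot_threshold, Decimal("0"))
    gross = regular * rate + overtime * rate * ot_factor
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(inputs, client_output):
    """Reprocess the client's inputs and list every difference from its output.

    Each exception is (employee, finding, auditor amount, client amount).
    """
    exceptions = []
    for emp_id, (hours, rate) in sorted(inputs.items()):
        expected = simulate_gross(hours, rate)
        if emp_id not in client_output:
            exceptions.append(
                (emp_id, "missing from client output", expected, None))
        elif client_output[emp_id] != expected:
            exceptions.append(
                (emp_id, "amount differs", expected, client_output[emp_id]))
    # Output with no matching input points to an added or generated record.
    for emp_id in sorted(set(client_output) - set(inputs)):
        exceptions.append(
            (emp_id, "no supporting input", None, client_output[emp_id]))
    return exceptions

# Constructed data: transactions the client already processed (hours, rate) ...
INPUTS = {
    "E01": (Decimal("40"), Decimal("100.00")),
    "E02": (Decimal("45"), Decimal("120.00")),
    "E03": (Decimal("38.5"), Decimal("95.50")),
    "E04": (Decimal("40"), Decimal("110.00")),
}
# ... and the gross pay the client's program reported for them.
CLIENT_OUTPUT = {
    "E01": Decimal("4000.00"),
    "E02": Decimal("5400.00"),   # overtime paid at the straight rate
    "E03": Decimal("3676.75"),
    "E05": Decimal("4400.00"),   # paid, but no input transaction exists
}

if __name__ == "__main__":
    for finding in parallel_simulation(INPUTS, CLIENT_OUTPUT):
        print(finding)
```

Every exception needs follow-up in both directions: a difference may come from the client's program or, per the disadvantage noted above, from the auditor's program failing to simulate a key feature.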

The abovementioned CAATs are usually performed at a certain time during
audit planning. However, the auditor can agree with the client to integrate audit
software in the development of their CIS. This is to provide assurance that the
application controls are functioning effectively throughout the accounting period which
eventually leads to the preparation of the financial statement. These CAATs
differ from the above CAATs in that they are integrated into the client’s CIS in
the first place and perform tests throughout the period. Other CAATs include:
1. SNAPSHOT. Software embedded in the client’s CIS which captures the
transactions generated/performed through the system and converts them into a
user-readable format to be used by the auditor at the start of the audit
engagement.

2. SYSTEM CONTROL AUDIT REVIEW FILES (SCARF). Software embedded
in the client’s CIS which performs continuous monitoring of the system
transactions. Any transactions that are anomalous or carry a potential risk of
material misstatement are virtually logged and compiled into a special computer
file for the auditor to examine.

Self-Help: You can also refer to the source below to help you further
understand the lesson.

*Cabrera, M.E.B. (2015). Systems controls and security measures in a computerized
accounting information system, Management Consultancy Principles and
Engagements (2015 Ed., pp. 733-745). Manila: GIC Enterprises & Co., Inc.

Let’s check

Activity 1. Multiple choice questions. Choose the letter of the best answer.
1. Which attribute below relates more to computer processing than manual
processing?
a. There is always an assurance that complete transaction trails useful for
audit purposes are preserved for indefinite purpose.
b. Control procedures as to segregation of functions may no longer be
necessary.
c. The likelihood of clerical errors is increased.
d. Similar transactions are uniformly subjected to similar instructions.

2. Manual elements in internal control may be more suitable where judgment and
discretion are required such as for the following circumstances (choose the
exception):
a. Circumstances where errors are difficult to define, anticipate or predict
b. In changing circumstances that require a control response outside the
scope of an existing automated control
c. In monitoring the effectiveness of automated controls
d. High volume or recurring transactions

3. Computer systems are typically supported by a variety of utility software
packages that are important to an auditor because they
a. May enable unauthorized changes to data files if not properly
controlled.
b. Are very versatile programs that can be used on hardware of many
manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.

4. Using microcomputers in auditing may affect the methods used to review the
work of staff assistants because
a. The audit fieldwork standards for supervision may differ.
b. Documenting the supervisory review may require assistance of
consulting services personnel.
c. Supervisory personnel may not have an understanding of the
capabilities and limitations of microcomputers.
d. Working paper documentation may not contain readily observable
details of calculations.

5. General IT-controls do not include
a. Data center, network operations and hardware controls
b. Application system acquisition, development, and maintenance
c. Program changes and access security
d. Controls on procedures used to initiate, record, process and report
transactions or other financial data
6. Which function or activity is not performed in the user department?
a. Initiation and authorization of changes to computer records and files
b. Initiation of changes to current applications
c. Conversion of data to machine-readable format
d. Correction of errors on transactions

7. The management of ABC Co. suspects that someone is tampering with pay
rates by entering changes through the Co.’s remote terminals located in the
factory. The method ABC Co. should implement to protect the system from
these unauthorized alterations to the system’s files is
a. Batch totals
b. Checkpoint recovery
c. Passwords
d. Record count

8. Which of the following passwords would be most difficult to crack?
a. 1stSMURF>?Vladz
b. Ambotsimu
c. 12 HOUSE 24
d. pass56word

9. Which is most likely correct about “whitebox audit” or “auditing through the
computer”?
a. It is more appropriate for a system that performs relatively
uncomplicated processes and produces detail output.
b. It does not detect program errors which do not show up in the output
sampled.
c. It permits no direct assessment of actual processing
d. The focus is more on the processing rather than the input and output
components of the system.

10. Which of the following is an example of auditing “around” the computer?
a. The auditor traces adding machine tapes of sales order batch totals to
a computer printout of the sales journal.
b. The auditor develops a set of hypothetical sales transactions and, using
the client’s computer program, enters the transactions into the system
and observes the processing flow.
c. The auditor enters hypothetical transactions into the client’s processing
system during client’s processing of live data.
d. The auditor observes client personnel as they process the biweekly
payroll. The auditor is primarily concerned with computer rejection of
data that fails to meet reasonableness limits.

11. When an auditor tests a computerized accounting system, which of the
following is true of the test data approach?
a. Several transactions of each type must be tested.
b. Test data are processed by the client’s computer programs under the
auditor’s control.
c. Test data must consist of all possible valid and invalid conditions.
d. The program tested is different from the program used throughout the
year by the client.

12. An auditor most likely would introduce test data into a computerized payroll
system to test controls related to the
a. Existence of unclaimed payroll checks held by supervisors
b. Early cashing of payroll checks by employees
c. Discovery of invalid employee I.D. numbers
d. Proper approval of overtime by supervisors

13. An ITF would be appropriate when the auditor needs to
a. Trace a complex logic path through an application system
b. Verify processing accuracy concurrently with processing
c. Monitor transactions in an application system continuously
d. Verify load module integrity for production programs

14. Which of the following methods of testing application controls utilizes a
generalized audit software package prepared by the auditors?
a. Parallel simulation
b. Exception report tests
c. Integrated test facility
d. Test data approach

15. Which of the following combinations is correct?
a. Integrated test facility: test data, live program; Test data: test data, test program; Parallel simulation: live data, test program
b. Integrated test facility: live data, live program; Test data: live data, test program; Parallel simulation: test data, test program
c. Integrated test facility: live data, test program; Test data: test data, test program; Parallel simulation: test data, test program
d. Integrated test facility: test data, live program; Test data: test data, live program; Parallel simulation: live data, test program

16. Which of the following input controls describes a “self-checking digit”?
a. Data need to be entered twice to assure no commitment of error
b. Data need to be in a required field format field check
c. Data need to be complete before and after processing
d. Data need to be added with a mathematically calculated digit to detect
transposition errors

17. Which of the following is an example of a validity check?
a. The computer ensures that a numerical amount in a record does not
exceed some predetermined amount.
b. As the computer corrects errors and data are successfully resubmitted
to the system, the causes of the errors are printed out.
c. The computer flags any transmission for which the control field value
did not match that of an existing file record.
d. After data for a transaction are entered, the computer sends certain
data back to the terminal for comparison with data originally sent.

18. A customer intended to order 100 units of product Z96014, but incorrectly
ordered non-existent product Z96015. Which of the following controls most
likely would detect this error?
a. Check digit verification
b. Record count
c. Hash total
d. Redundant data check

19. The employee entered “40” in the “hours worked per day” field. Which check
would detect this unintentional error?
a. Numeric/alphanumeric check
b. Sign check
c. Limit check
d. Missing data check

20. An auditor who wishes to capture an entity’s data as transactions are
processed and continuously test the entity’s computerized information system
most likely would use which of the following techniques?
a. Snapshot application
b. Embedded audit module
c. Integrated data check
d. Test data generator
