Audit in CIS Environment

What are Computerized Information Systems?

Computerized Information Systems (CIS) is the

application of technology in managing the needs
of businesses

It is a system that is composed of people and

computers that processes or interprets information.
CIS vs Manual
Accounting
Manual Accounting
Computerized Accounting
Characteristics of Computerized Accounting Systems

• Lack of Visible Transaction Trail

• Consistency of Performance
• Ease of Access to Data and Computer Program
• Concentration of Duties
• System Generated Transactions
• Vulnerability of Data and program storage media
 Internal Control in a CIS Environment

Internal controls are the mechanisms, rules, and procedures

implemented by a company to ensure the integrity of financial
and accounting information, promote accountability, and
prevent fraud.
Internal Control in a CIS Environment

General Controls

Application Controls
General Controls

 Organizational Controls
 Systems Development and Documentation Control
 Access Controls
 Data Recovery Controls
 Monitoring Controls
General Controls

1. Organizational Controls

a. Segregation of duties between the CIS department and the

user department.

b. Segregation of duties within the CIS department

Segregation of duties within the CIS department

• CIS Director - governs all CIS operation

SYSTEMS DEVELOPMENT TEAM

• Systems Analyst - design and develop

software and computer systems. They
also improves existing systems.
(Formulation and thinking)

• Programmer – guided by the

specification of system analysts
responsible for implementing designs
by writing computer programs.
(Execution of the program)
Segregation of duties within the CIS department

COMPUTER OPERATIONS TEAM

• Data Entry Operator - prepares and

verify input data for processing

• Computer Operator- operates the

computer to process transactions
Segregation of duties within the CIS department

OTHER FUNCTIONS

• Librarian - maintains custody of systems

documentation , programs, and files

• Control Group- review input

procedures, monitor computer
processing, follows up data processing
error etc. (Audit)
General Controls

2. Systems Development and Documentation Control

• The accounting software developed by the systems development

team must be tested, modified and approved by the appropriate
level of management

• There should be proper system documentation

General Controls

3. Access Control

• Systems should have adequate security controls The computer

should only be accessed by authorized individuals
General Controls

4. Data Recovery Control

• Data recovery is the process of restoring data that has been lost,
accidentally deleted, corrupted or made inaccessible. In
enterprise IT, data recovery typically refers to the restoration
of data to a desktop, laptop, server or external storage system
from a backup
General Controls

5. Monitoring Controls

• Ensures that CIS Controls are working effectively as

planned .
Internal Control in a CIS Environment

General Controls

Application Controls
Transaction Processing in CIS Environment

Process
Input
(User)
(Computer/ Output
Program)
Application Controls

 Input Controls
 Processing Control
 Output Control
Application Controls
1. Input Controls
 Key Verification
 Field Check
 Integrity test/ Validity Check
 Self Checking Digit/Check Digit
 Limit Check
 Control Totals /Batch Input Totals
 Financial Totals
 Hash Totals
 Record Counts
Batch Processing vs Real time processing
Batch Processing vs Real time processing
Application Controls

2. Processing Controls
 Integrity test/ Validity Check (input control)
 Sequence Test
 Input Control totals verification (Input control)
 Label Check
 Limit and Reasonable checks (input control)
 Matching Control
Application Controls
3. Output Controls
 Visual review of the output
 Output comparison to original documents
 Output distribution control (authorized people
only)
Methods for Audit Computerized Information System (CIS)

 Auditing around the computer (Blackbox Approach)

 Auditing through the computer (White Box

Approach/CAATS)
Auditing through the computer

CAATs - Computer-Assisted Auditing Techniques

I. Program Testing
a. Historical Audit Techniques
b. Continuous Audit techniques
II. Program Analysis

III.Review of operating system and other system

software
Auditing through the computer

I. Program Testing
a. Historical Audit Techniques

 Test Data Approach

 Integrated Test Facility
 Parallel Simulation
 Controlled Reprocessing
Test Data Approach
Test Data Approach
Integrated Test Facility (Embedded Audit Module Approach)
Parallel Simulation
Parallel Simulation
Parallel Simulation
Parallel Simulation
Controlled Reprocessing

A variation of parallel simulation, it involves processing of

actual client data through a copy of the client’s
application program
Controlled Reprocessing

CONTROLLED REPROCESSING

Client’s
Program
Copy
Auditing through the computer
CAATs - Computer-Assisted Auditing Techniques

I. Program Testing
a. Historical Audit Techniques
b. Continuous Audit techniques
II. Program Analysis
III. Review of operating system and other system
software
Auditing through the computer

I. Program Testing
b. Continuous audit techniques (Concurrent Auditing)

 Audit Modules
 Systems control audit review files (SCARFs)
 Audit Hooks
 Transaction tagging
 Extended records
Audit Modules

Audit modules – an audit system that is inserted into the client's

system so that it can apply audit procedures to data as it is being
processed
System Control Audit Review Files - SCARF

 It involves embedding audit software modules within a host

application system (client’s program) to provide continuous
monitoring of the system’s transactions (logs)

 log that collects transaction information for subsequent review

and analysis by the auditor
Audit Hooks

Audit hooks are embedded in application system to capture exceptions or

suspicious transactions

The software tags transactions reports (list) are immediately generated

and sent to the auditors
Transaction Tagging

Transaction tagging is where a transaction record is "tagged" and then

traced through critical points in the information system
Extended Records

This technique attaches additional audit data which would not otherwise
be saved to regular historic records and thereby helps to provide a more
complete audit trail
Auditing through the computer

II. Program Analysis

 Code Review
 Comparison Programs
 Program Tracing and Mapping
 Flowcharting software
 Snapshot
Code Review

 This involves
actual analysis of
the logic of the
program’s
processing
routines.
Comparison Programs

 Programs that
allow the auditor
to compare
computerized
files
Program tracing and mapping

 Tracing is a technique in
which each instruction
executed is listed along
with control information
impacting that instruction.
 Mapping identifies sections
of code that can be
“entered” and thus are
executable.
Flowcharting software

 Used to produce a
flowchart of a
program’s logic and
may be used both
in mainframe and
microcomputer
environments.
Snapshots

 Snaps (pictures)
are taken when a
transaction
moves through
the various stages
in the application
system
Auditing through the computer

III. Review of operating system and other system

software

 Job Accounting Data/ Operating Systems Logs

 Library Management Software
 Access Control and Security Software
Job Accounting Data/ Operating Systems Logs

 These logs that track particular functions (job). The auditor may
be able to use them to review the work processed, to determine
whether unauthorized applications were processed and to
determine that authorized applications were processed properly
Library Management Software

 This creates logs of activities occurring in the data library. These

library logs contain information on the programs, data files
accessed, changes made to programs.

 This also provide other security or access control functions, which

could include encryption or, more frequently, the use of
passwords to restrict access to programs in the library.
Access Control and Security Software

 This restricts access to computers to authorized personnel

through techniques such as only allowing certain users with
“read-only” access or through use of an encryption
Computerized Audit Tools

 Generalized audit software

 Automated workpaper software
 Electronic spreadsheets
 Database management systems
 Text retrieval systems
 Word processing software
Generalized audit software

Package programs (generalized audit software)

1. Reading and extracting computer files

2. Selecting samples (criteria)
3. Performing calculations (recalculations)
4. Creating data files
5. Printing reports in an auditor-specified format
Automated Workpaper Software

Designed to generate a trial balance, lead schedules, and

other reports useful for the audit. The schedules and reports
can be created once the auditor has either manually entered or
electronically imported through using the client’s account
balance information into the system
Electronic Spreadsheets

Contain a variety of predefined mathematical operations and

functions that can be applied to data entered into the cells of a
spreadsheet
Database management systems

Database management software manages the creation,

maintenance, and processing of information. The data are
organized in the form of predefined records, and the database
software is used to select, update, sort, display, or print these
records
Database management systems - Examples
Text Retrieval Systems

Text retrieval systems allow the user to view any text that is
available in an electronic format.
Text Retrieval Systems
Word Processing Software

Word processing is the use o f computer software to produce a

text manuscript.
Word Processing Software