Audit under Computerized Information System (CIS)

Environment
Scope of Audit in a CIS Environment
(1) High speed - information can be generated very quickly. Cut down the time. Enables the
auditor to extend their analytical review. Auditor can expand their substantive procedures for
collection of more evidence in support of their judgement.
(2) Low clerical error - Systematic and sequential programmed course of action. Commission of
error is considerably reduced. Clerical error is highly minimized.
(3) Concentration of duties - Separate individuals = 1 Individual. Computer programs perform
more than one set of activities at a time thereby concentrating the duties of several personnel
involved in the work.
(4) Shifting of internal control base
(i) Application systems development control - Designed to provide reasonable assurance that
they are developed in an authorised and efficient manner, to establish control, over:
Implementation(
(
Conversion(
(
Testing(and((
Changes(to(( (
application( Acquisition(of(( Documentation(( Access(to(system(
( documentation
system application(
system(( of(new(revised(
from(third(parties( system
(ii) Systems software control - Designed to provide reasonable assurance that system software
is acquired or developed in an authorised and efficient manner including:

Implementation(
(
Conversion(
(
Testing(and((
( Putting(restriction(of(access(to((
Authorization+ 1.(system(software(and((
! 2.(documentation((
of(new(system( to(authorized(personnel
software+modifications!

(5) Disappearance of manual reasonableness - Detailed analysis of the physical system for
transformation into a logical platform. Logical models deletes many stages required under manual
operations to create a focused computer system.
In such creative effort, the manual reasonableness may be missing.
(6) Impact of poor system - If system analysis and designs falls short of expected standard of
performance, a CIS environment may do more harm to integrated business operation than good.
Thus, take care and precaution
(7) Exception reporting - Part of MIS. Exception Reporting is a departure from straight reporting
of all variables. Reported if it lies outside some pre-determined normal range. Main strength is
recognition that to be effective, information must be selectivity provided.
(8) Man-machine interface / human-computer interaction
Organisation concentrated on presenting information in the most uncluttered way to users.
Determine what information was necessary to achieve.
 Impact(of(Changes(on(Business(Processes

Primary(Changes( Recent(Changes(

Mainframes!TO(mini/micro!users.!
Earlier!recording!was!completed!
by!Use(of(looseCleaf(stationeries.( Proprietary!operating!system!TO(
more!universal!ones!like!UNIX,!
LINUX,!Programming!in!'C'!etc.!
Now!Process(of(recording( Common!business!documents!TO
transactions(has!gonethrough a! paperless!EDI!
change.
Conventional!data!entry!TO(
scanner,!digitized!image!
Use(of(accounting(code( processes,!voice!recognition!
system!etc.!
RDBMS!are!increasingly!being!
Thus!changing!the!Form(of( used.!
accounting(records from!manual!
records!to!automated!through! Use of!CASE!tools!by!many!
Punch!card!installation!or! organisation.!(SDLC)
electronic!data!processor. Increasing!need!for!data!
communication!and!networking
Absence(of(link(between( End!user!computing!is!on!the!
transaction( increase!resulting!in!
decentralized!data!processing.!
The impact of all such change on auditing may be summarised as:
(a) wide-spread end-user computing may result in unintentional errors creeping into systems
owing to inept handling. Also coordinated program modification may not be possible.
(b) improper use of DSS can have serious repercussion. Also their underlying assumption must be
clearly documented.
(c) Usage of sophisticated audit software would be a necessity.
(d) Auditors non-participation at System Development Life Cycle State (SDLC) pose considerable
problem in understanding the operational controls.
(e) Data communication and networking would introduce new audit risk.
(f) The move toward paperless EDI would eliminate much of the traditional audit trail radically
changing the nature of audit trails.
Audit Approaches in a CIS Environment
A Black-box approach i.e., Auditing around the computer, or

A White-box approach i.e., Auditing through the computer.

Effect of Computers on Internal Controls

Segregation of Duties
Delegation of Authority and Responsibility Management ee 100 competent & trustworthy
personnel ne hire karya.
Competent and Trustworthy Personnel
Adequate Documents and Records
50 ne kidhu ke adequate documents ane
System of Authorisation records maintain karo ne authorisae karo.
Physical Control over Assets and Records 50 ne kidhu ke physical control over assets &
Comparing Recorded Accountability with reocrds rakho.
Assets Ame compare karsu recorded accountability
Adequate Management Supervision with assets.

Independent Checks On Performance Supervision & Independent Checks on

Performance bhi rakhsu.
 Effects(of(Computers(on(Auditing(

Changes(to(Evidence(Collection( Changes(to(Evidence(Evaluation(

Collecting!evidence!on!the!reliability!of!a!
computer!system!VS collecting!evidence!
on!the!reliability!of!a!manual!system.! Evaluate!the!consequences!of!strength!
and!weaknesses!of!control!mechanism!
for!placing!overall!reliability!on!the!
Auditors!face!complex controls!like: system.!
Disk!drive!may!require!a!set!of!hardware! Auditors!need!to!understand
controls!not!required!in!manual!system,! Whether!a!control!is!functioning!reliably?
System!development!control not! Traceability!of!control!strength!and!
necessary!in!manual!control.! weakness!through!the!system
Errors!in!computer!system!
Hardware!and!Software!develop!quite! 1. tend!to!be!deterministic,!i.e.,!an!
rapidly. Unless!auditor's!keep!up,!it!will! erroneous!program!will!always!execute!
become!difficult!to!evaluate!the!reliability! data!incorrectly.!
systems
2.!Errors!are!generated!at!high!speed
Collection!of!audit!evidence!through!
digital!means!difficult!due!to! 3.!Cost!and!effort!to!correct!and!rerun!
Development!of!control!technology! program!may!be!high.!
Collection!of!audit!evidence!through! 4.!Errors!in!computer!program!involve!
manual!means!is!not!possible.! extensive!redesign!and!reprogramming.!
Hence,!auditors!have!to!run!through! Such!internal!controls!should!be!designed!
computer!system!themselves!to!collect! implemented!and!operated!that!ensure!
the!necessary!evidence.! reliability.!
Generalized!audit!softwares, available!yet! The!auditors!must!ensure!that!these!
not!not!relaible.! control!are!in!existence,!functioning and!
sufficient.
Often!auditors!forced!to!compromise!in!
some!way!in!evidence!collection!
Internal Controls in a CIS Environment

Basic!
components!in!a!
CIS!environment

Transmission!
Hardware! Software! People!
media!

C - Completeness Control

A - Authenticity Control
- Accuracy Control
- Audit Trail Control
- Asset Safeguarding Control

R - Redundancy Control

P - Privacy Control

E - Existence Control
- Effectiveness Control
- Efficiency Control

T
Consideration of Control Attributes by the Auditors
Existence Whether the control is in place and is functioning as desired.

Nature Generality versus specificity of the control

General Control Reduce the effect of a wide variety of errors and
irregularities

Specific Control Reduce the effect of a narrow variety of errors and

irregularities

Task Whether the control acts to prevent, detect or correct errors. The auditor
focuses here on-
(i) Preventive controls: Stop errors or irregularities from occurring.
(ii) Detective controls: Identify errors and irregularities after they occur.
(iii) Corrective controls: Remove effects of errors and irregularities after they
have been identified.
Higher preventive controls Early stages of processing
More detective & corrective controls Later stages in system processing

Components The number of components used to execute the control. Multi-component

controls are more complex and more error prone but they are usually used to
handle complex errors and irregularities.
 Organisation(and( Purpose:!Establish!an!org!framework!for!CIS!activities!including:!
Management( (a)! Policies!and!procedures!relating!to!control!functions.!
Control( (b)! Appropriate!segregation!of!incompatible!functions.!

Application(System(
Development(and( Refer Diagram!1
Maintenance(
Control(
Internal(Control(Requirement(under(CIS(Environment(

System(Software( Refer!Diagram 2
Control(

Purpose!:!control!the!operation!of!the!system!&!provide!reasonable!assurance!
that:!
Computer(Operation( (a)! the!systems!are!used!for!authorised!purposes!only.!
Controls( (b)! Restricted!access!of!computer!operation!to APersonnel
(c)! only!authorised!programs!are!to!be!used.!
(d)! processing!errors!are!detected! and!corrected.!

Purpose: Provide!reasonable!assurance:!
Data(Entry(and( (a)! an!authorisation!structure!established over!transaction!sentry!into!system
Program(Control (b)! access!to!data!and!program!is!restricted!to!AP.!

Purpose: Provide!reasonable!assurance:!
(a)! transactions! properly!authorised!before!being!processed!by!the!computer.!
(b)! transactions! conv!into!machine!readable!form!&!recorded!in!the!comp!data!
Control(over(Input( files.!
(c)! transaction!not!lost,!added,!duplicated!or!improperly!changed.!
(d)! incorrect!are!rejected,!corrected!and!if!necessary,!resubmitted!on!a!timely!
basis.!

Purpose: Provide!reasonable!assurance:!
Control(over( (a)! transactions!are!properly!processed!by!the!computer.!
Processing(and( (b)! transaction!are!not!lost,!added!duplicated!or!improperly!changed.!
Computer(Data(Files (c)! processing!errors!are!identified!and!corrected!on!a!timely!basis.!

Purpose: Provide!reasonable!assurance:!
(a)! results!of!processing!are!accurate.!
Control(over(Output( (b)! access!to!output! is!restricted!to!authorised!personnel.!
(c)! output!is!provided!to!appropriate!authorised!personnel!on!a!timely!basis.!

(a)! Offsite!backJup!of!data!and!program.!
(b)! Recovery!procedures!for!use!in!the!event!of!theft,!loss!or!intentional!or!
Other(Safeguards( accidental!destruction.!
(c)! Provision!of!offsite!processing!in!the!event!of!disaster.!
!
!

Auditing(in(a(CIS(Environment(

Skill(and(
Planning( Risk( Risk(Assessment(
Competence(

SA!315!:!Assessment!of!
inherent!&!control!risk!
Auditors! for!material!financial!
understanding!the! statement!assertions.!
process!would!include!
An!auditor!should!have! Risk!may!result!from!
(a)! The!CIS! deficiencies!inJ
sufficient!knowledge!of! infrastructure! Lack!of!Transaction!
the!CIS!to!plan,!direct,! (components).! Trails! (a)! Program!
supervise!control!and! development!and!
review!the!work! (b)! The!significance! Uniform!processing!of! maintenance;!
performed.! (materiality!of!the! Transactions!
financial!statement! (b)! System!software!
Lack!of!Segregation!of! support;!
assertions!affected!by! functions!
The!sufficiency!of! the!computerized! (c)! Operations;!
knowledge!would! processing)!and! Potential!for!errors!
depend!on!the!nature! complexity!of! and!Irregularities! (d)! Physical!CIS!
and!extent!of!the!CIS! computer!processing! Initiation!or!Execution! security;!
environment.! in!each!application,! of!Transactions! (e)! Control!over!access!
(c)!Organizational! Dependence!of!Other! to!specialized!utility!
structure!of!the!client;! Controls!over! programs.!
The!auditor!should!
consider!whether!any! (d)!Extent!of! Computer!Processing! Negative!impact!on!all!
specialized!CIS!skills! availability!of!data!by! Increased! application!systems!
are!needed!in!the! reference!to!source! management! that!are!processed!
conduct!of!the!audit.!If! documents,!computer! Supervision! through!the!computer.!
the!answer!is!in! files!and!other! Risk!may!also!increase!
affirmative!the!auditor! Use!of!Computer!J
evidential!matters.! Assisted!Audit! the!potential!for!errors!
would!seek!the! or!fraudulent!activities!
assistance!of!an!expert! Techniques!
inJ
possessing!such!skills.! to!plan!the!audit!&!
determine!nature,! (a)! Specific!
timing!&!the!extent!of! applications,!
audit!procedures.! (b)! Specific!data!base!
or!master!files,
(c)! Specific!processing!
 Review(of(Checks(and(Controls(in(a(CIS(Environment((I)(

Organization( Documentation(
Access(Control( Input(Controls(
Structure(/(Control( Control(

PreJprinted!form!
Check!Digit!
Completeness!Totals!
(i)!Batch!Control!Totals
Segregation!Controls! (ii)! Batch!Hash!Total
Limited!Physical!Access!to! (iii)!Batch!Record!Totals
Data!Administrator the!computer!Facility! (iv)!Sequence!Checks!
Documentation!ordinarily!
Database!Administrator assumes!the!following!form:! Visitor!entry!Logs Reasonableness!Checks!
System!Analyst (a)! A!system!flowchart;! Hardware!and!Software! Field!Checks
access!controls!
System!Programmers (b)! A!program!flowchart;! (i)! Missing!data!/!blank
(c)! Program!change;! Hardware!and!Software!
Application!Programmer (ii)! Alphabetic!/!Numeric
access!controls!
Operation!Specialist (d)! Operator!instructions;! (iii)! Range!
Call!back!
Librarian (e)! Program!description (iv)!Master!Reference!
Encryption!
(v)!Size!
Computer!Application!
Controls! (vi)!Format!Mask!
Record!Checks
Reasonableness!
(ii)! ValidJSignJNumeric
(iii)! Size
File!Checks!
!
!

Review(of(Checks(and(Controls(in(a(CIS(Environment((II)(

Processing(Controls( Recording(Control( Storage(Control( Output(Control(

Physical!Protection!against!
Overflow Erasure
Range External!Label
Error!Log
Sign!Test Magnetic!Labels
Transaction!Log!!
Cross! Footing File!BackJup!Routines
RunJtoJRun!Control! Database!BackJup!routines
Cryptographic!Storage!
Computer Assisted Audit Techniques (CAATS)
Traditional Audit CIS Audit
Overall objectives and scope Same
of an audit
Application of auditing Old CAAT
procedures

Computer Assisted Audit Techniques (CAATs) use the computer as an audit tool for enhancing the
effectiveness and efficiency of audit procedures.
CAATs are computer programs and data that the auditor uses as part of the audit procedures to
process data of audit significance, contained in an entitys information systems.

Uses of CAATs - CAATs may be used in performing various auditing procedures, including the
following:

Nature Example
tests of details of transactions and balances use of audit software for recalculating interest
or the extraction of invoices over a certain
value from computer records
tests of general controls testing the set-up or configuration of the
operating system or access procedures to the
program libraries or by using code comparison
software to check that the version of the
program in use is the version approved by
management
tests of application controls testing the functioning of a programmed control
analytical procedures identifying inconsistencies or significant
fluctuations
sampling programs to extract data for audit testing

re-performing calculations performed by the entitys accounting systems

 Audit(Software(

System!
Package! Purpose[Written!
Utility!Programs! Management!
Programs! Programs!
Programs

perform!audit!
Generalized! tasks!in!specific! Not!specifically!
computer! circumstances.! designed!for!
Not!designed!for! auditing!use
programs! audit!purposes,!
1.!Developed!by!
designed!to! so!doesnt!
the!auditor,!
perform! contain!features!
2. Entity!being! such!as!
data!processing!
audited! automatic! Enhanced!
functions,!
3.!Hired!outside! record!counts!or! productivity!
such!as! tools, part!of!a!
programmer! control!totals.!
reading!data,! sophisticated!
common!data! OSenvironment,!
selecting!and!
Auditor!may!use! processing!
analyzing!
an!entity's! functions,!
information,!
performing! existing!
calculations,! programs!in! such!as! for!example,!
creating!data! original!or! data!retrieval!
files!and! modified!state!if! sorting,!creating! software!or!code!
reporting!in!a! more!efficient! and!printing! comparison!
format!specified! than!developing! files.! software.!
by!the!auditor.! independent!
programs.!
 Considerations(in(the(Use(of(CAATs(

IT!knowledge,!
Availability!of!CAATs,
expertise!and! Impracticability!of! Effectiveness!and!
suitable!computer! Time!constraints!
experience!of!the!audit! manual!tests! efficiency!
facilities!&!data!
team!

CAAT's!are efficient!
means!of!testing!
Auditing!in!a!CIS! transactions!or!
environment!deals! Use!of!CAATs!on!an! controls!by:!
with!the!level!of!skill! entitys!computer!is!
and!competence!the! uneconomical!or! analyzing!and!
audit!team!needs!to! impractical!(Ex.! selecting!samples!
conduct!an!audit!in!a! incompatibility! from!a!large!volume! Certain!data are!often!
cis!environment.! between!the!auditors! of!transactions;! kept!for!a!short!time!
package!program!and! Some!audit! applying!analytical! and!may!not!be!
It!provides:!
entitys!computer. procedures!not! procedures;!and! available!in!machine[
1.!guidance!when!an! possible!to!perform! readable!form!later.!
auditor!delegates! manually!because! performing!
substantive! Thus,!the!auditor!will!
work!to!assistants! So,!auditor!use!other! they!rely!on:
procedures. need!to:!
with!CIS!skills! computer!facilities.! 1.!complex!processing! 1.!make arrangements!
2.!auditor!uses!work! Auditor!may!use!their! 2.!large!amounts!of! Matters!considered! for!the!retention!of!
performed!by!other! own!facilities,!such!as! data!that!would! by!auditor!:! data!
auditors!or!experts! pcs!or!laptops.! overwhelm!any! 2. alter!the!timing!of!
with!such!skills.! the!time!taken!to!
manual!procedure.! the!work
plan,!design,!execute!
The!cooperation!of! and!evaluate!CAAT;! Where!the!time!
Specifically,!the!audit! the!entitys!personnel! In!many!CIS!tasks,!no! technical!review! available!to!perform!
team!should!have! required!to!provide! hard!copy!evidence!is! and!assistance!hours;! an!audit!is!limited,!the!
sufficient!knowledge! processing!facilities!at! available.! auditor!may!plan!to!
to!plan,!execute!and! a!convenient!time,!to! designing!and!
Impracticable!for!the! use!CAAT!because!it!
use!the!results!of!the! assist!with!activities! printing!of!forms!
auditor!to!perform! meets!auditor's!time!
particular!CAAT! such!as!loading!and! (confirmations)
tests!manually. requirement!better!
adopted.! running!of!CAAT!on! availability!of! than!other!possible!
The!level!of! the!entitys!system,! computer!resources.! procedures.!
knowledge!required! and!to!provide!copies!
depends!on! of!data!files!in!the! The!initial!planning,!
availability!of!CAATs! format!required!by! design!and!
and!suitable! the!auditor.! development!of!CAAT!
computer!facilities.! will!usually!benefit!
audits!in!subsequent!
periods.!

!
Using CAATs
Testing CAAT - The auditor should obtain reasonable assurance of the integrity, reliability,
usefulness, and security of CAAT through appropriate planning, design, testing, processing and
review of documentation. This should be done before reliance is placed upon CAAT. The nature,
timing and extent of testing are dependent on the commercial availability and stability of CAAT.
Controlling CAAT Application - The specific procedures necessary to control the use of CAAT
depend on the particular application. In establishing control, the auditor considers the need to:
.! (a) approve specifications and conduct a review of the work to be performed by CAAT;
.! (b) review the entitys general controls that may contribute to the integrity of CAAT, for
example, controls over program changes and access to computer files. When such
controls cannot be relied on to ensure the integrity of CAAT, the auditor may consider
processing CAAT application at another suitable computer facility; and
.! (c) ensure appropriate integration of the output by the auditor into the audit process.
Procedures carried out by the auditor to control CAATs applications may include: (a)
participating in the design and testing of CAAT;