
CHAPTER 28

AUDITING IN A COMPUTER INFORMATION SYSTEMS (CIS) ENVIRONMENT

Questions
1. Additional planning items that should be considered when computer processing
is involved are:

- The extent to which the computer is used in each significant accounting
  application.
- The complexity of the computer operations used by the entity,
  including the use of an outside service center.
- The organizational structure of the computer processing activities.
- The availability of data.
- The computer-assisted audit techniques to increase the efficiency of
  audit procedures.
- The need for specialized skills.

2. Understanding the control environment is a part of the preliminary phase of
control risk assessment. Computer use in data processing affects this
understanding in each of the parts of the control environment as follows:
The organizational structure should include an understanding of the
organization of the computer function. Auditors should obtain and evaluate: (a)
a description of the computer resources and (b) a description of the
organizational structure of computer operations.
Methods used to communicate responsibility and authority should include the
methods related to computer processing. Auditors should obtain information
about the existence of: (a) accounting and other policy manuals including
computer operations and user manual and (b) formal job descriptions for
computer department personnel. Further, auditors should gain an understanding
of: (a) how the client's computer resources are managed, (b) how priorities for
resources are determined and (c) if user departments have a clear understanding
of how they are to comply with computer related standards and procedures.
Methods used by management to supervise the system should include
procedures management uses to supervise the computer operations. Items that
are of interest to the auditors include: (a) the existence of systems design and
documentation standards and the extent to which they are used, (b) the existence
and quality of procedures for systems and program modification, systems
acceptance approval and output modification, (c) the procedures limiting access
to authorized information, (d) the availability of financial and other reports and
(e) the existence of an internal audit function.

28-2 Solutions Manual Public Accountancy Profession

3. The audit trail is the source documents, journal postings and ledger account
postings maintained by a client in order to keep books. These are a trail of the
bookkeeping (transaction data processing) that the auditor can follow forward
with a tracing procedure or backward with a vouching procedure.
In a manual system this trail is usually visible to the eye with posting
references in the journal and ledger and hard-copy documents in files. But in a
computer system, the posting references may not exist, and the records must be
read using the computer rather than the naked eye. Most systems still have
hard-copy papers for basic documentation, but in some advanced systems even
these might be absent.

4. The audit trail (sometimes called management trail as it is used more in daily
operations than by auditors) is composed of all manual and computer records
that allow one to follow the sequence of processing on (or because of) a
transaction.
The audit trail in advanced systems may not be in a human-readable form and
may exist for only a fraction of a second.
The first control implication is that concern for an audit trail needs to be
recognized at the time a system is designed. Techniques such as integrated test
facility, audit files and extended records must be specified to the systems
designer. The second control implication is that if the audit trail exists only
momentarily in the form of transaction logs or master records before destructive
update, the external auditor must review and evaluate the transaction flow at
various times throughout the processing period. Alternatively, the external
auditor can rely more extensively on the internal auditor to monitor the audit
trail.

5. Major characteristics:

1. Staff and location of the computer: operated by small staff located within
   the user department and without physical security.
2. Programs: supplied by computer manufacturers or software houses.
3. Processing mode: interactive data entry by users with most of the master
   file accessible for inquiry and direct update.

Control Problems:

1. Lack of segregation of duties.
2. Lack of controls on the operating system and application programs.
3. Unlimited access to data files and programs.
4. No record of usage.
5. No backup of essential files.
6. No audit trail of processing.
7. No authorization or record of program changes.

6. Auditing through the computer refers to making use of the computer itself to test
the operative effectiveness of application controls in the program actually used
to process accounting data. Thus the term refers only to the proper study and
evaluation of internal control. Auditing with the computer refers both to the
study of internal control (the same as auditing through) and to the use of the
computer to perform audit tasks.

7. Both are audit procedures that use the computer to test controls that are included
in a computer program. The basic difference is that the test data procedure
utilizes the client's program with auditor-created transactions, while parallel
simulation utilizes an auditor-created program with actual client transactions. In
the test data procedure the results from the client program are compared to the
auditor's predetermined results to determine whether the controls work as
described. In the parallel simulation procedures the results from the auditor
program are compared to the results from the client program to determine
whether the controls work as described.
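
The comparison in answer 7, as an added example that is not part of the solutions manual: the same planted credit-check defect is looked for once with test data and once with parallel simulation. The "client" program, master file, test deck, live transactions and all function names are assumptions constructed for the illustration.

```python
# Added example: test data vs. parallel simulation on a constructed program.
# Amounts are whole currency units; the master file is not updated between
# transactions, to keep the comparison deterministic.

MASTER = {  # constructed master file: customer -> (credit limit, open balance)
    "C100": (5000, 4200),
    "C200": (1000, 0),
}


def client_program(txn):
    """Stand-in for the client's production program (hypothetical).

    Planted defect: the credit check ignores the customer's open balance.
    """
    cust, qty, price = txn
    if cust not in MASTER:
        return ("REJECT", "unknown customer")
    if qty <= 0:
        return ("REJECT", "invalid quantity")
    amount = qty * price
    limit, _balance = MASTER[cust]
    if amount > limit:
        return ("REJECT", "credit limit")
    return ("ACCEPT", amount)


def auditor_program(txn):
    """Auditor-written simulation coded from the documented control:
    reject when open balance plus the order exceeds the credit limit."""
    cust, qty, price = txn
    if cust not in MASTER:
        return ("REJECT", "unknown customer")
    if qty <= 0:
        return ("REJECT", "invalid quantity")
    amount = qty * price
    limit, balance = MASTER[cust]
    if balance + amount > limit:
        return ("REJECT", "credit limit")
    return ("ACCEPT", amount)


# Test data: auditor-created transactions, one per control condition, each
# with the result the auditor predetermined from the control description.
TEST_DECK = [
    ("valid order", ("C200", 2, 100), ("ACCEPT", 200)),
    ("unknown customer", ("C999", 1, 10), ("REJECT", "unknown customer")),
    ("zero quantity", ("C200", 0, 10), ("REJECT", "invalid quantity")),
    ("order alone over limit", ("C200", 11, 100), ("REJECT", "credit limit")),
    ("balance plus order over limit", ("C100", 10, 100), ("REJECT", "credit limit")),
]

# Constructed stand-in for the client's actual transactions of the period.
LIVE_TXNS = [("C200", 3, 50), ("C100", 4, 150), ("C100", 9, 100), ("C300", 1, 20)]


def run_test_data(program, deck):
    """Client program + auditor transactions: list results that differ from
    the predetermined ones as (case, expected, actual)."""
    results = [(name, expected, program(txn)) for name, txn, expected in deck]
    return [r for r in results if r[1] != r[2]]


def parallel_simulation(client, simulation, txns):
    """Auditor program + actual transactions: list transactions on which the
    two programs disagree as (txn, client result, simulated result)."""
    results = [(txn, client(txn), simulation(txn)) for txn in txns]
    return [r for r in results if r[1] != r[2]]


if __name__ == "__main__":
    # A deck without the fifth case passes cleanly: the defect goes unseen.
    print("partial deck:", run_test_data(client_program, TEST_DECK[:4]))
    print("full deck:   ", run_test_data(client_program, TEST_DECK))
    print("simulation:  ", parallel_simulation(client_program, auditor_program, LIVE_TXNS))
```

The partial deck shows why one transaction per control condition is enough only when every condition is actually represented in the deck.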

8. The test data technique utilizes simulated transactions created by the auditor,
processed by actual programs but at a time completely separate from the
processing of actual, live transactions. The integrated test facility technique is
an extension of the test data technique, but the simulated transactions are
intermingled with the real transactions and run on the actual programs
processing actual data.

9. User identification numbers and passwords prevent unauthorized access to
accounting records and application programs. The transaction log does not
prevent unauthorized access but may be reviewed to detect unauthorized access.
Even then, responsibility could not be traced to a particular individual without
user identification numbers and passwords. The transaction log is more
important to establish the audit trail than to detect unauthorized access.

10. Generalized audit software is a set of preprogrammed editing, operating, and
output routines that can be called into use with a simple, limited set of
programming instructions by an auditor who has one or two weeks' intensive
training.


11. Phases, with the noncomputer auditor involvement in each:

1. Define the audit objectively: Primary responsibility
2. Feasibility: Evaluate alternatives
3. Planning: Review with computer auditor
4. Application design: none
5. Coding: none
6. Testing: Review final test results, compare to plan
7. Processing: Actual computer processing, none; use of results, depends on application
8. Evaluation: Full responsibility

12. Automated microcomputer work paper software generally consists of trial
balance and adjustment worksheets, working paper (lead schedule) forms, easy
facilities for adjusting journal entries, and electronic spreadsheets for various
analyses.
13. A microcomputerized electronic spreadsheet can be used instead of paper and
pencil to create the form of a bank reconciliation, with space provided for text
lists of outstanding items (using the label input capability), and math formulas
inserted for accurate arithmetic in the reconciliation. Printing such a
reconciliation is easy (and much prettier than most accountants' handwriting!).
14. With either data base or spreadsheet software packages, macros (sets of
instructions) can be developed for retrieving data from the working trial balance
and converting this data into classified financial statements. If one or more
subsidiaries are to be included, the consolidated process can also be automated
by the inclusion of special modules designed for that purpose. The standard
audit report, as well as recurring footnotes, can be included in the data base, and
modified to fit the circumstances of the current year's audit results.
15. Relational data base packages have all the advantages of spreadsheets, and, in
addition, have the capacity to store and handle larger quantities of data. They
are especially useful in manipulating large data bases, such as customer accounts
receivable, plant assets, and inventories.
Multiple Choice Questions
1. a     5. d     9. b     13. c     17. b
2. c     6. d     10. d    14. a     18. c
3. c     7. c     11. b    15. d     19. d
4. d     8. b     12. b    16. b


Cases
1. a. Auditing around the computer generally refers to examinations of
transactions in which a representative sample of transactions is traced from
the original source documents, perhaps through existing intermediate
records in hard copy, to output reports or records, or from reports back to
source documents. Little or no attempt is made to audit the computer
program or procedures employed by the computer to process the data. This
audit approach is based on the premise that the method of processing data is
irrelevant as long as the results can be traced back to the input of data and
the input can be validated. If the sample of transactions has been handled
correctly, then the system outputs can be considered to be correct within a
satisfactory degree of confidence.

b. The CPA would decide to audit through the computer instead of around
the computer (1) when the computer applications become complex or (2)
when audit trails become partly obscured and external evidence is not
available.
Auditing around the computer would be inappropriate and inefficient in
the examination of transactions when the major portion of the internal
control system is embodied in the computer system and when accounting
information is intermixed with operation information in a computer
program that is too complex to permit the ready identification of data inputs
and outputs. Auditing around the computer will also be ineffective if the
sample of transactions selected for auditing does not cover unusual
transactions that require special treatment.

c. (1) Test data is usually a set of data in the form of punched cards or
magnetic tape representing a full range of simulated transactions, some
of which may be erroneous, to test the effectiveness of the programmed
controls and to ascertain how transactions would be handled (accepted
or rejected) and if accepted, the effect they would have on the
accumulated accounting data.
(2) The auditor may use test data to gain a better understanding of what the
data processing system does, and to check its conformity to desired
objectives. Test data may be used to test the accuracy of programming
by comparing computer results with results predetermined manually.
Test data may also be used to determine whether errors can occur
without observation and thus test the system's ability to detect
noncompliance with prescribed procedures and methods.
Assurance is provided by the fact that if one transaction of a given type
passes a test, then all transactions containing the identical test
characteristics will, if the appropriate control features are functioning,
pass the same test. Accordingly, the volume of test transactions of a
given type is not important.
d. In addition to actually observing the processing of data by the client, the
CPA can satisfy himself that the computer program tapes presented to him
are actually being used by the client to process its accounting data by
requesting the program on a surprise basis from a computer librarian and
using it to process test data.
The CPA may also request, on a surprise basis, that the program be left in
the computer at the completion of processing data so that he can use the
program to process his test data. This procedure may reveal computer
operation intervention. It also ensures that a current version of the program
is being audited, an important procedure in computer installations newly
installed and undergoing many program changes. To gain further assurance
about this matter, the CPA should inquire into the client's procedures and
controls for making program changes and erasing superseded program
tapes, and should examine log tapes where available.

2. a. Document retention
IMPACT ON THE INTERNAL CONTROL SYSTEM: In on-line real time
systems and EDI systems, the audit trail is frequently modified in the form
of reduced documentation. To compensate, internal controls should provide
for adequate input editing, as well as some form of transaction log as
documentation at the input stage.
IMPACT ON THE INDEPENDENT AUDIT: In examining internal
control, under these circumstances, the auditor must rely more on
observation, inquiry, and reprocessing of transactions for control testing
purposes, and less on document testing. If documents are retained for only
a short period, the auditor should also consider the feasibility of frequent
visits for both substantive and control testing purposes.

b. Uniformity of processing
IMPACT ON THE INTERNAL CONTROL SYSTEM: The impact of this
internal control characteristic is to generally strengthen control by
increasing the consistency of processing. Once the proper controls are
installed and tested, processing consistency increases the accuracy of
transaction processing over that which exists in manual systems.
IMPACT ON THE INDEPENDENT AUDIT: The auditor must emphasize
control study and testing at the point of transaction input and processing to
determine that the necessary controls exist and are functioning. Upon
determining that the necessary input and processing controls are in place
and functioning properly, the auditor may elect to perform little or no
document testing.

c. Concentration of functions
IMPACT ON THE INTERNAL CONTROL SYSTEM: In manual systems,
separation of functional responsibilities provides a double-check for the
purpose of enhancing processing accuracy. In EDP accounting systems,
consistency of processing removes the need for double-check.
IMPACT ON THE INDEPENDENT AUDIT: The auditor must determine
that the necessary input editing controls are in place and functioning to
ensure that transactions are accurately introduced into the processing
stream. Moreover, to ensure checks and balances within the electronic data
processing function, the auditor should study the organizational structure of
the EDP group to ascertain proper separation among the following
functions:
- Systems analysis and design
- Program design, development, and testing
- Computer operations involving data processing
- Distribution of EDP output and reprocessing of errors

d. Access to data bases
IMPACT ON THE INTERNAL CONTROL SYSTEM: The greater the
number of input terminals providing access to data bases, and the more
integrated the data base, the greater the danger of unauthorized access. To
protect the data bases under these circumstances, the internal control
policies and procedures should provide for effective control over
identification codes and passwords permitting access to data bases; and the
control policies should also fix responsibility in designated individuals for
specified elements of data bases.
In batch systems, access to magnetic tape and disk files and programs
should be secured by assigning responsibility over these files to one or more
individuals designated as librarians, and instituting a formal checkout
system for releasing and reacquiring files and programs.
IMPACT ON THE INDEPENDENT AUDIT: The auditor should
determine that proper control over I.D. codes and passwords exists, that
codes and passwords are changed frequently and voided upon termination
of employment, and that responsibility for elements of data bases has been
appropriately fixed.
In batch systems, the auditors should determine that tape and disk files and
programs stored off-line are properly secured.
3. a. Test data approach: The auditor prepares simulated input data (both valid
and invalid transactions) that are processed, under the auditor's control, by
the client's processing system.
Advantage: A good way of testing existing controls for proper functioning.
Disadvantage: Difficulty in designing comprehensive test data; difficulty
in ascertaining whether the programs tested are the same programs used by
the client in processing actual transactions and events during the year.
ITF approach: The auditor creates a fictitious entity within the client's
actual data files, and processes simulated data during live processing by
client. The auditor then compares the results of processing with anticipated
results.
Advantage: Greater assurance that programs tested are programs used by
the client (the approach can be applied at different points in time during the
year).
Disadvantage: Difficult to remove test data from the system without
harming client's files.
Tagging and tracing: This is a technique whereby an identifier or tag is
affixed to a transaction record; and the tag triggers snapshots during the
processing of transactions. Following the tagged transactions through the
system permits the auditor to evaluate the logic of the processing steps and
the adequacy of programmed controls.
Advantage: The use of actual data eliminates the need for removing data
from the client's processing system.
Disadvantage: The auditor analyzes the transactions only after processing
is completed.
SCARF: A systems control audit review file is an audit log used to collect
information for subsequent analysis and review. An imbedded audit
module monitors selected transactions as they pass by specific processing
points. The module then captures the input data so that relevant
information, accessible only by the auditor, is displayed at key points in the
processing system.
Advantage: Utilizes real- rather than simulated-transaction data, and does
not require reversing the entries.

Disadvantage: Does not necessarily capture erroneous data.
Surprise audit: The auditor, on an unannounced basis, requests copies of
client's programs, and compares them with auditor's copy of authorized
versions.
Advantage: Assists the auditor in determining whether client personnel are
using authorized versions of programs in processing data.
Disadvantage: Auditor may not always be notified by the client when
program changes are made, thus making the comparison irrelevant.
b. Inasmuch as each of the above alternatives has distinct advantages and
disadvantages, a combination approach overcomes the disadvantages
resulting from using a single approach. Using ITF, for example, on a few
simulated transactions, while applying the tagging and tracing or SCARF
approach for numerous actual transactions, provides effective testing of
control procedures for error prevention and detection, without requiring the
reversal of a large number of simulated transactions from the client's
system.

c. In auditing around the computer, the auditor predetermines the processing
results (output) of selected input data, and compares the predetermined
results with actual computer output. The advantage of this approach is its
ease of application; a significant disadvantage is that the auditor gains no
understanding of how the computer processes data, nor of the controls
which have been incorporated into the computer programs.
In auditing through the computer, the auditor actually tests the programmed
controls used in processing specific applications. Such techniques as design
phase auditing, ITF, tagging and tracing, SCARF, test data, and surprise
audit are examples of auditing through the computer.

d. Parallel simulation is an automated version of auditing around the computer
in that the auditor creates a set of application programs that simulate the
processing system, and compares output from the real and simulated
systems. Comparison of input with output ignores the essential
characteristics of the processing system and assumes that if the outputs are
identical, the system is processing transactions accurately.
The auditor might elect to use parallel simulation in combination with
design phase auditing. Design phase auditing ensures that the necessary
controls are installed during system design. By permitting the auditor to
test large volumes of transactions, parallel simulation helps to confirm
whether these controls are working.


4. (a) Test decks, also called test data, are sets of computer input data which
reflect a variety of auditor-identified transactions for verification through
actual computer processing to detect invalid processing of results (i.e.,
existing programs run test data). Ideal test data should present the
application under examination with every possible combination of
transactions, master file situations, and processing logic which could be
encountered during actual comprehensive processing. Test data are usually
processed separately from actual data using copies of master files. Test
decks are most feasible when the variety of transactions processing and
controls is relatively limited (i.e., fairly simple files).
Uses include checking and verifying: (1) input transaction validation
routines, error detection, and application system controls, (2) processing
logic, and controls associated with creation and maintenance of master files,
(3) computational routines such as interest and asset depreciation, and (4)
incorporation of program changes.
(b) Parallel simulation consists of the preparation of a separate computer
application that performs the same functions as those used by the actual
application programs. The simulation programs read the same input data as
the application programs, use the same files, and attempt to produce the
same results (e.g., real data run through test programs). These simulated
results are matched with those from the live programs, providing a means
for testing through comparison.
Uses include all those cited for test decks.
(c) The integrated test facility approach permits the introduction of
auditor-selected test data into a computer system with actual or live data and then
traces the flow of transactions through the various system processing
functions for comparison to predetermined actual results. An ITF involves
the creation or establishment of a dummy entity (e.g., a branch or
division) to receive the results of the test processing. Therefore,
transactions are processed against the test entity together with actual
transactions. Test data must be removed from the entity's records upon
completion of the test. Uses are identical to the test deck technique.
(d) Tagging and tracing and SCARF are forms of transaction tracking provided
only for auditor-selected computer inputs carrying a special code. If the
capability is provided in the application system in advance, the attachment
of a code to any input transaction can be made to generate a printed
transaction trail for that item following each step of the application
processing.

Uses include: (1) determining the impact of specific transactions on master
records or calculations in high volume systems, (2) flagging unusual or
abnormal transactions, and (3) debugging application programs.
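
An added example (not from the solutions manual) of the tagging and tracing and SCARF techniques described in Cases 3(a) and 4(d): an embedded audit module snapshots a tagged transaction after each processing step and copies transactions that meet an auditor-set rule to an audit file. The application, the module design, the selection rule and the transactions are all assumptions constructed for the illustration.

```python
# Added example: tagging and tracing plus a SCARF file, both written by an
# audit module embedded in a constructed sales-posting run.
import copy

PRICE_LIST = {"WIDGET": 250, "GEAR": 40}  # constructed master data


class AuditModule:
    """Embedded audit module (hypothetical design). The application calls
    hook() at each processing point; only the auditor reads what it stores."""

    def __init__(self, scarf_point, criteria):
        self.scarf_point = scarf_point  # processing point SCARF monitors
        self.criteria = criteria        # auditor-specified selection rule
        self.scarf_file = []            # audit log for later review
        self.snapshots = []             # (txn id, step, record copy)

    def hook(self, step, rec):
        # Tagging and tracing: a tagged record is snapshotted at every step.
        if rec.get("audit_tag"):
            self.snapshots.append((rec["id"], step, copy.deepcopy(rec)))
        # SCARF: records meeting the criteria at the monitored point are
        # copied to the audit file, tagged or not.
        if step == self.scarf_point and self.criteria(rec):
            self.scarf_file.append(copy.deepcopy(rec))

    def trail(self, txn_id):
        """Snapshots of one tagged transaction, in processing order."""
        return [(s, snap) for tid, s, snap in self.snapshots if tid == txn_id]


def process(txns, audit):
    """Constructed application: edit, price, post. Returns customer balances."""
    ledger = {}
    for txn in txns:
        rec = dict(txn)
        ok = rec["qty"] > 0 and rec["item"] in PRICE_LIST
        rec["status"] = "valid" if ok else "rejected"
        audit.hook("edit", rec)
        if not ok:
            continue  # rejected input never reaches the pricing point
        unit = rec.get("override_price", PRICE_LIST[rec["item"]])
        rec["amount"] = rec["qty"] * unit
        audit.hook("price", rec)
        ledger[rec["customer"]] = ledger.get(rec["customer"], 0) + rec["amount"]
        rec["posted_balance"] = ledger[rec["customer"]]
        audit.hook("post", rec)
    return ledger


def scarf_rule(rec):
    """Assumed selection rule: large sales and manual price overrides."""
    return rec["amount"] >= 10_000 or "override_price" in rec


# Constructed "actual" transactions; the auditor has tagged only T2.
TXNS = [
    {"id": "T1", "customer": "A", "item": "WIDGET", "qty": 2},
    {"id": "T2", "customer": "A", "item": "GEAR", "qty": 300, "audit_tag": True},
    {"id": "T3", "customer": "B", "item": "WIDGET", "qty": 10, "override_price": 1},
    {"id": "T4", "customer": "B", "item": "GEAR", "qty": 0},
]


def run_example():
    audit = AuditModule(scarf_point="price", criteria=scarf_rule)
    ledger = process(TXNS, audit)
    return ledger, audit


if __name__ == "__main__":
    ledger, audit = run_example()
    print("ledger:", ledger)
    print("SCARF file:", [r["id"] for r in audit.scarf_file])
    for step, snap in audit.trail("T2"):
        print("T2 after", step, "->", snap)
```

No test entity or reversing entry is involved: both records are taken from real transactions, and the auditor reads them only after the run has finished.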
5. In an audit of a computer-based system, adequate training and experience must
be directly related to EDP. In particular, the auditor should be knowledgeable of
what computer systems do, how to test the operations of an EDP system, and
how to use EDP-unique documentation.
The training and proficiency standard contributes to satisfaction of the
independence standard by enabling the auditor to make his own decisions and
judgments. Otherwise, he might tend to subordinate his judgment to other
persons, possibly to client personnel. When the auditor lacks training and
proficiency, it is virtually impossible to maintain an operational independence
over audit decisions. An independence of mental attitude is futile if actual
decisions are subordinated to others.
The exercise of due audit care requires a critical review at every level of audit
supervision of the work done and the decisions made by auditors. Lacking the
requisite skills and lacking independent decisions, the due care expected of an
auditor at operational, supervisor, and review levels cannot be delivered.
The Philippine Standards on Auditing require adequate planning and supervision
of assistants. Training and proficiency in computer systems auditing is
necessary in order to plan access to computerized records, programs, and to
obtain machine time for conducting audit procedures. The planning should
provide for an early examination of the computer system so that further
procedures involving non-computer control and accounting features may be
planned should they depend upon computer control procedures.
Training and proficiency are very important for being able to obtain an
understanding of the internal control structure in a computer system. Client
personnel will expect audit personnel to be capable of working with a computer
system.
The Philippine Standards on Auditing also require the auditor to obtain
sufficient competent evidential matter to provide a basis for an opinion on
financial statements. Documentary evidence relating to a computer system
includes program flow charts, logic diagrams, and decision tables that are not
normally used in non-computer systems. Since these types of documentation are
a part of the evidence, they must be understood by the auditor, and
understanding of them comes through training and proficiency in their use.
