CEBU CPAR CENTER


Mandaue City, Cebu
AUDITING THEORY
AUDITING IN A COMPUTER INFORMATION SYSTEMS (CIS) ENVIRONMENT
Related PSAs/PAPSs: PSA 401; PAPS 1001, 1002, 1003, 1008 and 1009

PSA 401 – Auditing in a Computer Information Systems (CIS) Environment

1. Which statement is incorrect when auditing in a CIS environment?
a. A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.
b. The auditor should consider how a CIS environment affects the audit.
c. The use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.
d. A CIS environment changes the overall objective and scope of an audit.
2. Which of the following standards or group of standards is mostly affected by a computerized information system environment?
a. General standards
b. Second standard of field work
c. Reporting standards
d. Standards of fieldwork
3. Which of the following is least considered if the auditor has to determine whether specialized CIS skills are needed in an audit?
a. The auditor needs to obtain a sufficient understanding of the accounting and internal control system affected by the CIS environment.
b. The auditor needs to determine the effect of the CIS environment on the assessment of overall risk and of risk at the account balance and class of transactions level.
c. Design and perform appropriate tests of controls and substantive procedures.
d. The need of the auditor to make analytical procedures during the completion stage of audit.
4. It relates to materiality of the financial statement assertions affected by the computer processing.
a. Threshold
b. Relevance
c. Complexity
d. Significance
5. Which of the following least likely indicates a complexity of computer processing?
a. Transactions are exchanged electronically with other organizations without manual review of their propriety.
b. The volume of the transactions is such that users would find it difficult to identify and correct errors in processing.
c. The computer automatically generates material transactions or entries directly to another application.
d. The system generates a daily exception report.
6. The nature of the risks and the internal characteristics in CIS environment that the auditors are mostly concerned with include the following except:
a. Lack of segregation of functions.
b. Dependence of other control over computer processing.
c. Lack of transaction trails.
d. Cost-benefit ratio.
7. Which of the following is least likely a risk characteristic associated with CIS environment?
a. Errors embedded in an application’s program logic may be difficult to manually detect on a timely basis.
b. Many control procedures that would ordinarily be performed by separate individuals in manual system may be concentrated in CIS.
c. The potential unauthorized access to data or to alter them without visible evidence may be greater.
d. Initiation of changes in the master file is exclusively handled by respective users.
8. Which of the following significance and complexity of the CIS activities should an auditor least understand?
a. The organizational structure of the client’s CIS activities.
b. Lack of transaction trails.
c. The significance and complexity of computer processing in each significant accounting application.
d. The use of software packages instead of customized software.

PAPS 1001 – CIS Environments – Stand-Alone Personal Computers


9. Which statement is correct regarding personal computer systems?
a. Personal computers or PCs are economical yet powerful self-contained general purpose computers consisting typically of a central processing unit (CPU), memory, monitor, disk drives, printer cables and modems.
b. Programs and data are stored only on non-removable storage media.
c. Personal computers cannot be used to process accounting transactions and produce reports that are essential to the preparation of financial statements.
d. Generally, CIS environments in which personal computers are used are the same with other CIS environments.
10. A personal computer can be used in various configurations, including
a. A stand-alone workstation operated by a single user or a number of users at different times.
b. A workstation which is part of a local area network of personal computers.
c. A workstation connected to a server.
d. All of the above.
11. Which statement is incorrect regarding personal computer configurations?
a. The stand-alone workstation can be operated by a single user or a number of users at different times accessing the same or different programs.
b. A stand-alone workstation may be referred to as a distributed system.
c. A local area network is an arrangement where two or more personal computers are linked together through the use of special software and communication lines.
d. Personal computers can be linked to servers and used as part of such systems, for example, as an intelligent on-line workstation or as part of a distributed accounting system.
12. Which of the following is the least likely characteristic of personal computers?
a. They are small enough to be transportable.
b. They are relatively expensive.
c. They can be placed in operation quickly.
d. The operating system software is less comprehensive than that found in larger computer environments.
13. Which of the following is an inherent characteristic of software package?
a. They are typically used without modifications of the programs.
b. The programs are tailor-made according to the specific needs of the user.
c. They are developed by software manufacturer according to a particular user’s specifications.
d. It takes a longer time of implementation.
14. Which of the following is not normally a removable storage media?
a. Compact disk
b. Diskettes
c. Tapes
d. Hard disk
15. It is a computer program (a block of executable code) that attaches itself to a legitimate program or data file and uses it as a transport mechanism to reproduce itself without the knowledge of the user.
a. Virus
b. Utility program
c. System management program
d. Encryption
16. Which statement is incorrect regarding internal control in personal computer environment?
a. Generally, the CIS environment in which personal computers are used is less structured than a centrally-controlled CIS environment.
b. Controls over the system development process and operations may not be viewed by the developer, the user or management as being as important or cost-effective.
c. In almost all commercially available operating systems, the built-in security provided has gradually increased over the years.
d. In a typical personal computer environment, the distinction between general CIS controls and CIS application controls is easily ascertained.
17. Personal computers are susceptible to theft, physical damage, unauthorized access or misuse of equipment. Which of the following is least likely a physical security to restrict access to personal computers when not in use?
a. Using door locks or other security protection during non-business hours.
b. Fastening the personal computer to a table using security cables.
c. Locking the personal computer in a protective cabinet or shell.
d. Using anti-virus software programs.

Page 3 of 15 
AT-030507
18. Which of the following is not likely a control over removable storage media to prevent misplacement, alteration without authorization or destruction?
a. Using cryptography, which is the process of transforming programs and information into an unintelligible form.
b. Placing responsibility for such media under personnel whose responsibilities include duties of software custodians or librarians.
c. Using a program and data file check-in and check-out system and locking the designated storage locations.
d. Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof container, either on-site, off-site or both.
19. Which of the following least likely protects critical and sensitive information from unauthorized access in a personal computer environment?
a. Using secret file names and hiding the files.
b. Keeping of back up copies offsite.
c. Employing passwords.
d. Segregating data into files organized under separate file directories.
20. It refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction.
a. Back-up
b. Encryption
c. Anti-virus
d. Wide Area Network (WAN)
21. The effect of personal computers on the accounting system and the associated risks will least likely depend on
a. The extent to which the personal computer is being used to process accounting applications.
b. The type and significance of financial transactions being processed.
c. The nature of files and programs utilized in the applications.
d. The cost of personal computers.
22. The auditor may often assume that control risk is high in personal computer systems since it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected errors to a minimum level. This least likely entails
a. More physical examination and confirmation of assets.
b. More analytical procedures than tests of details.
c. Larger sample sizes.
d. Greater use of computer-assisted audit techniques, where appropriate.

PAPS 1002 – CIS Environments – On-Line Computer Systems

23. Computer systems that enable users to access data and programs directly through workstations are referred to as
a. On-line computer systems
b. Database management systems (DBMS)
c. Personal computer systems
d. Database systems
24. On-line systems allow users to initiate various functions directly. Such functions include:
I. Entering transactions
II. Making inquiries
III. Requesting reports
IV. Updating master files
a. I, II, III and IV
b. I, II and III
c. I and II
d. I and IV
25. Many different types of workstations may be used in on-line computer systems. The functions performed by these workstations least likely depend on their
a. Logic
b. Transmission
c. Storage
d. Cost
26. Types of workstations include General Purpose Terminals and Special Purpose Terminals. Special Purpose Terminals include
a. Basic keyboard and monitor
b. Intelligent terminal
c. Point of sale devices
d. Personal computers
27. Special Purpose Terminal used to initiate, validate, record, transmit and complete various banking transactions
a. Automated teller machines
b. Point of sale devices
c. Intelligent terminal
d. Personal computers
28. Which statement is incorrect regarding workstations?
a. Workstations may be located either locally or at remote sites.
b. Local workstations are connected directly to the computer through cables.
c. Remote workstations require the use of telecommunications to link them to the computer.
d. Workstations cannot be used by many users, for different purposes, in different locations, all at the same time.
29. On-line computer systems may be classified according to
a. How information is entered into the system.
b. How it is processed.
c. When the results are available to the user.
d. All of the above.
30. In an on-line/real time processing system
a. Individual transactions are entered at workstations, validated and used to update related computer files immediately.
b. Individual transactions are entered at a workstation, subjected to certain validation checks and added to a transaction file that contains other transactions entered during the period.
c. Individual transactions immediately update a memo file containing information which has been extracted from the most recent version of the master file.
d. The master files are updated by other systems.
31. It combines on-line/real time processing and on-line/batch processing.
a. On-Line/Memo Update (and Subsequent Processing)
b. On-Line Downloading/Uploading Processing
c. On-Line/Inquiry
d. On-Line/Combined Processing
32. It is a communication system that enables computer users to share computer equipment, application software, data and voice and video transmissions.
a. Network
b. File server
c. Host
d. Client
33. A type of network in which multiple buildings are close enough to create a campus, but the space between the buildings is not under the control of the company, is
a. Local Area Network (LAN)
b. Wide Area Network (WAN)
c. Metropolitan Area Network (MAN)
d. World Wide Web (WWW)
34. Which of the following is least likely a characteristic of Wide Area Network (WAN)?
a. Created to connect two or more geographically separated LANs.
b. Typically involves one or more long-distance providers, such as a telephone company to provide the connections.
c. WAN connections tend to be faster than LAN.
d. Usually more expensive than LAN.
35. Gateway is
a. A hardware and software solution that enables communications between two dissimilar networking systems or protocols.
b. A device that forwards frames based on destination addresses.
c. A device that connects and passes packets between two network segments that use the same communication protocol.
d. A device that regenerates and retransmits the signal on a network.
36. A device that works to control the flow of data between two or more network segments
a. Bridge
b. Router
c. Repeater
d. Switch
37. The undesirable characteristics of on-line computer systems least likely include
a. Data are usually subjected to immediate validation checks.
b. Unlimited access of users to all of the functions in a particular application.
c. Possible lack of visible transaction trail.
d. Potential programmer access to the system.
38. Certain general CIS controls that are particularly important to on-line processing least likely include
a. Access controls.
b. System development and maintenance controls.
c. Edit, reasonableness and other validation tests.
d. Use of anti-virus software program.
39. Certain CIS application controls that are particularly important to on-line processing least likely include
a. Pre-processing authorization.
b. Cut-off procedures.
c. Transaction logs.
d. Balancing

40. Risk of fraud or error in on-line systems may be reduced in the following circumstances, except
a. If on-line data entry is performed at or near the point where transactions originate, there is less risk that the transactions will not be recorded.
b. If invalid transactions are corrected and re-entered immediately, there is less risk that such transactions will not be corrected and re-submitted on a timely basis.
c. If data entry is performed on-line by individuals who understand the nature of the transactions involved, the data entry process may be less prone to errors than when it is performed by individuals unfamiliar with the nature of the transactions.
d. On-line access to data and programs through telecommunications may provide greater opportunity for access to data and programs by unauthorized persons.
41. Risk of fraud or error in on-line computer systems may be increased for the following reasons, except
a. If workstations are located throughout the entity, the opportunity for unauthorized use of a workstation and the entry of unauthorized transactions may increase.
b. Workstations may provide the opportunity for unauthorized uses such as modification of previously entered transactions or balances.
c. If on-line processing is interrupted for any reason, for example, due to faulty telecommunications, there may be a greater chance that transactions or files may be lost and that the recovery may not be accurate and complete.
d. If transactions are processed immediately on-line, there is less risk that they will be processed in the wrong accounting period.
42. The following matters are of particular importance to the auditor in an on-line computer system, except
a. Authorization, completeness and accuracy of on-line transactions.
b. Integrity of records and processing, due to on-line access to the system by many users and programmers.
c. Changes in the performance of audit procedures including the use of CAAT's.
d. Cost-benefit ratio of installing on-line computer system.

PAPS 1003 – CIS Environments – Database Systems

43. A collection of data that is shared and used by a number of different users for different purposes.
a. Database
b. Information file
c. Master file
d. Transaction file
44. Which of the following is least likely a characteristic of a database system?
a. Individual applications share the data in the database for different purposes.
b. Separate data files are maintained for each application and similar data used by several applications may be repeated on several different files.
c. A software facility is required to keep track of the location of the data in the database.
d. Coordination is usually performed by a group of individuals whose responsibility is typically referred to as "database administration."
45. Database administration tasks typically include
I. Defining the database structure.
II. Maintaining data integrity, security and completeness.
III. Coordinating computer operations related to the database.
IV. Monitoring system performance.
V. Providing administrative support.
a. All of the above
b. All except I
c. II and V only
d. II, III and V only
46. Due to data sharing, data independence and other characteristics of database systems
a. General CIS controls normally have a greater influence than CIS application controls on database systems.
b. CIS application controls normally have a greater influence than general CIS controls on database systems.
c. General CIS controls normally have an equal influence with CIS application controls on database systems.
d. CIS application controls normally have no influence on database systems.
47. Which statement is incorrect regarding the general CIS controls of particular importance in a database environment?
a. Since data are shared by many users, control may be enhanced when a standard approach is used for developing each new application program and for application program modification.

 
QUIZZERS
1. An internal auditor noted the following points when conducting a preliminary survey in connection with the audit of an EDP department. Which of the following would be considered a safeguard in the control system on which the auditor might rely?
a. Programmers and computer operators correct daily processing problems as they arise.
b. The control group works with user organizations to correct rejected input.
c. New systems are documented as soon as possible after they begin processing live data.
d. The average tenure of employees working in the EDP department is ten months.
2. An on-line access control that checks whether the user’s code number is authorized to initiate a specific type of transaction or inquiry is referred to as
a. Password
b. Limit check
c. Compatibility test
d. Reasonableness test
3. A control procedure that could be used in an on-line system to provide an immediate check on whether an account number has been entered on a terminal accurately is a
a. Compatibility test
b. Hash total
c. Record count
d. Self-checking digit
4. A control designed to catch errors at the point of data entry is
a. Batch total
b. Record count
c. Self-checking digit
d. Checkpoints
5. Program documentation is a control designed primarily to ensure that
a. Programmers have access to the tape library or information on disk files.
b. Programs do not make mathematical errors.
c. Programs are kept up to date and perform as intended.
d. Data have been entered and processed.
6. Some of the more important controls that relate to automated accounting information systems are validity checks, limit checks, field checks, and sign tests. These are classified as
a. Control total validation routines
b. Hash totaling
c. Output controls
d. Input validation routines
7. Most of today’s computer systems have hardware controls that are built in by the computer manufacturer. Common hardware controls are
a. Duplicate circuitry, echo check, and internal header labels
b. Tape file protection, cryptographic protection, and limit checks
c. Duplicate circuitry, echo check, and dual reading
d. Duplicate circuitry, echo check, tape file protection, and internal header labels
8. Computer manufacturers are now installing software programs permanently inside the computer as part of its main memory to provide protection from erasure or loss if there is interrupted electrical power. This concept is known as
a. File integrity
b. Software control
c. Random access memory (RAM)
d. Firmware
9. Which one of the following represents a lack of internal control in a computer-based information system?
a. The design and implementation is performed in accordance with management’s specific authorization.
b. Any and all changes in application programs have the authorization and approval of management.
c. Provisions exist to protect data files from unauthorized access, modification, or destruction.
d. Both computer operators and programmers have unlimited access to the programs and data files.
10. In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a
a. Batch total
b. Hash total
c. Record count
d. Subsequent check
11. An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be
a. Batch total
b. Completeness test
c. Sequence check
d. Reasonableness test
 
12. The reporting of accounting information plays a central role in the regulation of business operations. Preventive controls are an integral part of virtually all accounting processing systems, and much of the information generated by the accounting system is used for preventive control purposes. Which one of the following is not an essential element of a sound preventive control system?
a. Separation of responsibilities for the recording, custodial, and authorization functions.
b. Sound personnel policies.
c. Documentation of policies and procedures.
d. Implementation of state-of-the-art software and hardware.
13. The most critical aspect regarding separation of duties within information systems is between
a. Project leaders and programmers
b. Programmers and computer operators
c. Programmers and systems analysts
d. Data control and file librarians
14. Whether or not a real time program contains adequate controls is most effectively determined by the use of
a. Audit software
b. An integrated test facility
c. A tracing routine
d. A traditional test deck
15. Compatibility tests are sometimes employed to determine whether an acceptable user is allowed to proceed. In order to perform compatibility tests, the system must maintain an access control matrix. The one item that is not part of an access control matrix is a
a. List of all authorized user code numbers and passwords.
b. List of all files maintained on the system.
c. Record of the type of access to which each user is entitled.
d. Limit on the number of transaction inquiries that can be made by each user in a specified time period.
16. Which one of the following input validation routines is not likely to be appropriate in a real time operation?
a. Field check
b. Sign check
c. Sequence check
d. Redundant data check
17. Which of the following controls is a processing control designed to ensure the reliability and accuracy of data processing?
   Limit test   Validity check test
a. Yes          Yes
b. No           No
c. No           Yes
d. Yes          No
18. Which of the following characteristics distinguishes computer processing from manual processing?
a. Computer processing virtually eliminates the occurrence of computational error normally associated with manual processing.
b. Errors or irregularities in computer processing will be detected soon after their occurrences.
c. The potential for systematic error is ordinarily greater in manual processing than in computerized processing.
d. Most computer systems are designed so that transaction trails useful for audit do not exist.
19. Which of the following most likely represents a significant deficiency in the internal control structure?
a. The systems analyst reviews applications of data processing and maintains systems documentation.
b. The systems programmer designs systems for computerized applications and maintains output controls.
c. The control clerk establishes control over data received by the EDP department and reconciles control totals after processing.
d. The accounts payable clerk prepares data for computer processing and enters the data into the computer.
20. Which of the following activities would most likely be performed in the EDP Department?
a. Initiation of changes to master records.
b. Conversion of information to machine-readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing applications.
 
21. For control purposes, which of the following should be organizationally segregated from the computer operations function?
a. Data conversion
b. Surveillance of CRT messages
c. Systems development
d. Minor maintenance according to a schedule
22. Which of the following is not a major reason for maintaining an audit trail for a computer system?
a. Deterrent to irregularities
b. Monitoring purposes
c. Analytical procedures
d. Query answering
23. In an automated payroll system, all employees in the finishing department were paid the rate of P75 per hour when the authorized rate was P70 per hour. Which of the following controls would have been most effective in preventing such an error?
a. Access controls which would restrict the personnel department’s access to the payroll master file data.
b. A review of all authorized pay rate changes by the personnel department.
c. The use of batch control totals by department.
d. A limit test that compares the pay rates per department with the maximum rate for all employees.
24. Which of the following errors would be detected by batch controls?
a. A fictitious employee was added to the processing of the weekly time cards by the computer operator.
b. An employee who worked only 5 hours in the week was paid for 50 hours.
c. The time card for one employee was not processed because it was lost in transit between the payroll department and the data entry function.
d. All of the above.
25. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the
a. Computer operator
b. Keypunch operator
c. Computer programmer
d. Maintenance technician
26. For the accounting system of ACME Company, the amounts of cash disbursements entered into an EDP terminal are transmitted to the computer that immediately transmits the amounts back to the terminal for display on the terminal screen. This display enables the operator to
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursements
d. Prevent the overpayment of the account
27. When EDP programs or files can be accessed from terminals, users should be required to enter a(an)
a. Parity check
b. Personal identification code
c. Self-diagnostic test
d. Echo check
28. The possibility of erasing a large amount of information stored on magnetic tape most likely would be reduced by the use of
a. File protection ring
b. Check digits
c. Completeness tests
d. Conversion verification
29. Which of the following controls most likely would assure that an entity can reconstruct its financial records?
a. Hardware controls are built into the computer by the computer manufacturer.
b. Backup diskettes or tapes of files are stored away from originals.
c. Personnel who are independent of data input perform parallel simulations.
d. System flowcharts provide accurate descriptions of input and output operations.
30. Mill Co. uses a batch processing method to process its sales transactions. Data on Mill’s sales transaction tape are electronically sorted by customer number and are subject to programmed edit checks in preparing its invoices, sales journals, and updated customer account balances. One of the direct outputs of the creation of this tape most likely would be a
a. Report showing exceptions and control totals.
b. Printout of the updated inventory records.
c. Report showing overdue accounts receivable.
d. Printout of the sales price master file

31. Using microcomputers in auditing may affect the methods used to review the work of staff assistants because
a. The audit field work standards for supervision may differ.
b. Documenting the supervisory review may require assistance of consulting services personnel.
c. Supervisory personnel may not have an understanding of the capabilities and limitations of microcomputers.
d. Working paper documentation may not contain readily observable details of calculations.
32. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus?
a. Programmed control procedures
b. Application control procedures
c. Output control procedures
d. General control procedures
33. After the preliminary phase of the review of a client’s EDP controls, an auditor may decide not to perform tests of controls (compliance tests) related to the control procedures within the EDP portion of the client’s internal control structure. Which of the following would not be a valid reason for choosing to omit such tests?
a. The controls duplicate operative controls existing elsewhere in the structure.
b. There appear to be major weaknesses that would preclude reliance on the stated procedure.
c. The time and costs of testing exceed the time and costs in substantive testing if the tests of controls show the controls to be operative.
d. The controls appear adequate.
34. Which of the following client electronic data processing (EDP) systems generally can be audited without examining or directly testing the EDP computer programs of the system?
a. A system that performs relatively uncomplicated processes and produces detailed output.
b. A system that affects a number of essential master files and produces a limited output.
c. A system that updates a few essential master files and produces no printed output other than final balances.
d. A system that performs relatively complicated processing and produces very little detailed output.
35. Computer systems are typically supported by a variety of utility software packages that are important to an auditor because they
a. May enable unauthorized changes to data files if not properly controlled.
b. Are very versatile programs that can be used on hardware of many manufacturers.
c. May be significant components of a client’s application programs.
d. Are written specifically to enable auditors to extract and sort data.
36. To obtain evidence that online access controls are properly functioning, an auditor most likely would
a. Create checkpoints at periodic intervals after live data processing to test for unauthorized use of the system.
b. Examine the transaction log to discover whether any transactions were lost or entered twice due to a system malfunction.
c. Enter invalid identification numbers or passwords to ascertain whether the system rejects them.
d. Vouch a random sample of processed transactions to assure proper authorization.
37. Which of the following statements most likely represents a disadvantage for an entity that keeps microcomputer-prepared data files rather than manually prepared files?
a. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
b. It is usually easier for unauthorized persons to access and alter the files.
c. Random error associated with processing similar transactions in different ways is usually greater.
d. It is usually more difficult to compare recorded accountability with physical count of assets.
38. An auditor would least likely use computer software to
a. Access client data files
b. Prepare spreadsheets
c. Assess EDP controls
d. Construct parallel simulations
 
39. A primary advantage of using generalized audit software packages to audit the financial statements of a client that uses an EDP system is that the auditor may
a. Consider increasing the use of substantive tests of transactions in place of analytical procedures.
b. Substantiate the accuracy of data through self-checking digits and hash totals.
c. Reduce the level of required tests of controls to a relatively small amount.
d. Access information stored on computer files while having a limited understanding of the client’s hardware and software features.
40. Auditors often make use of computer programs that perform routine processing functions such as sorting and merging. These programs are made available by electronic data processing companies and others and are specifically referred to as
a. Compiler programs
b. Supervisory programs
c. Utility programs
d. User programs
41. Smith Corporation has numerous customers. A customer file is kept on disk storage. Each customer file contains name, address, credit limit, and account balance. The auditor wishes to test this file to determine whether the credit limits are being exceeded. The best procedure for the auditor to follow would be to
a. Develop test data that would cause some account balances to exceed the credit limit and determine if the system properly detects such situations.
b. Develop a program to compare credit limits with account balances and print out the details of any account with a balance exceeding its credit limit.
c. Request a printout of all account balances so they can be manually checked against the credit limits.
d. Request a printout of a sample of account balances so they can be individually checked against the credit limits.
42. The use of generalized audit software package
a. Relieves an auditor of the typical tasks of investigating exceptions, verifying sources of information, and evaluating reports.
b. Is a major aid in retrieving information from computerized files.
c. Overcomes the need for an auditor to learn much about computers.
d. Is a form of auditing around the computer.
43. An auditor used test data to verify the existence of controls in a certain computer program. Even though the program performed well on the test, the auditor may still have a concern that
a. The program tested is the same one used in the regular production runs.
b. Generalized audit software may have been a better tool to use.
c. Data entry procedures may change and render the test useless.
d. The test data will not be relevant in subsequent audit periods.
44. An auditor most likely would introduce test data into a computerized payroll system to test internal controls related to the
a. Existence of unclaimed payroll checks held by supervisors.
b. Early cashing of payroll checks by employees.
c. Discovery of invalid employee I.D. numbers.
d. Proper approval of overtime by supervisors.
45. When an auditor tests a computerized accounting system, which of the following is true of the test data approach?
a. Test data must consist of all possible valid and invalid conditions.
b. The program tested is different from the program used throughout the year by the client.
c. Several transactions of each type must be tested.
d. Test data are processed by the client’s computer programs under the auditor’s control.
46. Which of the following statements is not true to the test data approach when testing a computerized accounting system?
a. The test need consist of only those valid and invalid conditions which interest the auditor.
b. Only one transaction of each type need be tested.
c. The test data must consist of all possible valid and invalid conditions.
d. Test data are processed by the client’s computer programs under the auditor’s control.
47. Which of the following is not among the errors that an auditor might include in the test data when auditing a client’s EDP system?
a. Numeric characters in alphanumeric fields.
b. Authorized code.
c. Differences in description of units of measure.
d. Illogical entries in fields whose logic is tested by programmed consistency checks.
48. An auditor who is testing EDP controls in a payroll system would most likely use test data that contain conditions such as
a. Deductions not authorized by employees.
b. Overtime not approved by supervisors.
c. Time tickets with invalid job numbers.
d. Payroll checks with unauthorized signatures.
49. Auditing by testing the input and output of an EDP system instead of the computer program itself will
a. Not detect program errors which do not show up in the output sampled.
b. Detect all program errors, regardless of the nature of the output.
c. Provide the auditor with the same type of evidence.
d. Not provide the auditor with confidence in the results of the auditing procedures.
50. Which of the following computer-assisted auditing techniques allows fictitious and real transactions to be processed together without client operating personnel being aware of the testing process?
a. Integrated test facility
b. Input controls matrix
c. Parallel simulation
d. Data entry monitor
51. Which of the following methods of testing application controls utilizes a generalized audit software package prepared by the auditors?
a. Parallel simulation
b. Integrated testing facility approach
c. Test data approach
d. Exception report tests
52. Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately because
a. Errors in some transactions may cause rejection of other transactions in the batch.
b. The identification of errors in input data typically is not part of the program.
c. There are time delays in processing transactions in a batch system.
d. The processing of transactions in a batch system is not uniform.
53. Which of the following is not a characteristic of a batch processed computer system?
a. The collection of like transactions which are sorted and processed sequentially against a master file.
b. Keypunching of transactions, followed by machine processing.
c. The production of numerous printouts.
d. The posting of a transaction, as it occurs, to several files, without immediate printouts.
54. Where disk files are used, the grandfather-father-son updating backup concept is relatively difficult to implement because the
a. Location of information points on disks is an extremely time consuming task.
b. Magnetic fields and other environmental factors cause off-site storage to be impractical.
c. Information must be dumped in the form of hard copy if it is to be reviewed before used in updating.
d. Process of updating old records is destructive.
55. An auditor would most likely be concerned with which of the following controls in a distributed data processing system?
a. Hardware controls
b. Systems documentation controls
c. Access controls
d. Disaster recovery controls
56. If a control total were computed on each of the following data items, which would best be identified as a hash total for a payroll EDP application?
a. Total debits and total credits
b. Net pay
c. Department numbers
d. Hours worked
57. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group?
a. Parity check
b. Validity check
c. Echo check
d. Limit check
 
58. A control feature in an electronic data processing system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of hardware control is referred to as
a. Echo check
b. Validity control
c. Signal control
d. Check digit control
59. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to the total number of checks printed by the computer.
b. An algebraically determined number produced by the other digits of the employee number.
c. A logic test that ensures all employee numbers are nine digits.
d. A limit check that an employee’s hours do not exceed 50 hours per work week.
60. In a computerized system, procedure or problem-oriented language is converted to machine language through a(an)
a. Interpreter
b. Verifier
c. Compiler
d. Converter
61. A customer erroneously ordered Item No. 86321 rather than item No. 83621. When this order is processed, the vendor’s EDP department would identify the error with what type of control?
a. Key verifying
b. Self-checking digit
c. Batch total
d. Item inspection
62. The computer process whereby data processing is performed concurrently with a particular activity and the results are available soon enough to influence the course of action being taken or the decision being made is called:
a. Random access sampling
b. Integrated data processing
c. On-line, real-time system
d. Batch processing system
63. Internal control is ineffective when computer department personnel
a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master file.
d. Provide physical security for program files.
64. Test data, integrated test data and parallel simulation each require an auditor to prepare data and computer programs. CPAs who lack either the technical expertise or time to prepare programs should request from the manufacturers or EDP consultants for
a. The program Code
b. Flowchart checks
c. Generalized audit software
d. Application controls
65. Which of the following best describes a fundamental control weakness often associated with electronic data processing system?
a. EDP equipment is more subject to system error than manual processing is subject to human error.
b. Monitoring is not an adequate substitute for the use of test data.
c. EDP equipment processes and records similar transactions in a similar manner.
d. Functions that would normally be separated in a manual system are combined in the EDP system like the function of programmers and operators.
66. Which of the following tasks could not be performed when using a generalized audit software package?
a. Selecting inventory items for observations.
b. Physical count of inventories.
c. Comparison of inventory test counts with perpetual records.
d. Summarizing inventory turnover statistics for obsolescence analysis.
67. All of the following are “auditing through the computer” techniques except
a. Reviewing source code
b. Test-decking
c. Automated tracking and mapping
d. Integrated test facility
68. The output of a parallel simulation should always be
a. Printed on a report.
b. Compared with actual results manually.
c. Compared with actual results using a comparison program.
d. Reconciled to actual processing output.
 
69. Generalized audit software is a computer-assisted audit technique. It is one of the widely used techniques for auditing computer application systems. Generalized audit software is most often used to
a. Verify computer processing.
b. Process data fields under the control of the operation manager.
c. Independently analyze data files.
d. Both a and b.
70. From an audit viewpoint, which of the following represents a potential disadvantage associated with the widespread use of microcomputers?
a. Their portability.
b. Their ease of access by novice users.
c. Their easily developed programs using spreadsheets which do not have to be documented.
d. All of the above.
71. Which of the following functions would have the least effect on an audit if it was not properly segregated?
a. The systems analyst and the programmer functions.
b. The computer operator and programmer functions.
c. The computer operator and the user functions.
d. The applications programmer and the systems programmer.
72. To obtain evidence that user identification and password control procedures are functioning as designed, an auditor would most likely
a. Attempt to sign on to the system using invalid user identifications and passwords.
b. Write a computer program that simulates the logic of the client’s access control software.
c. Extract a random sample of processed transactions and ensure that the transactions were appropriately authorized.
d. Examine statements signed by employees stating that they have not divulged their user identifications and passwords to any other person.
SUGGESTED ANSWERS
1. D  2. D  3. D  4. D  5. D  6. D  7. D  8. D  9. A  10. D
11. B  12. B  13. A  14. D  15. A  16. D  17. D  18. A  19. B  20. A
21. D  22. B  23. A  24. A  25. D  26. C  27. A  28. D  29. D  30. A
31. A  32. A  33. C  34. C  35. A  36. B  37. A  38. C  39. C  40. D
41. D  42. D  43. A  44. B  45. A  46. A  47. B  48. B  49. D  50. D
51. A  52. D  53. D  54. D  55. D  56. D  57. D  58. D  59. D  60. D
61. D  62. A  63. C

QUIZZERS
1. B  2. C  3. D  4. C  5. C  6. D  7. C  8. D  9. D  10. B
11. B  12. D  13. B  14. B  15. D  16. C  17. A  18. A  19. B  20. B
21. C  22. C  23. D  24. D  25. A  26. B  27. B  28. A  29. B  30. A
31. D  32. D  33. D  34. A  35. A  36. C  37. B  38. C  39. D  40. C
41. B  42. B  43. A  44. C  45. D  46. C  47. A  48. C  49. A  50. A
51. A  52. C  53. D  54. D  55. C  56. C  57. B  58. A  59. B  60. C
61. B  62. C  63. C  64. C  65. D  66. B  67. A  68. B  69. C  70. B
71. D  72. A
- end of AT-5916

CIS Auditing
IS Auditing Objectives

Understanding the CIS environment

The effect of computerization in general and on internal controls

Types of general & application controls used in CIS processes

The audit process in a CIS environment


To know the techniques of auditing using CAATs

UNDERSTANDING THE CIS ENVIRONMENT 1

This first part outlines the following:

• The CIS Environment
• Risk Assessment of the CIS Environment
• The CIS and Accounting System – characteristics of application systems vs manual processes

CIS Environment

CIS audit diagram

• Identify the computerized environment.
• Extent of computerization in the organization.
• The pervasiveness of computerization.
• CIS as part of the organizational infrastructure.
• Importance of the CIS in the organization.
• Management’s view of the CIS environment.

Analyzing the CIS Environment

Risk Assessment of the CIS Environment

• Identify the business processes, criticality.
• The automation of business processes.
• To identify where there should be control points.
• To analyze processes against internal control.
• Effectiveness of internal control.
• Benefits of internal control.
• Efficiency of operations.

Risk Management Overview

Risk management is the process of ensuring that the impact of threats exploiting vulnerabilities is
within acceptable limits at an acceptable cost. At a high level, this is accomplished by balancing
risk exposure against mitigation costs and implementing appropriate countermeasures and
controls.

Extracted from CISM Review Course, 2005

Risk is a feature of business life and since it is impractical and uneconomical to eliminate all
risks, every organization has a level of risk it will accept.

Faced with risk, organizations have four strategic choices:

• Terminate the activity giving rise to risk
• Transfer risk to another party
• Reduce risk by using appropriate control measures or mechanisms
• Accept the risk

Risk Analysis Framework

Risk Management Process – main elements

– Establish context
– Identify risks
– Analyze risks
– Evaluate risks
– Treat risks
– Monitor and Review
– Communicate and consult

Understanding the CIS Environment

CIS, Financial Management Systems or Integrated Accounting Systems

• What CIS application systems are available.
• How management utilizes CIS.
• On a daily or monthly basis, for decision-making.
• For financial reporting, performance measurement.
• Effectiveness of the various application systems’ integration.

Characteristics of computerized accounting system

[Diagram: Financial Management Systems (Monitoring, Controlling, Reporting & Decision Making), with the labels Sales, Purchasing, Inventory; Marketing; Acc Payable; Acc Receivable; Bad Debts; Depreciation; P&L]

Understanding the CIS Environment

CIS Processing – operational source of data, e.g. transaction records, customer records, inventory records,

• Recording of transactions and records
• Processing of such records
• Producing documents such as invoices, receipts
• Recording financial data
• Reporting status of transactions and records

CIS Processing – results of operations or administrative accounting in accordance with accounting policies and procedures

• Lack of physical documentation, source records for transactions (audit trail)
• Lack of evidence on supervisory check / verification processes
• Issues in storage and retrieval of transactional records
• Changes in processing, storage and communication of financial data

THE EFFECT OF CIS IN GENERAL AND ITS IMPACT ON INTERNAL CONTROL 2

Understanding the CIS Environment

This second part outlines the following:

• Internal Control
• The Internal Control Environment
• Impact of CIS on Internal Control

Internal Control

DEFINITION

Internal control is a company’s system, defined and implemented under its responsibility.

It comprises a set of resources, patterns of conduct, procedures and actions adapted to the individual characteristics of each company which:

• contributes to the control over its activities, to the efficiency of its operations and to the efficient utilization of its resources, and
• enables it to take into consideration, in an appropriate manner, all major risks, be they operational, financial or compliance.

COSO1 defines internal control as: “A process, effected by an organization’s board of directors,
management, and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:

• Effectiveness and efficiency of operations.

• Reliability of financial reporting.

• Compliance with applicable laws and regulations.”


Internal control is a company’s system, defined and implemented under its responsibility, which aims to ensure that:

• Laws and regulations are complied with;
• The instructions and directional guidelines fixed by Executive Management or the Management Board are applied;
• The company’s internal processes are functioning correctly, particularly those implicating the security of its assets;
• Financial information is reliable;

and generally, contributes to the control over its activities, to the efficiency of its operations and to the efficient utilisation of its resources.

Internal Control Framework: IIA Website

COSO Internal Control Integrated Network

Internal Control Components

• An organisation comprising a clear definition of responsibilities, with suitable resources and competencies and supported by appropriate procedures, information systems, tools and practices;

• The in-house dissemination of relevant and reliable information, the awareness of which enables everyone to exercise their responsibilities;

• A system for identifying and analysing the main identifiable risks in relation to the company’s objectives and for ensuring that procedures exist for managing those risks;

Risk identification

• The company identifies the main identifiable risks, both internal and external, which could have an impact on the likelihood of it meeting the objectives it has fixed for itself. This identification process, which is on-going, should cover those risks which could have a significant impact on its situation.

Risk analysis

• This involves taking into consideration the likelihood of the risks occurring and their potential seriousness, as well as considering the environment and existing control measures. These different elements are not static; on the contrary, they form part of the risk management process.

Risk management procedures

• Executive Management or the Management Board, supported by a risk management function, if there is one, should define risk management procedures.

• Control activities proportionate to the implications of each individual process and designed to reduce the risks that could affect the company’s ability to achieve its objectives;

Nature of Control vs Impact

• On-going monitoring of the internal control system together with a regular review of the way it is operating.

COSO Monitoring Process

• Another useful complement to the monitoring tools can be to keep an active watch on internal control best practices.
• Monitoring, together with the best practices watch, culminate, where required, in the implementation of corrective actions and adjustments to the internal control system.
• Executive Management or the Management Board should assess the parameters for informing the Board of the main results of the monitoring and reviews thus performed.

Interrelationships of CobiT

Controls in CIS Environment

Impact on Internal Control environment

An example of the impact of internal control in a CIS would be the application of IT controls.

IT Control Components

The audit process provides a formal structure for addressing IT controls within the overall
system of internal controls. Figure 1, The Structure of IT Auditing, below, divides the assessment
into a logical series of steps.

The internal auditor’s role in IT controls begins with a sound conceptual understanding and
culminates in providing the results of risk and control assessments.

Internal auditors interact with the people responsible for controls and must pursue continuous
learning and reassessment as new technologies emerge and the organization’s opportunities,
uses, dependencies, strategies, risks, and requirements change.

Assessing IT Controls GTAG1

IT Control Components

IT controls encompass those processes that provide assurance for information and information
services and help mitigate the risks associated with an organization’s use of technology.
These controls range from written corporate policies to their implementation within coded
instructions; from physical access protection to the ability to trace actions and transactions to the
individuals who are responsible for them; and from automatic edits to reasonability analysis for
large bodies of data.

IT Controls

BUSINESS AND IT CONTROLS

The enterprise’s system of internal controls impacts IT at three levels:

• At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the enterprise strategy. The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.

• At the business process level, controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorisation for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls.

• To support the business processes, IT provides IT services, usually in a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could jeopardise (accidentally or deliberately) the reliability of automated integrity checks.



TYPES OF CONTROL IN A CIS ENVIRONMENT 3

Understanding the CIS Environment

This third part outlines the following:

• Types of Control in CIS Environment
• General Controls
• Application Controls

Controls in CIS Environment

In a CIS environment, there are generally 2 categories of controls: General CIS Environmental Controls and Application System Controls.

The first category addresses the computerized environment as a whole; the second consists of specific controls that address the different business applications in such an environment.

General Controls in CIS Environment

These are usually defined as:

• Data Centre or Computer Operations controls
• System Development controls
• System Security controls (access security)
• General Application System / Software controls; acquisition, development and maintenance

The objective is to ensure Confidentiality, Integrity and Availability of information.

General Controls in CIS Environment

Data Centre or Computer Operation Controls

These are primarily controls over data processing and its security. They relate to the security of the data centre, batch processing of data, backups and custody of storage media. It is also important that such an environment is not accessed by unauthorized persons such as programmers and hackers, as this could compromise data integrity.

Software Development Controls

These are controls that ensure all program changes are duly authorized.  Unauthorized changes
can be due to attempts to defraud by exempting accounts from being processed or processed in
an improper manner, inconsistent with authorized policies and procedures.

System Security Controls (Access Security)


These are controls that provide privileges or rights of access to specific individuals or groups of persons in accordance with their tasks and job functions. Improper assignment of such access rights can result in unauthorized access to data and other information and resources.

System Security Controls (Access Security)

Access Security Control

These include physical protection of computer equipment, software and data, and also protection against loss of assets and information through theft and unauthorised use. For example, computers and equipment are kept in a special room or separate building, and access to the room or building is limited to authorised personnel only. This also includes recovery procedures for lost data. Example: Financial Institutions.

Application Software Development, Acquisition and Maintenance Controls

These are controls that ensure any software acquired meets specific standards for integration and installation into the current systems. Any non-compliance may result in incompatible software being acquired or in failure of integration.

Application system acquisition, development and maintenance controls

Application system; for example an accounting system for reporting and decision-making.

Controls over these are critical for ensuring the reliability of information processing. It might be better to involve internal and external auditors at an early stage of system design, to ensure that proper controls are incorporated into the system.

These are usually defined as:

• Controls over input – source or primary data
• Controls over processing – processing data and updating masterfiles.
• Control over output – results of processing or updating, e.g. change in total, balances, transactions.

The objective is to ensure or preserve data integrity.

Input Controls

These are usually controls over source documents and can be in both physical and virtual forms. Physical controls would take the form of restricted access or custody and serially pre-numbered, controlled items. Virtual controls can be that, upon keying in, the system assigns unique identification codes, transaction codes, etc.

To ensure the following:

• Transactions are properly authorised before being processed by the computer.
• Transactions are accurately converted into machine-readable form and recorded in the computer data files.
• Transactions are not lost, added, duplicated or modified.
• Incorrect transactions are rejected, corrected and resubmitted.

Processing Controls

These controls take the form of, e.g., batch numbers, control totals, hash totals, hash counts, and system-assigned prefixes or suffixes to transaction numbers. These controls will ensure that there are no unauthorized or fraudulent transactions ‘inserted’ in the output or transaction listings.

Control over processing and computer data files

• To ensure that all transactions keyed in are being processed by the computer and data files are properly stored and secured.
• Processing errors are identified and corrected on a timely basis.

Output Controls

These are similar to processing controls but they are for output purposes, to ensure accuracy and reliability of the data generated. The output reports, listings or output files generated will carry similar processing checks in the form of control totals, hash counts, suffixes and integrity identifier codes.

Designed to provide reasonable assurance that:

• Results of processing are accurate
• Access to output is restricted to authorised personnel
• Output is provided to appropriate authorised personnel on a timely basis
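
The batch checks named under Processing Controls and Output Controls above (record counts, control totals, hash totals and system-assigned sequence numbers), worked through as an added example that is not part of the original lecture notes. The record layout, function names and sample payroll batch are constructed for illustration; the hash total here is the sum of employee numbers.

```python
"""Batch control verification: record count, control total, hash total, sequence check.

Added illustration. Record layout, names and sample data are constructed.
"""
from collections import Counter
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    seq: int          # system-assigned sequence number within the batch
    employee_no: int  # non-financial field, summed only for the hash total
    amount: Decimal   # net pay


@dataclass(frozen=True)
class BatchHeader:
    batch_no: str
    record_count: int
    control_total: Decimal  # meaningful total: sum of the amounts
    hash_total: int         # otherwise meaningless total: sum of employee numbers


def build_header(batch_no, txns):
    """Totals computed by the submitting department before processing."""
    return BatchHeader(
        batch_no=batch_no,
        record_count=len(txns),
        control_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(t.employee_no for t in txns),
    )


def verify_batch(header, processed):
    """Recompute every total on the processed records; return (code, detail) findings."""
    findings = []
    if len(processed) != header.record_count:
        findings.append(("RECORD_COUNT",
                         f"{len(processed)} processed, {header.record_count} submitted"))
    total = sum((t.amount for t in processed), Decimal("0"))
    if total != header.control_total:
        findings.append(("CONTROL_TOTAL",
                         f"{total} processed, {header.control_total} submitted"))
    hashed = sum(t.employee_no for t in processed)
    if hashed != header.hash_total:
        findings.append(("HASH_TOTAL",
                         f"{hashed} processed, {header.hash_total} submitted"))
    # Sequence numbers 1..record_count must each appear exactly once.
    seen = Counter(t.seq for t in processed)
    expected = set(range(1, header.record_count + 1))
    for code, seqs in (
        ("DUPLICATE_SEQ", [s for s, n in seen.items() if n > 1]),
        ("MISSING_SEQ", expected - set(seen)),
        ("UNEXPECTED_SEQ", set(seen) - expected),
    ):
        if seqs:
            findings.append((code, f"sequence numbers {sorted(seqs)}"))
    return findings


def finding_codes(header, processed):
    """Just the exception codes, in the order the checks run."""
    return [code for code, _ in verify_batch(header, processed)]


# Constructed sample payroll batch as submitted, and its header totals.
SUBMITTED = [
    Txn(1, 10234, Decimal("1250.00")),
    Txn(2, 10871, Decimal("980.50")),
    Txn(3, 11402, Decimal("1430.75")),
    Txn(4, 12066, Decimal("1105.25")),
]
HEADER = build_header("PAY-0001", SUBMITTED)

# Constructed variants of what might come out of processing.
INSERTED = SUBMITTED + [Txn(5, 19999, Decimal("2000.00"))]   # extra record
LOST = SUBMITTED[:2] + SUBMITTED[3:]                          # record 3 dropped
DUPLICATED = SUBMITTED + [SUBMITTED[1]]                       # record 2 processed twice
PAYEE_CHANGED = [replace(SUBMITTED[0], employee_no=19999)] + SUBMITTED[1:]

if __name__ == "__main__":
    for label, batch in (("as submitted", SUBMITTED), ("inserted", INSERTED),
                         ("lost", LOST), ("duplicated", DUPLICATED),
                         ("payee changed", PAYEE_CHANGED)):
        print(f"{label}: {verify_batch(HEADER, batch) or 'no exceptions'}")
```

In the payee-changed batch the record count and the control total still agree with the header, so the hash total is the only check that raises an exception.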
Issuing of Purchase Requisition to Accepting the Purchase Invoice

– Segregation of duties between the user department ordering the goods, the goods received department, the procurement department and the accounts department.

– Before issuing the purchase order, the buying department should check that the user department is authorised to purchase the goods that have been requested.

– Goods are only purchased from authorised suppliers. If it is a new supplier, validation of that supplier should be done before the order.

– There must be a check, independent from the buying department, on the quality, price and service of the supplier.

– The purchase order should be keyed into the computer by the procurement department and sent to the supplier, user department and accounts department.

– The accounts department, upon receipt of the purchase invoice, matches it with the purchase order.

– The user department checks the goods against requisitions and specifications.

Business, General & Application Controls

Application Controls Versus IT General Controls

• It is important to understand the relationship and difference between application controls and Information Technology General Controls (ITGCs).

• Otherwise, an application control review may not be scoped appropriately, thereby impacting the quality of the audit and its coverage.

• ITGCs apply to all systems components, processes, and data present in an organization or systems environment.

• The objectives of these controls are to ensure the appropriate development and implementation of applications, as well as the integrity of program and data files and of computer operations.

Information Technology General Controls

The most common ITGCs are:

• Logical access controls over infrastructure, applications, and data.
• System development life cycle controls.
• Program change management controls.
• Physical security controls over the data center.
• System and data backup and recovery controls.
• Computer operation controls.

Difference

 Because application controls relate to the transactions and data pertaining to each
computer-based application system, they are specific to each individual application.

 The objectives of application controls are to ensure the completeness and accuracy of
records, as well as the validity of the entries made to each record, as the result of program
processing.

 In other words, application controls are specific to a given application, whereas ITGCs
are not.

Nature of Application Controls

• Cost effective and efficient means to manage risk

• Reliant on the effectiveness of the IT general control environment

• Approach varies for complex versus non-complex environments

Benefits of Application Controls

 Reliability

–        Reduces likelihood of errors due to manual intervention

 Benchmarking

–        Reliance on IT general controls can lead to concluding the application controls are
effective year to year without re-testing

 Time and cost savings

–        Typically application controls take less time to test and only require testing once as long as
the IT general controls are effective

Sample Detailed Review Program

 Suggested tests
–        Test input controls to ensure transactions are added into and accepted by the application,
processed only once and have no duplications

–        Test processing controls to ensure transactions are accepted by the application, processed
with valid logic, carried through all phases of processing and updated to the correct data files

Conclusion

 Application controls are a cost effective and efficient means to manage risk.

 Internal auditors should determine that their organization’s application controls are
designed appropriately and operating effectively.

 Consider benchmarking as a way to further reduce the testing effort

4 v 2 Lecture Objectives

Understanding the CIS environment

The effect of computerization in general and on internal controls

Types of general & application controls used in CIS processes

The audit process in a CIS environment

To know the techniques of auditing using CAATs

AUDITING IN A CIS ENVIRONMENT 4

This fourth part outlines the following:

• How the CIS environment affects auditing
• Auditor’s skill and competency
• Risk assessment
• Audit planning
• Audit procedures

AUDIT APPROACH

Auditing usually takes place after the risk analysis or evaluation and the implementation of internal controls.

The purpose is to ensure that all risks are adequately addressed and that shortcomings and weaknesses are duly reported on a continuous basis.

Identified and understood the environment.


What are the risks and controls in such an environment?

What are the specific application controls in such an environment?

To review such risks and controls and plan an audit.

Auditing in CIS environment

• The auditor needs to consider how the CIS environment affects the audit. The overall audit objective and scope do not change, but the use of CIS has changed the processing, storage and communication of financial information and may also affect the internal control of an entity.
• CIS may affect the audit process in the following areas:

– Skill and competence

– Planning

– Risk assessment, i.e. assessment of inherent risk and control risk

– Audit procedures

• Procedures for obtaining an understanding of accounting and internal control, i.e. audit around the computer.
• Performing tests of control and substantive tests, i.e. audit through the computer.

AUDIT SKILL & COMPETENCY

Skill and Competence

• The auditor should have sufficient knowledge of CIS to plan, direct, supervise and review the work performed. The auditor needs to:

1. Obtain a sufficient understanding of the accounting and internal control affected by the CIS environment.
2. Determine the effect of CIS on the procedures to assess the audit risk.
3. Be able to design and perform appropriate tests of control and substantive tests.
4. Seek the assistance of an expert, if required.

 In addition, according to The IIA’s International Standards for the Professional Practice
of Internal Auditing (Standards) —specifically Standards 1220 and 1210.A3 — internal
auditors need to apply the care and skill of a reasonably prudent and competent auditor,
as well as have the necessary knowledge of key IT risks, controls, and audit techniques to
perform their assigned work, although not all internal auditors are expected to have the
expertise of an auditor whose primary responsibility is IT.
Design of Controls

 Another valuable service internal auditors can provide during a new system
implementation or significant upgrade is an extension of the independent risk assessment.
 More specifically, auditors can assist management with the design of controls to mitigate
the risks identified during the risk assessment. The internal auditors assigned to this
activity should be a part of the implementation team, not an adjunct.
 Therefore, the tasks, time, and number of internal audit resources required for the design
of application controls need to be built into the overall project plan.

Controls Testing

 If the implementation team has designed and deployed controls based on the risk
assessment, or without the benefit of one, internal auditors can provide value by
independently testing the application controls.
 This test should determine if the controls are designed adequately and will operate
effectively once the application is deployed. If any of the controls are designed
inadequately or do not operate effectively, auditors should present this information along
with any recommendations to management to prevent the presence of unmanaged risks
when the application is fully deployed.

Application Reviews

 Transactional and support applications require control reviews from time to time based
on their significance to the overall control environment. The frequency, scope, and depth
of these reviews should vary based on the application’s type and impact on financial
reporting, regulatory compliance, or operational requirements, and the organization’s
reliance on the controls within the application for risk management purposes.

AUDIT RISK ASSESSMENT

Assess Risk

 The auditor should use risk assessment techniques to identify critical vulnerabilities
pertaining to the organization’s reporting, and operational and compliance requirements
when developing the risk assessment review plan.

These techniques include:

• The review’s nature, timing, and extent.

• The critical business functions supported by application controls.

• The extent of time and resources to be expended on the review.

In addition, auditors should ask four key questions when determining the review’s appropriate scope:

1. What are the biggest organization-wide risks and main audit committee concerns that need to be assessed and managed while taking management views into account?

2. Which business processes are impacted by these risks?

3. Which systems are used to perform these processes?

4. Where are processes performed?

 When identifying risks, auditors may find it useful to employ a top-down risk assessment
to determine which applications to include as part of the control review and what tests
need to be performed.
 For instance, Figure 1 outlines an effective methodology for identifying financial
reporting risks and the scope of the review. Please note this illustration does not represent
the only way to conduct all types of risk assessment.

Risk Assessment

The nature of the risk in a CIS environment includes:

• Lack of transaction trail. The audit trail may be available only for a short period, or not in computer-readable form. If transactions are complex and high in volume, errors may be embedded in the application’s program logic and be difficult to detect on a timely basis.

• Lack of segregation of duties. Many control procedures that are performed by separate individuals in manual systems may not be performed separately in CIS.

• Potential for errors and irregularities. The potential for human error, and for that error going undetected, may be greater in CIS. The potential for unauthorised access to data without visible evidence may also be greater in CIS than in a manual system. Furthermore, decreased human involvement in handling transactions in CIS can reduce “check and balance” activities, which may cause errors to go undetected.

• Initiation or execution of transactions. CIS may have the capability to execute transactions automatically, for example the calculation of depreciation. The authorization for such a transaction is not available.

• Lack of visible output. Certain transactions or results may not be printed. Thus, the lack of visible output may result in the need to access data retained on files readable only by computer.

• Ease of access to data and computer programs. Data and computer programs can be accessed and altered at the computer or from a remote location. Therefore, the auditor should review the appropriate control measures to prevent unauthorised access to and alteration of the data.

What can go wrong?

Availability, security, integrity, confidentiality, effectiveness and efficiency

• Type of risks

– Pervasive: impact the enterprise as a whole

– Specific risks

• Consider three dimensions

– Each company will have a unique risk profile

– IT-related risk is not static, but changing dynamically

– Proliferation: when evaluating IT-related risk, keep in mind its additive nature

• Consider impact and likelihood
• Traditional risk assessment process may not be suitable for IT risk assessment
• IT risk assessment process should

– Be performed in depth every year, not just an update of the prior year.

– Consider all the layers of the IT environment.

– Consider both static and dynamic risks.

– Not be strictly based on interviews, but use other discovery techniques.

– Be supplemented with the appropriate level of analysis after discovery.

– Be performed by the appropriate personnel.

AUDIT PLANNING

 After completing the risk evaluation and determining the scope of the review, auditors
need to focus on the development and communication of the detailed review plan. The
first step in developing the detailed review plan is to create a planning memorandum that
lists the following application control review components:

• All review procedures to be performed.


• Any computer-assisted tools, techniques used & how they are used.

• Sample sizes, if applicable.

• Review items to be selected.

• Timing of the review.

 When preparing the memorandum, all of the required internal audit resources need to be
included on the planning team. This is also the time when IT specialists need to be
identified and included as part of the planning process.
 After completing the planning memorandum, the auditor needs to prepare a detailed
review program. When preparing the review program, a meeting should be held with
management to discuss:

• Management’s concerns regarding risks.

• Previously reported issues.

• Internal auditing’s risk and control assessment.

• A summary of the review’s methodology.

• The review’s scope.

• How concerns will be communicated.

Planning

In planning, the auditor should obtain an understanding of the significance and complexity of CIS activities and the availability of data for use in the audit. The understanding includes:

1. The volume of transactions, which would make it difficult for users to identify and correct errors.

2. The computer automatically generates transactions directly from or to another application. Example: inventory information automatically generated from the production department.

3. The computer performs complicated computations of financial information.

4. Transactions are exchanged electronically with other organizations.

5. The organization structure of the entity may also have changed. For example: the IT department as part of the structure and responsible for the control application of CIS as a whole.

6. The availability of data such as source documents, computer data files and other evidential matter that may be required by the auditor.

7. The assessment of risk. The auditor should obtain an understanding of how the CIS environment may influence the assessment of inherent and control risk.

8. The potential for use of CAATs. The case of processing large quantities of data using computers may provide the auditor with the opportunity to apply general or specialized CAATs in the execution of audit tests.

AUDIT PROCEDURES

Business Process Method

 In the previous chapter, the business process method was identified as being the most
widely used for application control review scoping. In today’s world, many transactional
applications are integrated into an ERP system. Because business transactions that flow
through these ERP systems can touch several modules along their life cycle, the best way
to perform the review is to use a business process or cycle approach (i.e., identifying the
transactions that either create, change, or delete data within a business process and, at a
minimum, testing the associated input, processing, and output application controls).

Documentation Techniques

 In addition to the documentation standards used by internal auditors, the following are
suggested approaches for documenting each application control.

Flowcharts

 Flowcharts are one of the most effective techniques used to capture the flow of
transactions, associated application and manual controls used within an end-to-end
business process, because they illustrate transaction flows.

Process Narratives

• Process narratives are another technique available to document business process transaction flows with their associated applications & best used as a documentation tool for relatively non-complex business processes and IT environments.

Audit procedures

The auditor’s specific objectives do not change whether the accounting data is processed manually or by the computer. However, the method of applying audit procedures to gather evidence may be different. The auditor may perform audit procedures manually, use CAATs, or use a combination of both.

Auditing around the computer

The auditor does not examine the computer processing but performs procedures to obtain an understanding of accounting and internal control:

• Emphasis on ensuring the completeness, accuracy and validity of information by comparing the output reports with the input documents

• To ensure the effectiveness of input controls and output controls

• To ensure the adequacy of segregation of duties

Auditing through the computer

– The auditor performs tests of control and substantive tests. For example, “test data” enables the auditor to examine the computer processing and internal control of the client’s CIS.

– The auditor may use CAATs in these procedures. CAATs help the auditor in organizing, analyzing and extracting computerized data and re-performing computations and other processing.

Executing IT Auditing

 Normal Audit process

 Consider IT audit by using frameworks and standards, such as

–        COSO, CoBIT, ISO27001/17799…


COMPUTER AS AN AUDIT TOOL AND COMPUTER-ASSISTED AUDIT TECHNIQUES 5
Understanding the CIS Environment

This part outlines the following:

• The use of the computer as an audit tool
• Audit software purpose
• Factors to consider upon choosing one
• Audit software: off-the-shelf or development of such software?
• Using Audit software

The use of computer as an Audit Tool

Auditors take laptops to the client’s premises for use as an audit tool to perform various audit tasks, such as:

1. Spreadsheets

• Trial balance and lead schedule
• Time and cost budgeting
• Analytical procedures
• Audit documentation, e.g. audit confirmation
• Audit programme preparation
• Documentation of internal control – Preparation of flowchart
• Communication and Reports
• Select sample for testing
• Analyse result, by means of explanation to population as a whole

2. Word processor

3. Statistical Packages

4. CAATs

Computer-assisted Audit Techniques

• Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an application control review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period.
• In these situations, it would be impossible to obtain adequate information in a format that can be reviewed without the use of an automated tool.
• Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).

Using CAATs – IS Auditing Guideline G3

 CAATs include many types of tools and techniques, such as generalised audit software,
customised queries or scripts, utility software, software tracing and mapping, and audit
expert systems.
 CAATs may be used in performing various audit procedures including:

• Tests of details of transactions and balances

• Analytical review procedures

• Compliance tests of IS general controls

• Compliance tests of IS application controls

• Penetration testing

Decision Factors for Using CAATs

• When planning the audit, the IS auditor should consider an appropriate combination of manual techniques and CAATs. In determining whether to use CAATs, the factors to be considered include:

– Computer knowledge, expertise, and experience of the IS auditor
– Availability of suitable CAATs and IS facilities
– Efficiency and effectiveness of using CAATs over manual techniques
– Time constraints
– Integrity of the information system and IT environment
– Level of audit risk

Pre-requisites of Using CAATs

Connectivity and Access to Data

The first prerequisite for using audit software is access to data. The auditor needs to obtain access to the “live” production data.

The auditor then needs to obtain “read only” access to the files/tables that hold the data and can transfer the data files to the notebook computer. Once this is done, the audit software can use the data files and perform the audit. It is necessary to ensure that the data that are downloaded are the actual copy from the real production data.

Knowledge of the Application and Data

The IS auditor needs to know technical details of the platform on which the application is built. Knowledge of the files or tables in which the data reside also is necessary.

The auditor needs to get the file description and the data field types. If certain codes are used in the tables, the corresponding description of the codes also needs to be known.

Audit Skills and Identifying the Concerns


After the data are downloaded and ready for analysis by the audit software, the auditor needs to
know what control concerns are to be tested and validated.

This is probably even more basic than the skill needed to download the data. Audit software has
many features but the features cannot perform an audit on their own.

The auditor has to design the procedures and tests. The tests that the auditor carries out are
designed using the knowledge of the application, the business rules behind the function and the
findings of the application review.

The kind of tests that are run will vary with the applications.

For example, in a procurement audit, the auditor may download the purchase order and related
files and perform analysis of prices.

In a financial accounting application, the auditor may analyze expenses on dollar value, revenue
expenditure, account head, and department or cost code.

In a banking application, the auditor may verify interest payments using the audit software.

In a sales application, the correctness of product prices or incentives may be analyzed.

It is the audit skill of determining what is to be verified and tested, coupled with the knowledge
of the business and the application, that makes the software actually do the audit work.

Issues

• The first-time deployment of audit software in any organization is not without pain. Problems will occur in almost all areas, beginning with the reluctance of the IS staff.
• Following this are difficulties in obtaining access to the production data, fears that the audit software may interfere with processing, improper processing of downloads, incorrect input of file definitions and so on.
• Investing in training on the audit software is essential and this cost should be considered while purchasing the software. The training should not be confined to the commands and menus in the software but must include real-life exercises using one of the applications running in the organization.
• It also would help if the trainer is not strictly an IT person, but has some audit background, too. Although the first attempt at using audit software is painstaking, there need be no doubts on the benefits and gains of continued deployment, so the need is to persevere and win through the initial difficulties with help from the IS department and the trainer.

Computer-Assisted Audit Techniques (CAATs)

• ISA 401 “Auditing in a CIS Environment” discusses some of the uses of CAATs in the following conditions:

– The absence of input documents or lack of a visible audit trail

– The effectiveness and efficiency of auditing procedures may be improved through the use of CAATs.

• Normally used by big auditing firms for their big clients.
• Common types of CAATs are “Audit Software” and “Test Data”.

• Audit Software: computer programs used for audit purposes to examine the contents of the client’s files.

Audit software is used during substantive testing to determine the reliability of accounting controls and the integrity of computerised accounting records. Typical testing includes:

– Calculation checks: check additions, select high values and negative values

– Detecting violation of system rules – e.g. the program checks all accounts on the sales ledger to ensure that no customer has a balance above the credit limit

– Detecting unreasonable items – e.g. check that no customers are allowed a trade discount of more than 50%

– Conducting new calculations and analyses – e.g. obtain an analysis of static and slow-moving stocks

– Selecting items for audit testing – e.g. obtain the sample to send confirmations.

– Completeness checks – e.g. checking the continuity of sales invoices to ensure they are all accounted for.
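The typical tests listed above, written as a small audit script. This is an added example, not code from the original notes; the file layouts, field names and all records are constructed for illustration.

```python
"""Audit-software style tests run over constructed sales ledger extracts."""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed customer master extract (not real client data).
CUSTOMERS_CSV = """customer_id,credit_limit,balance,trade_discount_pct
C001,5000.00,4200.00,10
C002,3000.00,3650.50,5
C003,8000.00,-120.00,55
C004,1000.00,1000.00,50
"""

# Constructed sales invoice extract: 1003 and 1006 are missing,
# 1005 appears twice, and 1007 carries a wrong line total.
INVOICES_CSV = """invoice_no,customer_id,qty,unit_price,line_total
1001,C001,10,25.00,250.00
1002,C002,3,100.00,300.00
1004,C003,2,75.50,151.00
1005,C001,4,19.99,79.96
1005,C001,4,19.99,79.96
1007,C004,7,12.00,48.00
"""


def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def over_credit_limit(customers):
    """System-rule violation: balance strictly above the credit limit."""
    return [c["customer_id"] for c in customers
            if Decimal(c["balance"]) > Decimal(c["credit_limit"])]


def unreasonable_discounts(customers, max_pct=Decimal("50")):
    """Unreasonable items: trade discount of more than max_pct percent."""
    return [c["customer_id"] for c in customers
            if Decimal(c["trade_discount_pct"]) > max_pct]


def negative_balances(customers):
    """Select negative values for follow-up."""
    return [c["customer_id"] for c in customers if Decimal(c["balance"]) < 0]


def recalculation_errors(invoices):
    """Calculation check: re-perform qty * unit_price for every line."""
    return sorted({i["invoice_no"] for i in invoices
                   if Decimal(i["qty"]) * Decimal(i["unit_price"])
                   != Decimal(i["line_total"])})


def cast_total(invoices):
    """Check addition: total of the line_total column as recorded."""
    return sum((Decimal(i["line_total"]) for i in invoices), Decimal("0"))


def sequence_exceptions(invoices):
    """Completeness check: gaps and duplicates in the invoice number series."""
    numbers = [int(i["invoice_no"]) for i in invoices]
    if not numbers:
        return [], []
    counts = Counter(numbers)
    missing = [n for n in range(min(numbers), max(numbers) + 1)
               if n not in counts]
    duplicates = sorted(n for n, seen in counts.items() if seen > 1)
    return missing, duplicates


def run_all():
    """Run every test and collect the exceptions in one report."""
    customers, invoices = load(CUSTOMERS_CSV), load(INVOICES_CSV)
    missing, duplicates = sequence_exceptions(invoices)
    return {
        "over_credit_limit": over_credit_limit(customers),
        "unreasonable_discounts": unreasonable_discounts(customers),
        "negative_balances": negative_balances(customers),
        "recalculation_errors": recalculation_errors(invoices),
        "cast_total": cast_total(invoices),
        "missing_invoices": missing,
        "duplicate_invoices": duplicates,
    }


if __name__ == "__main__":
    for test, result in run_all().items():
        print(f"{test}: {result}")
```

C004 sits exactly on its credit limit and exactly at a 50% discount, so it is not reported by either rule; both tests flag only values above the threshold.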

• Factors for the auditor to consider in deciding whether to use CAATs:

– If no visible evidence is available and the only way is CAATs

– The cost associated with CAATs

– The extent of the ability of CAATs to perform tests on various financial statement items.

– Time. Reports need to be produced by the auditors within a comparatively short time period. In such cases it may be more efficient to use CAATs.

– The condition of the hardware (computer) and its ability to support CAATs.

• Audit Software

– Package Programs or Generalised Audit Software (GAS)

– Written Programs or Custom Audit Software.

• Audit Software (continued):

– Package programs are generalized computer programs designed to perform data processing functions such as reading and extracting data from the entity’s computer files or database for further audit testing, performing calculations, selecting samples and providing reports.

– For example, application of a package program to Accounts Receivable (AR):

• 1st step: Set audit objectives, i.e. to test the accuracy of AR, select a sample for confirmation and print out the confirmations and monthly statements of the selected sample.
• 2nd step: Design the application, i.e. identify data and design the format of the confirmation.
• 3rd step: Ensure the package program is able to read the data.
• 4th step: Process the application, i.e. access the entity’s AR database with the package program. The program will process automatically according to the instructions.
• 5th step: Evaluate the result, i.e. verify output, review confirmation letters and monthly statements and send confirmations.

• Audit Software (continued):

– A written program is audit software written by the auditors for specific audit tasks; it is necessary when the entity’s CIS system is not compatible with Generalized Audit Software. It is good to develop if the auditor can use it in future audits. However, it is expensive, takes longer to develop and needs modification every time an entity changes its system. The auditor also needs an IT expert to help in developing the program.

• Common types of CAATs are Audit Software and Test Data (continued)

• Test Data: data used by the auditor to test the operation of the enterprise’s computer programs.

– The auditor uses test data primarily for testing the application controls in the entity’s computer programs.

– For example: the auditor creates a set of simulated data which includes both valid data and invalid data. Then, the auditor manually calculates the result from the simulated data.

– With the simulated data entered into the entity’s computer program, the valid data should be properly processed and the invalid data should be identified as errors. The results are compared to the auditor’s predetermined results.

– Another example: an unauthorized password may be used in an attempt to gain entry, or transactions with incorrect coding or with non-existing customers or suppliers may be entered. These tests ensure that the system properly rejects invalid transactions.
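The test data technique described above, as an added example that is not part of the original notes. The function `entity_program` is a hypothetical stand-in for the entity's program (with one input control deliberately left out), and the test deck and expected results are constructed.

```python
"""Test data technique: run a test deck through a program and compare the
actual results with the auditor's predetermined results."""
from decimal import Decimal

KNOWN_CUSTOMERS = {"C001", "C002"}   # constructed master data
VALID_CODES = {"SAL", "RET"}         # constructed transaction codes


def entity_program(txn):
    """Hypothetical stand-in for the entity's order-entry program.

    Returns ("ACCEPT", amount) or ("REJECT", reason).
    """
    if txn["customer"] not in KNOWN_CUSTOMERS:
        return ("REJECT", "unknown customer")
    if txn["code"] not in VALID_CODES:
        return ("REJECT", "invalid transaction code")
    # Deliberate gap in this stand-in: the quantity is never validated.
    return ("ACCEPT", Decimal(txn["qty"]) * Decimal(txn["price"]))


def corrected_program(txn):
    """The same stand-in with the missing quantity check added."""
    try:
        qty = int(txn["qty"])
    except ValueError:
        return ("REJECT", "quantity is not a whole number")
    if qty <= 0:
        return ("REJECT", "quantity must be positive")
    return entity_program(txn)


def case(case_id, customer, code, qty, price, expected):
    """Build one test-deck entry with its predetermined result."""
    txn = {"customer": customer, "code": code, "qty": qty, "price": price}
    return {"id": case_id, "txn": txn, "expected": expected}


# Constructed test deck: valid and invalid transactions, with expected
# results worked out by hand before the run.
TEST_DECK = [
    case("T1", "C001", "SAL", "5", "20.00", ("ACCEPT", Decimal("100.00"))),
    case("T2", "C999", "SAL", "1", "20.00", ("REJECT", None)),  # no such customer
    case("T3", "C001", "XXX", "1", "20.00", ("REJECT", None)),  # incorrect coding
    case("T4", "C002", "SAL", "-3", "10.00", ("REJECT", None)),  # negative quantity
    case("T5", "C002", "RET", "2", "15.50", ("ACCEPT", Decimal("31.00"))),
    case("T6", "C001", "SAL", "abc", "10.00", ("REJECT", None)),  # non-numeric
]


def run_test_deck(program, deck):
    """Return the cases where the program's result differs from the
    predetermined result. A crash counts as a difference."""
    exceptions = []
    for entry in deck:
        try:
            actual = program(entry["txn"])
        except Exception as exc:  # the program failed instead of rejecting
            actual = ("ERROR", repr(exc))
        exp_status, exp_value = entry["expected"]
        matches = actual[0] == exp_status and (
            exp_status != "ACCEPT" or actual[1] == exp_value)
        if not matches:
            exceptions.append({"id": entry["id"],
                               "expected": entry["expected"],
                               "actual": actual})
    return exceptions


if __name__ == "__main__":
    for name, program in (("entity_program", entity_program),
                          ("corrected_program", corrected_program)):
        found = run_test_deck(program, TEST_DECK)
        print(name, "exceptions:", [e["id"] for e in found])
        for e in found:
            print("  ", e["id"], "expected", e["expected"][0],
                  "got", e["actual"])
```

For rejected cases only the status is compared, because the wording of a rejection message is not part of the predetermined result.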

Potential benefit of using CAATs ……

• Audit time may be saved
• Ability to scrutinize large volumes of data
• Eliminate manual casting, cross casting
• Less manual procedures
• The auditor does not necessarily have to be present at client’s office
• Review and finalizing time may be reduced

 With data volumes growing and management expectations on assurances becoming more
specific, random verifications and testing do not yield the desired value. The use of audit
software ensures 100 percent scrutiny of transactions in which there is audit interest, and
pointed identification and zeroing in on erroneous/exceptional transactions, even when
data volumes are huge. And all this can be done in a fraction of the time required with
manual methods.

 Another advantage of the audit software is the uniform user friendly interface that the
audit software presents to the auditor for performing all the tasks, irrespective of the data
formats or the underlying technology used by the application. The audit software also
maintains logs of the tests done for review by peers and seniors, and advanced features
allow the programming of certain macros and routines that can further enhance audit
speeds and efficiency.

OTHER ASPECTS OF IT ASSURANCE, SECURITY & GOVERNANCE

IT Assurance – Performing audit over IT resources

IT Security – Securing IT resources

IT Governance – Understanding and Commitment of the Board and Management

SOURCES

MIA Handbook on International Audit Guidelines

Information Security and Control Association website (http://www.isaca.org)

Institute of Internal Auditors’ website (http://www.theiia.org)


Certified Fraud Examiners Handbook

Federal Reserve website

Information Security sites; SANS, CCCure, etc.

Information Security manuals, standards; NIST, ITIL, CoBIT, IEC/ISO 27001

INTRODUCTION

Nowadays, the corporate world is increasingly inclined towards the use of information technology (IT) and computer information systems (CIS) in its daily operations.

This has changed the manner in which organisations carry out their operations and various business processes.

This has further led to a change in the nature of the audit evidence generated by each financial transaction.

The method of collection and evaluation of audit evidence has also changed.

This requires auditors to possess reasonable knowledge about EDI, SDLC, CASE tools and the various hardware & software used in the organisation.

SCOPE OF AUDIT IN CIS ENVIRONMENT / IMPACT OF CIS ON AUDITING

The use of CIS in various organisations has had a drastic impact on audit approaches, techniques, risks involved and internal control methods. The following factors (risks) must be given due consideration while framing an audit plan for an organisation:

1. High speed and automatic initiation/execution of transactions: In a CIS environment, transactions are processed instantly. Once a transaction is fed into the system, it might get executed automatically without requiring authorisation. Similarly, reports (even complex ones) can be generated at a very high speed and can be viewed by multiple users at a time, thus giving rise to many security issues.

2. Uniform processing of transactions, hence low clerical error: While feeding input, processing transactions and generating outputs, the computer system performs multiple checks on data at each point of time. Moreover, transactions are processed in a uniform manner. Hence the clerical errors generated are minimised. However, there is a shift from human-generated errors towards system-generated errors.

3. Unintentional or system-generated errors: As discussed earlier, there is a shift in the nature of errors from human-generated to system-generated. Errors occur due to lack of experienced personnel, and are mainly related to the development, maintenance and execution of CIS.

4. Inexperienced personnel: Nowadays, technological advancement is occurring at a very fast pace. It has created a shortage of expert staff who understand the current technology, both at the client end and at the auditor end.

5. Concentration of duties: Under a CIS environment, more than one kind of task/function can be performed by an individual. This makes it difficult to segregate duties among individuals. Consequently, it also gives rise to a number of security issues.

6. Lack of audit trail: In a computerised system, the processing of a transaction takes place instantly. This leads to loss of audit trail. Thus, the auditor needs to apply some alternate procedure to compensate for the loss of audit trail.



Audit Trail: It can be defined as a step-by-step record by which a transaction can be traced.

The auditor may apply one of the following methods to compensate for the loss of audit trail:

i. Special/Exceptional Reports: The auditor may ask the client to arrange special reports and print-outs. E.g.: sales orders for the month of December & March; purchase orders that have been short-closed by the purchase department.

ii. Tagging and Tracing:

o It is a method of compensating for the audit trail.

o It involves tagging the client’s input data such that only relevant data, which needs to be verified by the auditor, is highlighted on the screen.

o E.g.: cash payments of more than ₨.20,000/-; debtors outstanding for more than 3 months; purchase orders pending for more than 30 days from expected delivery date; etc.

iii. Alternative Review Procedures (ARP): This includes a number of methods to compensate for the audit trail, such as:

o Auditors’ judgement: budgeting the figures and comparing them with actual figures.

o Ratio analysis / checking critical ratios. This implies calculating certain ratios on the basis of budgeted data or previous period’s data or data from similar industries and comparing them with the actual data of the client organisation.

o Testing on total basis: if individual items can’t be checked in detail then the auditor may take totals of reasonable chunks of data and check accordingly.

o Clerical recreation: The auditor may manually generate certain figures that have been generated by the system (automatically).

iv. Use of CAAT: The auditor may take the help of white-box audit approach or CAATs.

7.       Auditor’s participation in SDLC and dependence on other (manual) controls: We know that
there is a constraint of audit trail in CIS environment. Thus, a computerised information
system lacks manual reasonableness. An information system of an organisation can only be
effective if it has a reasonable level of audit facilities integrated into it. Hence participation of
the auditor in the SDLC is highly important. Moreover, the auditor may also use certain manual
methods while performing the audit.

8.       Internal Control Environment & management supervision: The success of CIS highly depends
upon the involvement of management in development and maintenance of CIS. Under CIS
environment, the risk of fraud & error is relatively high. Thus higher management supervision
and a better internal control environment are required.

9.       Use of CAAT: The audit under CIS environment cannot be carried out effectively by traditional
(manual) approaches. Since the processing of transactions in CIS environment is fast and
complicated, the audit must be carried out using computer assisted audit techniques (CAAT).
This requires a reasonably good amount of IT skills on the part of the auditors.
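The tagging and tracing method described under item 6 can be sketched as a small CAAT script. This is an added example, not part of the original notes: the thresholds are the ones quoted in the text, while the record layout, field names and sample records are constructed for illustration.

```python
from datetime import date

# Thresholds are the ones quoted in the text's examples.
CASH_LIMIT = 20_000        # cash payments of more than Rs. 20,000
DEBTOR_MONTHS = 3          # debtors outstanding for more than 3 months
PO_OVERDUE_DAYS = 30       # POs pending more than 30 days past expected delivery


def older_than_months(start, as_of, months):
    """True when strictly more than `months` calendar months separate the dates."""
    raw = (as_of.year - start.year) * 12 + (as_of.month - start.month)
    whole = raw - (1 if as_of.day < start.day else 0)   # completed months
    has_remainder = as_of.day != start.day               # days beyond whole months
    return whole > months or (whole == months and has_remainder)


def tag_records(records, as_of):
    """Return (record id, reason) for every record the auditor must verify."""
    tagged = []
    for rec in records:
        kind = rec["kind"]
        if kind == "cash_payment" and rec["amount"] > CASH_LIMIT:
            tagged.append((rec["id"], "cash payment above limit"))
        elif (kind == "debtor" and rec["balance"] > 0
              and older_than_months(rec["invoice_date"], as_of, DEBTOR_MONTHS)):
            tagged.append((rec["id"], "debtor outstanding over 3 months"))
        elif (kind == "purchase_order" and rec["status"] == "pending"
              and (as_of - rec["expected_delivery"]).days > PO_OVERDUE_DAYS):
            tagged.append((rec["id"], "purchase order overdue over 30 days"))
    return tagged


def coverage(records, tagged):
    """Per record kind: (items tagged, items in population), for the working papers."""
    tagged_ids = {rec_id for rec_id, _ in tagged}
    summary = {}
    for rec in records:
        hit, total = summary.get(rec["kind"], (0, 0))
        summary[rec["kind"]] = (hit + (rec["id"] in tagged_ids), total + 1)
    return summary


# Constructed sample data (not from the notes); boundary values are deliberate.
AS_OF = date(2025, 3, 31)
SAMPLE = [
    {"id": "CP-001", "kind": "cash_payment", "amount": 20_000},   # exactly at limit
    {"id": "CP-002", "kind": "cash_payment", "amount": 20_001},
    {"id": "DR-001", "kind": "debtor", "balance": 5_000,
     "invoice_date": date(2024, 12, 31)},                        # exactly 3 months
    {"id": "DR-002", "kind": "debtor", "balance": 7_500,
     "invoice_date": date(2024, 12, 15)},
    {"id": "DR-003", "kind": "debtor", "balance": 0,
     "invoice_date": date(2024, 10, 1)},                         # already settled
    {"id": "PO-001", "kind": "purchase_order", "status": "pending",
     "expected_delivery": date(2025, 3, 1)},                     # exactly 30 days
    {"id": "PO-002", "kind": "purchase_order", "status": "pending",
     "expected_delivery": date(2025, 2, 20)},
    {"id": "PO-003", "kind": "purchase_order", "status": "received",
     "expected_delivery": date(2025, 1, 5)},
]

if __name__ == "__main__":
    result = tag_records(SAMPLE, AS_OF)
    for rec_id, reason in result:
        print(rec_id, "-", reason)
    print(coverage(SAMPLE, result))
```

Items sitting exactly on a threshold are not tagged, because each rule in the text reads "more than".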

IMPACT OF CHANGES ON BUSINESS PROCESS


1.       EDI: Electronic Data Interchange, as the name suggests, means exchange of
data/information/documents from one user to another, electronically (with the help of
computers). In other words, EDI is the computer-to-computer exchange of
documents/information in a public standard format. Under the EDI framework, once a transaction
(data) is fed into a computer, many records are automatically updated. There is no need to
re-enter the data into the accounting system. This saves a lot of time & effort and enables an
error-free transaction processing system (TPS).

2.       Process of recording transactions: In a manual system, a transaction goes through a
sequence of steps in order to get recorded in the principal books [Entry → Ledger → Final
Accounts (Balance Sheet and Profit & Loss Account)]. Under CIS environment, the above
mentioned three processes are carried out simultaneously.

3.       Accounting / Transaction Processing System: As mentioned above, the CIS mechanism leads
to abandonment of the maintenance of primary records.

Batch Processing (Old Concept)

o   It is a simple system and somewhat like the traditional manual system.

o   In this process transactions are accumulated and processed in groups.

o   In this, files are not updated quickly.

o   E.g.: Accountant accumulates all the cash receipts vouchers for the day and updates his
accounting record by the end of a working day.

OLRT / RTOL System (New Concept)

o   OLRT – On-Line / Real-Time.

o   Under this system transactions are processed as soon as they occur.

o   All the records are updated simultaneously on occurrence of a transaction.

o   E.g.: On issue of a Sales invoice, Sales ledger and debtor’s ledger are updated, automatically.

o   Software packages like Tally, SAP, etc. work like this.

Time Sharing & Service Bureau (Distinct & New Concept)

o   Time sharing is a situation where a single computer serves more than one user.

o   A service bureau is an organisation which processes transactions on behalf of its client
organisation.

o   E.g.: a service bureau handling payroll (including ESI/PF) for a small company.

o   If an organisation uses the services of a service bureau then the auditor must obtain reasonable
evidence in support of the controls exercised by the client organisation over the activities
performed by the service bureau.

o   Nowadays, many accounting firms are doing this kind of activity.

4.       Data Storage / file system: The data storage facilities and filing system of the organisation have
gone through drastic changes as a result of changes in the style of carrying out business
processes.

Flat File System (Old Concept)

o   In few words, in a flat file system, users own their own data and they are responsible for their
respective data files.

o   It leads to data redundancy and repetition of tasks.

o   E.g.: Try and visualise the admission system of a government college, where you are asked to
fill up a hand-written form.

   On the basis of this form, the Admission Officer makes an entry in his register (Book-1) and
asks you to deposit the fees with the Cashier.

   Now the Cashier takes the fees and passes a receipt entry in his cash register (Book-2) and
issues a Cash Receipt.

   Finally, you present the Cash Receipt to the Admission Officer and he issues you the Admit
Card and registers your name in the Student’s Register (Book-3).

   Later on the Accounts Officer will update his own accounting records (Book-4) on the basis of
the Cash Book & Students Register maintained by the above mentioned two officers.

o   It is evident from the above example how one simple transaction needs to be recorded in 4
separate sets of books kept with separate users.

Integrated Database System (New Concept)

o   In this the transaction is entered only once and the data corresponding to such transaction is
shared by multiple users.

o   It works on client-server technology / topology.

o   It contains a set of interrelated files. When input is fed from one end, the master file (server)
itself gets updated. This master file can be retrieved by more than one user (clients). Hence it
reduces data redundancy.

o   E.g.: A person sitting at the sales office issues a Sales Invoice to a customer. Under this system
master files related to Sales and Debtors are automatically updated. The person sitting in the
back-office can anytime check the Sales data or outstanding debtors.

o   This kind of system is mainly used with On-Line / Real-Time Systems.

5.       Organisational structure: Nowadays, organisations depend very highly on CIS.
Thus, there is a need for a separate department (group of people) to take care of the IT
needs of the organisation. Some of the personnel are listed below:

i.            EDP Manager: is responsible for overall management and administration of the IT
department.

ii.            Data Administrator: ascertains the data requirements of various users of the information
system in the organisation.

iii.            Database Administrator: is responsible for operational efficiency and security of the
organisational database.

iv.            System Analyst: takes care of the information requirements of the users for new as
well as existing applications; designs information system architecture to meet these
requirements; facilitates implementation of information systems and maintains
documentation.

v.            System Programmers: are responsible for the maintenance of operating system (OS)
software, network and hardware requirements.

vi.            Application Programmer: designs new programs and modifies existing ones to meet the
data processing needs; removes errors and improves efficiency of the existing application
software.

vii.            Operation Specialist: plans and controls the day-to-day issues of the users of information,
which emerge during the normal course of work.

viii.            Librarian: maintains the library of magnetic media and documentation.

6.       Modified internal control base: In CIS environment since most of the processes are
automated, the probability of occurrence of error substantially increases. Moreover, the risk
of fraud is higher in CIS environment, as it is less-easily identifiable. Thus, there is a shift in
internal control base in CIS environment as compared to traditional manual system. Following
are two main categories of internal control required in CIS environment:

A.      General EDP Controls: Overall controls over EDP environment.

i.      Organisational & Management Controls: These controls are designed to establish an
organisation wide frame-work for CIS activities. It includes:

o   Designing appropriate control policies & procedure;

o   Properly segregating duties among various individuals.

ii.      System Software Controls: These controls are meant to provide assurance that system
software is acquired or developed in an authorised manner. It includes:

o   Authorisation, approval, testing, implementation and documentation of new system software
and system software modification;

o   Restriction of access to system software and documentation to authorised personnel.

iii.      Application System Development & Maintenance Controls: These controls are designed to
provide assurance that systems are developed and maintained in an authorised and efficient
manner and also to establish control over:

o   testing, conversion, implementation and documentation of new revised system;

o   changes made to application system;

o   access to system documentation;

o   acquisition of application system from third parties.

iv.      Computer Operation Controls: These help in controlling the operations of the computer
system. They assure that:

o   The systems are used for authorised purposes only.

o   Access to computer operation is restricted to authorised personnel.

o   Only authorised programs are to be used.

o   Processing errors are detected and corrected on timely basis.

v.      Data Entry & Program Controls: These assure that:

o   Access to data and program is restricted to authorised personnel.

o   An authorisation structure is established over transactions being entered into the system.

B.      EDP Application Controls: Specific controls over specific applications.

i.     Control Over Inputs: These controls are drawn to assure that:

o   Transactions are properly authorised before being processed by the computer.

o   There are adequate checks installed in the input form to assure the correctness of data
entered by the users.

o   Incorrect transactions are rejected, corrected and if necessary, resubmitted on a timely basis.

ii.     Control Over Processing & data files: These controls ensure that:

o   Transactions are properly processed by the computer.

o   Transactions are not lost, added, duplicated or improperly changed.

o   Processing errors are identified and corrected on a timely basis.

iii.     Control Over Output: They assure that:

o   Results of processing are complete, accurate and through ride media.

o   Outputs so generated, satisfy the requirement of the user.

o   Access to output is restricted to authorised personnel.
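The processing control "transactions are not lost, added, duplicated or improperly changed" is commonly tested by reconciling batch control totals. The sketch below is an added example, not part of the original notes: the use of record count, control total and hash total for this purpose, the record layout and all sample batches are assumptions constructed for illustration.

```python
from collections import Counter
from decimal import Decimal


def txn(txn_id, account_no, amount):
    """Build one transaction record (constructed layout)."""
    return {"txn_id": txn_id, "account_no": account_no, "amount": Decimal(amount)}


def batch_totals(records):
    """Totals a data-control clerk would write on the batch header."""
    return {
        "record_count": len(records),
        "control_total": sum((r["amount"] for r in records), Decimal("0")),
        # Hash total: a sum with no accounting meaning, used only as a check.
        "hash_total": sum(r["account_no"] for r in records),
    }


def reconcile(input_batch, processed):
    """Return sorted (finding, key) pairs; an empty list means the batch agrees."""
    findings = set()
    expected, actual = batch_totals(input_batch), batch_totals(processed)
    for name, value in expected.items():
        if actual[name] != value:
            findings.add(("TOTAL_MISMATCH", name))

    # Record-level tracing catches what offsetting errors hide from the totals.
    by_id = {r["txn_id"]: r for r in input_batch}
    seen = Counter(r["txn_id"] for r in processed)
    for txn_id in by_id:
        if seen[txn_id] == 0:
            findings.add(("LOST", txn_id))
        elif seen[txn_id] > 1:
            findings.add(("DUPLICATED", txn_id))
    for r in processed:
        original = by_id.get(r["txn_id"])
        if original is None:
            findings.add(("ADDED", r["txn_id"]))
        elif r != original:
            findings.add(("CHANGED", r["txn_id"]))
    return sorted(findings)


# Constructed batches (not from the notes).
INPUT_BATCH = [
    txn("T1", 4001, "1500.00"),
    txn("T2", 4001, "250.00"),
    txn("T3", 4002, "980.50"),
    txn("T4", 4003, "60.00"),
]

# T2 posted to the wrong account: count and money agree, only the hash total moves.
MISPOSTED = [INPUT_BATCH[0], txn("T2", 4010, "250.00"), INPUT_BATCH[2], INPUT_BATCH[3]]

# T4 replaced by an unknown T9 with the same account and amount: every total agrees.
SWAPPED = INPUT_BATCH[:3] + [txn("T9", 4003, "60.00")]

# T2 duplicated, T3 lost, T4 amount altered, T9 added.
TAMPERED = [INPUT_BATCH[0], INPUT_BATCH[1], INPUT_BATCH[1],
            txn("T4", 4003, "600.00"), txn("T9", 4999, "10.00")]

if __name__ == "__main__":
    for name, batch in [("clean", INPUT_BATCH), ("misposted", MISPOSTED),
                        ("swapped", SWAPPED), ("tampered", TAMPERED)]:
        print(name, reconcile(INPUT_BATCH, batch))
```

The swapped batch shows why totals alone are not sufficient evidence: all three totals agree, and only the record-level comparison reports the lost and added items.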

AUDIT APPROACH IN CIS ENVIRONMENT


There have been drastic changes in audit approaches and methodologies as a result of the
emergence of CIS environment. The selection of one of the approaches depends upon the
knowledge and expertise of the auditors. There are mainly two approaches for auditing in CIS
environment that are explained as follows:

A.      Black-box Approach (Auditing around the computer): In this approach, the auditor is mainly
concerned about the Inputs fed-in by the client and the output generated by the system. The
auditor completely ignores the internal processing of the Information System.

For example, while testing payroll of a company, under black-box approach, the auditor may
first find out the total monthly hours worked by selected employees from their respective
time cards and then he may check the salary/wage rate from the rate card to find out the
salary/wage payable to each employee. On the basis of above, the auditor ascertains his own
output by comparing hours, rates, extensions, over-time & leaves. Finally, the auditor
compares his own results with the system generated results.

The biggest advantage of auditing around the computer is the ease and simplicity, since the
auditor does not require in-depth knowledge of system application program in order to
perform his duties.

On the contrary, a major disadvantage is that, under this approach, the auditor is completely
ignorant about the internal processes of the system. Moreover, for certain complex reports,
print-outs cannot be arranged on which to apply the audit procedures.

B.      White-Box Approach (Auditing through the computer): Under this approach, the auditor is not
only concerned with the subject matter of the audit (i.e. inputs and outputs), but also with the
internal processing of the computer system. This includes auditing with the help of
audit software and computer aided audit techniques (CAAT).

CAAT: COMPUTER AIDED/ASSISTED AUDIT TECHNIQUE
Under CIS environment, the auditing cannot be carried out effectively using traditional /
conventional and manual techniques of auditing. Auditing through the computer requires
the use of various audit software packages and some computer assisted audit techniques.

AUDIT SOFTWARE
The use of CAAT allows the auditor to test the reliability and credibility of the client’s
information system, without being much dependent upon the client’s software. Nowadays,
there are plenty of audit software options available to the auditor, with the help of which
he can perform his audit independently and effectively. This audit software may include
package programs, purpose-written programs, utility programs or system management
programs. These programs are explained as follows:

I.            Package Programs:
o   These are generalised computer software packages.
o   These packages come with a lot of generalised features and utilities, which can be used at many
clients’ sites.
o   Since these software packages are highly generalised and are available across the globe, one
does not face any compatibility issues. Almost all organisations maintain a certain level of
compatibility with these programs.
o   E.g. MS-Excel can be the most common example for such programs.
II.            Purpose-written Programs:
o   These programs are created to perform audit tasks of a specific nature.
o   These packages are not available for sale in the open market. The auditor is required to get these
programs developed.
o   The auditor may appoint some outside agency to develop the program on his behalf
(outsourcing) or he may himself hire the programmers and get it built in-house.
o   While choosing the purpose-written program option, the auditor must take into consideration
the cost related issues.
III.            Utility Programs:
o   These programs are used to perform common data processing functions such as sorting;
sampling; documenting; creating, emailing & printing files/reports, etc.
o   Although these are not specifically designed for audit purposes, they can be extremely useful
while performing the audit.
o   E.g. Acrobat’s Adobe Reader; Microsoft’s Office also consists of certain utility programs such as
MS-Access, MS-Word, MS-PowerPoint, etc.
IV.            System Management Software:
o   These software/programs are also not specifically meant for audit purposes.
o   These are productive tools, meant to enhance the performance of the Operating System.
o   E.g.: Disk Defragment, Task Manager, Task Scheduler, Disk Clean-up, etc. are some of the
examples of system management software.

USES OF CAAT
CAAT may be used to perform following audit procedures:

1.       Detailed and in-depth test of transactions and balances: The auditor can check the
transactions in-depth and in detail, since he can select a larger sample size. Applying CAAT
saves a lot of time, thus he may devote more time to analysing a transaction.
2.       Application of complex analytical review procedures: The auditor can perform complex procedures
and calculations with the help of CIS. He may extract detailed and complex reports also to
support his procedure.
3.       Application of statistical sampling techniques to extract the relevant data: While extracting data
from the client’s information system, the auditor can take the help of complex statistical and
scientific techniques in order to improve the quality and prudence of the sample selected.
Application of statistical and scientific methods is almost impossible without the help of
computer systems. E.g.: MS Excel is an application program that contains a number of statistical
and mathematical formulae and techniques.
4.       Test of general EDP controls: The auditor may check various input controls; processing
controls; output controls; data storage, transmission and security controls. The auditor can
check the access rules and procedure.
5.       Test of Application controls: The auditor can check the functioning of various applications
installed and running in the system. The auditor may check the authenticity of various
application programs.
6.       Re-Performing calculations and processing: The auditor can also re-perform calculations
performed by the client’s accounting system.
7.       Better reporting Methods: Under CIS environment there are a number of reporting techniques
available to the auditor. The auditor can use various graphical designs and multimedia
techniques in order to make his report effective, concrete and more catchy. E.g.: MS
PowerPoint is one of the software used to prepare presentations.

CONSIDERATIONS IN USE OF CAAT


While planning an audit with the help of CAAT, the auditor must take care of the following
factors:

1.       IT knowledge and experience of the Audit Team: Both the auditor and the audit team should
have sufficient skills and experience to handle the audit under CAAT.
2.       Availability of relevant Audit Software and suitable computer facilities: The auditor can use
the CAAT and maintain the independence only if he has sufficient infrastructure, in the form of
computer hardware and audit software, available with him. Otherwise the cooperation and
assistance of the client entity’s personnel will be required.
3.       Impracticability of manual test: Nowadays, many organisations are adopting eco-friendly
approaches while performing the business operations. Moreover, many computer information
systems perform tasks where no hard copy evidence is generated, making it
impractical for the auditor to perform the tests manually.
4.       Effectiveness and Efficiency: With the help of CAAT, it is possible to test a large number of
transactions together with a better level of precision. This brings efficiency and effectiveness in
performing the audit assignment.
5.       Time Constraint: The auditor is required to perform the assignment in a limited time span,
whereas a large amount of data (such as transaction details and reports) is required to be
stored for such a short audit period. Thus the auditor is required to make arrangements for
retention and retrieval of data.
6.       Detection of fraud and error: The CAAT allows the auditor to plan and execute the audit work
more effectively with the help of sophisticated audit software. But, under CIS environment,
frauds are intentional and generally deep-laid. Moreover, there are chances that some frauds
are highlighted, but there is no concrete evidence to prove the same. Thus it cannot be said
that the auditing through the computer will increase the probability of detection of fraud.
7.       Use of CAAT in small organisations: In small business organisation, use of CAAT might not be a
cost-effective and viable alternative. This is because of two reasons, first the revenue per
assignment is not very huge, and second the client entity might not have the appropriate
technical infrastructure to run CAAT.

STEPS INVOLVED IN APPLICATION OF CAAT


Following steps are required to be undertaken by the auditor in effective application of CAAT:

1.       set the objective of CAAT application;
2.       determine the content and accessibility of the entity’s files;
3.       determine the scope: identify the specific files or databases to be examined;
4.       understand the relationship between the data tables where a database is to be examined;
5.       define the specific tests or procedures and related transactions and balances affected;
6.       define the output requirements;
7.       arrange files & databases: arrange with the user and IT departments, if appropriate, for copies
of the relevant files or database tables to be made at the appropriate cut-off date and time;
8.       audit team: identify the personnel who may participate in the design and application of CAAT;
9.       cost effectiveness: refine the estimates of costs and benefits;
10.   follow-up: ensure that the use of CAAT is properly controlled;
11.   arrange the administrative activities, including the necessary skills and computer facilities;
12.   reconcile data to be used for CAAT with the accounting and other records;
13.   execute CAAT application;
14.   evaluate the results;
15.   document CAATs to be used including objectives, high level flowcharts and run instructions;
and
16.   assess the effect of changes to the programs/system on the use of CAAT.

TESTING CAAT
Before applying or completely relying on CAAT, the auditor must first obtain reasonable assurance
of the integrity, reliability, usefulness, and security of CAAT through appropriate planning,
design, testing, processing and review of documentation. There are many testing methods;
some of them are listed below:

1.       Test Data: The auditor enters the test data into the entity’s computer system and compares
the result with predetermined results.
2.       Test Packs: It involves testing a set of data, chosen by the auditor from the entity’s system and
testing it separately from the normal processing procedure.
3.       Integrated Test Facility: In this approach, auditor establishes a dummy unit, into which test
transactions are posted during the normal processing cycle of the entity. However, these
dummy entries are eliminated later on.
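The test data method in item 1 can be shown as a small harness that feeds auditor-prepared cases to the system and compares each result with the predetermined one. This is an added example, not part of the original notes: the payroll rules, the stand-in `client_payroll` program with its seeded defects, and the test deck are all assumptions constructed for illustration.

```python
from decimal import Decimal

REJECTED = "REJECTED"
WEEK_HOURS = 168              # assumption: weekly payroll, 7 x 24 hours is the ceiling
REGULAR_HOURS = 40            # assumption: overtime starts after 40 hours
OT_FACTOR = Decimal("1.5")    # assumption: overtime is paid at 1.5 times the rate


def client_payroll(hours, rate):
    """Stand-in for the entity's payroll program (hypothetical, defects seeded)."""
    hours, rate = Decimal(hours), Decimal(rate)
    if hours > WEEK_HOURS:
        return REJECTED
    # Seeded defect 1: negative hours are not rejected by the input check.
    regular = min(hours, Decimal(REGULAR_HOURS))
    overtime = max(hours - REGULAR_HOURS, Decimal(0))
    # Seeded defect 2: overtime is paid at the straight rate.
    return regular * rate + overtime * rate


def corrected_payroll(hours, rate):
    """The same program after both defects are fixed."""
    hours, rate = Decimal(hours), Decimal(rate)
    if hours < 0 or hours > WEEK_HOURS:
        return REJECTED
    regular = min(hours, Decimal(REGULAR_HOURS))
    overtime = hours - regular
    return regular * rate + overtime * rate * OT_FACTOR


# Auditor's test deck: (case id, hours, rate, predetermined result).
# Results were worked out by hand before the run; valid, boundary and invalid
# inputs are all included so that the input controls are exercised as well.
TEST_DECK = [
    ("TD-01", 40, 100, Decimal("4000")),     # regular week
    ("TD-02", 45, 100, Decimal("4750")),     # 5 overtime hours
    ("TD-03", 0, 100, Decimal("0")),         # no hours worked
    ("TD-04", -8, 100, REJECTED),            # invalid: negative hours
    ("TD-05", 169, 100, REJECTED),           # invalid: above weekly ceiling
    ("TD-06", 168, 100, Decimal("23200")),   # boundary: exactly at the ceiling
]


def run_test_data(system, deck):
    """Run every case through `system`; return (case id, expected, actual) deviations."""
    deviations = []
    for case_id, hours, rate, expected in deck:
        actual = system(hours, rate)
        if actual != expected:
            deviations.append((case_id, expected, actual))
    return deviations


if __name__ == "__main__":
    for case_id, expected, actual in run_test_data(client_payroll, TEST_DECK):
        print(f"{case_id}: expected {expected}, system produced {actual}")
    print("after fix:", run_test_data(corrected_payroll, TEST_DECK))
```

A deck made only of valid cases would have passed TD-01 and TD-03 and missed both defects, which is why the deck carries invalid and boundary inputs.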

MEASURES TO EXERCISE CONTROL OVER CAAT APPLICATIONS


Most of the audit procedures performed using CAAT are highly automated and machine
driven. Moreover, a situation may often occur where the auditor also requires the
cooperation of the client entity’s IT staff for extensive knowledge of the computer installation. In such
circumstances, there are chances of the client’s staff inappropriately influencing the CAAT results.
Thus, while applying CAAT in audit procedure, due care and control must be exercised.
Following points are important to consider:
o   The kind of audit procedure that needs to be performed by CAAT;
o   Review the entity’s general controls that may affect the integrity of CAAT, for example, controls
over program changes and access to computer files. When such controls cannot be relied on to
ensure the integrity of CAAT, the auditor may consider processing CAAT application at another
suitable computer facility; and
o   Ensure appropriate integration of the output by the auditor into the audit process, and later on
in drawing audit conclusions and reporting.

The success or failure of auditing with CAAT highly depends upon the degree of control
exercised on the overall application of CAAT. The control over the CAAT applications can be:

       I.            Control Over Software Application:


a.       Participation in design and testing of CAAT: The success of CAAT significantly depends upon
the participation of the principal auditor in the designing and testing of CAAT.
b.      Checking the coding: Wherever applicable, checking the coding of the program in detail to
ensure that it is in line with the program specification.
c.       Compatibility with client’s system: Asking the client entity’s IT staff to check the compatibility
of the audit software with the operating system used in the client’s information system.
d.      Testing the software: Before running the audit software on the main system’s data files, the
software must be run on small test files in a different system.
e.      Testing the test results: The results of the above test.
f.        Addressing the security issues: The auditor must establish appropriate security measures to
safeguard the integrity and confidentiality of the client’s data.
g.       Regular follow-up: Sufficient evidence must be obtained so as to ensure that the audit
software is functioning as planned, and also to ensure that there is proper vendor support.
      II.            Control Over Test Data:

a.       Controlling the sequence in which the test data needs to be sent.
b.      Initially, performing the test runs with small chunks of test data, before submitting the main
audit test data.
c.       Predicting the results of the test data and comparing it with the actual test data output.
d.      Confirming that the current version of the programs was used to process the test data.
e.      Ensure that the client entity used the same version of software throughout the audit period, on
which the audit is being conducted.
f.        Make sure that dummy entries are deleted, which were fed in the system, while performing
the audit.

The auditor should keep one thing in mind while performing the audit: “CAAT is one of the
‘solutions’ for Audit and not the ‘substitute’ to Audit.”
 

NFJPIA-Region X and CARAGA Council
RFJPIA Cup Level 2 – Auditing Theory

ELIMINATION ROUND

EASY ROUND

RFJPIA CUP LEVEL 2 – Auditing Theory (EASY QUESTION #1)
The need for assurance services arises because:
a. There is a consonance of interests of the preparer and the user of the financial statements.
b. There is a potential bias in providing information.
c. Economic transactions are less complex than they were a decade ago.
d. Most users today have access to the system that generates the financial statements they use.
e. None of the above.

RFJPIA CUP LEVEL 2 – Auditing Theory (EASY QUESTION #2)
Which of the following is explicitly included in the Auditor’s responsibility section of
the auditor's report?
a. Reason for modification of opinion.
b. “Philippine Financial Reporting Standards”.
c. “Philippines Standards on Auditing”.
d. Division of responsibility with another auditor.
e. Management representations.

RFJPIA CUP LEVEL 2 – Auditing Theory (EASY QUESTION #3)
The measure of variability of a statistical sample that serves as an estimate of the population
variability is the:
a. Basic precision.
b. Range.
c. Measures of central tendency.
d. Standard deviation.
e. Interval.

RFJPIA CUP LEVEL 2 – Auditing Theory (EASY QUESTION #4)
If a control total were to be computed on each of the following data items, which
would best be identified as a hash total for a payroll CBIS application?
a. Net pay
b. Department numbers.
c. Hours worked
d. Total debits.
e. Total credits.

RFJPIA CUP LEVEL 2 – Auditing Theory (EASY QUESTION #5)
When the auditor determines that detection risk regarding a financial statement assertion
for a material account balance or class of transactions cannot be
reduced to an acceptable level, the auditor should express:
a. Qualified or adverse opinion.
b. Unqualified opinion with explanatory paragraph.
c. Qualified or disclaimer of opinion.
d. Unqualified opinion.
e. Adverse or disclaimer of opinion.

AVERAGE ROUND

RFJPIA CUP LEVEL 2 – Auditing Theory (AVERAGE QUESTION #1)
Which of the following is not explicitly referred to in the Code of Ethics as source of
technical standards?
a. Commission on Audit.
b. Auditing and Assurance Standards Council.
c. Securities and Exchange Commission.
d. Relevant legislation.
e. None of the above.

RFJPIA CUP LEVEL 2 – Auditing Theory (AVERAGE QUESTION #2)
This occurs when a firm or a member of the assurance team, promotes or may be
perceived to promote an assurance client’s position or opinion to the point that objectivity may
or may be perceived to be compromised. Such may be the case if a firm or a
member of the assurance team were to subordinate their judgment to
that of the client.
Answer: Advocacy threat.

RFJPIA CUP LEVEL 2 – Auditing Theory (AVERAGE QUESTION #3)
An auditor who discovers that client employees have committed an illegal act that has
a material effect on the client's financial statements most likely would withdraw from
the engagement if:
a. The illegal act is violation of generally accepted accounting principles.
b. The client does not take the remedial action that the auditor considers necessary.
c. The illegal act was committed during a prior year that was not audited.
d. The auditor has already assessed control risk at the minimum level.
e. The auditor cannot reduce the material effect of the illegal act to an immaterial one.

RFJPIA CUP LEVEL 2 – Auditing Theory (AVERAGE QUESTION #4)
A written representation from a client's management which, among other matters,
acknowledges responsibility for the fair presentation of
financial statements should normally be signed by the:
a. Chief executive officer and the chief financial officer.
b. Chief financial officer and the chairman of the BOD.
c. Chairman of the audit committee of the BOD.
d. Chief executive officer, the chairman of the BOD and the client's lawyer.
e. Chief executive officer, chief financial officer and the chairman of the BOD.

RFJPIA CUP LEVEL 2 – Auditing Theory (AVERAGE QUESTION #5)
CBIS controls are frequently classified as to general controls and application controls. Which of
the following is an example of an application control?
a. Programmers may access the computer only for testing and "debugging" programs.
b. All program changes must be fully documented and approved by the information systems
manager and the user department authorizing the change.
c. A separate data control group is responsible for distributing output, and also compares input
and output on a test basis.
d. Use of passwords and identification codes.
e. In processing sales orders, the computer compares customer and product
numbers with internally stored lists.
DIFFICULT ROUND
RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #1)
In studying a client's internal controls, an auditor must be
a b l e t o distinguish between prevention controls and detection controls. Of the
followingdata processing controls, which is the best detection control?
a.
Policy requiring password security.b . B a c k u p a n d r e c o v e r y p r o c e d u r e .
c.
Access controls.
d.
Use of data encryption techniques.
e.Review of machine utilization logs.RFJPIA CUP LEVEL 2 – Auditing Theory
(DIFFICULT QUESTION #2)
When the auditor encounters sophisticated computer-based systems, he or she may need to modify the audit approach. Of the following conditions, which one is not a valid reason for modifying the audit approach?
a. More advanced computer systems produce less documentation, thus reducing the visibility of the audit trail.
b. In complex computer-based systems, computer verification of data at the point of input replaces the manual verification found in less sophisticated data processing systems.
c. Integrated data processing has replaced the more traditional separation of duties that existed in manual and batch processing systems.
d. Real-time processing of transactions has enabled the auditor to concentrate less on the completeness assertion.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #3)
In an application of mean per unit sampling, the following information has been obtained:
Reported book value: P600,000
Point estimate (estimated total value): 591,000
Allowance for sampling risk (precision): ± 22,000
Tolerable error: ± 45,000
The appropriate conclusion would be that the reported book value is:
a. Acceptable only if the risk of incorrect rejection is at least twice the risk of incorrect acceptance.
b. Acceptable only if the risk of incorrect acceptance is at least twice the risk of incorrect rejection.
c. Acceptable only if the risk of overreliance is at least twice the risk of underreliance.
d. Acceptable.
e. Not acceptable.
RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #4)
Based on RA 9298, how many years can a partner who survived the death or withdrawal of other partner/s continue to practice under the partnership name after becoming a sole practitioner?
Answer: 2 years.
RFJPIA CUP LEVEL 2 – Auditing Theory (DIFFICULT QUESTION #5)
The following procedures may be performed by CPAs in an engagement:
1. Consideration of internal control
2. Observation
3. Inquiry and analysis
4. Inspection
5. Confirmation
6. Obtaining management representation letter
Which of the foregoing are normally performed in an agreed-upon procedures engagement?
Answer: 2, 3, 4 and 5 only.
CLINCHER QUESTIONS
RFJPIA CUP LEVEL 2 – Auditing Theory (CLINCHER QUESTION #1)
Which of the following is not a distinguishing feature of risk-based auditing?
a. Identifying areas posing the highest risk of financial statement errors.
b. Analysis of internal control.
c. Collecting and evaluating evidence.
d. Concentrating audit resources in those areas presenting the highest risk of financial statement errors.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (CLINCHER QUESTION #2)
In conducting a substantive test of an account balance, an auditor hypothesizes that no material error exists. The risk that sample results will support the hypothesis when a material error actually does exist is the risk of:
a. Incorrect rejection.
b. Alpha error.
c. Incorrect acceptance.
d. Type I error.
e. Risk of overreliance.
 
RFJPIA CUP LEVEL 2 – Auditing Theory (CLINCHER QUESTION #3)
In a distributed data base (DDB) environment, control tests for access control administration can be designed which focus on:
a. Reconciliation of batch control totals.
b. Hash totals.
c. Examination of logged activity.
d. Prohibition of random access.
e. Analysis of system generated core dumps.
RFJPIA CUP LEVEL 2 – Auditing Theory (CLINCHER QUESTION #4)
Which of the following might be detected by an auditor's review of the client's sales cut-off?
a. Excessive goods returned for credit.
b. Unrecorded sales discounts.
c. Lapping of year end accounts receivable.
d. Inflated sales for the year.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (CLINCHER QUESTION #5)
An auditor confirms a representative number of open accounts receivable as of December 31, 2010, and investigates respondents' exceptions and comments. By this procedure, the auditor would be most likely to learn of which of the following?
a. One of the cashiers has been covering a personal embezzlement by lapping.
b. One of the sales clerks has not been preparing charge slips for credit sales to family and friends.
c. One of the CBIS control clerks has been removing all sales invoices applicable to his account from the data file.
d. The credit manager has misappropriated remittances from customers whose accounts have been written off.
e. The internal control is effective.
FINAL ROUND
EASY QUESTIONS
RFJPIA CUP LEVEL 2 – Auditing Theory (AKIC) ACE QUESTION
This exists when other information contradicts information contained in the financial statements.
a. Material inconsistency.
b. Material difference.
c. Material deviation.
d. Material error.
e. None of the choices.
RFJPIA CUP LEVEL 2 – Auditing Theory (MTIM) JOKER QUESTION
The term "present fairly, in all material respect", means
a. The financial statements conform to GAAP.
b. The financial statements may still be materially misstated because the auditors may not have discovered the errors.
c. The financial statements are accurately prepared.
d. The auditor considers only those matters that are significant to the users of the financial statements.
e. Immaterial amounts are omitted from the financial statements.
RFJPIA CUP LEVEL 2 – Auditing Theory (SIC)
This occurs when by virtue of a close relationship with an assurance client, its directors, officers or employees, a firm or a member of the assurance team becomes too sympathetic to the client’s interests.
Answer: Familiarity threat.
RFJPIA CUP LEVEL 2 – Auditing Theory (PCC)
Which of the following acts is/are considered fraud?
1. Alteration of records or documents.
2. Misinterpretation of facts.
3. Misappropriation of assets.
4. Recording of transactions without substance.
5. Clerical mistakes.
Answer: 1, 3 and 4 only.
RFJPIA CUP LEVEL 2 – Auditing Theory (MVC)
This refers to the communication to the public of information as to the service or skills provided by professional accountants in public practice with a view of procuring professional business.
Answer: Advertising.
RFJPIA CUP LEVEL 2 – Auditing Theory (CMU)
Which of the following factors is/are essential to an effective internal auditing organization?
1. Operating responsibility.
2. Organizational status
3. Objectivity
Answer: 2 and 3 only.
RFJPIA CUP LEVEL 2 – Auditing Theory (COC)
The auditor's report should be dated as of the date on which the:
a. Field work is completed.
b. Report is delivered to the client.
c. Report is submitted to the audit committee.
d. Fiscal period under audit ends.
e. Review of the working papers is complete.
AVERAGE QUESTIONS
RFJPIA CUP LEVEL 2 – Auditing Theory (JPI) ACE QUESTION
Which of the following auditing procedures would the auditor not apply to a cutoff bank statement?
a. Trace year end outstanding checks and deposits in transit to the cutoff bank statement.
b. Reconcile the bank account as of the end of the cutoff period.
c. Compare dates, payees and endorsements on returned checks with the cash disbursements record.
d. Determine that the year end deposit in transit was credited by the bank on the first working day of the following accounting period.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (BSU) JOKER QUESTION
The most effective means for the auditor to determine whether a recorded intangible asset possesses the characteristics of an asset is to:
a. Vouch the purchase by reference to underlying documentation.
b. Inquire as to the status of patent applications.
c. Register the patent at the Patent Office to test its validity and acceptability.
d. Evaluate the future revenue-producing capacity of the intangible asset.
e. Analyze research and development expenditures to determine that only those expenditures possessing future economic benefit have been capitalized.
RFJPIA CUP LEVEL 2 – Auditing Theory (SMC)
The probability of a significant idle capacity loss increases under which of the following conditions?
a. Sales and production have increased significantly during the period under audit.
b. Sales and production have declined materially during the period under audit.
c. Sales have declined somewhat, but production has remained constant in anticipation of a sales recovery in the following accounting period.
d. The client has increased its overhead absorption rate effective at the beginning of the following accounting period.
e. Sales and production remained constant during the period under audit.
RFJPIA CUP LEVEL 2 – Auditing Theory (FSUU)
An audit report contains the following paragraph: "Because of the inadequacies in the company's accounting records during the year ended June 30, 2003, it was not practicable to extend our auditing procedures to the extent necessary to enable us to obtain certain evidential matter as it relates to classification of certain items in the consolidated statements of operations." This paragraph most likely describes
a. A material departure from GAAP requiring a qualified audit opinion.
b. An uncertainty that should not lead to a qualified opinion.
c. A matter that requires an adverse opinion.
d. A matter that the auditor wishes to emphasize and that does not lead to a qualified audit opinion.
e. A material scope restriction requiring a qualification of the audit opinion.
RFJPIA CUP LEVEL 2 – Auditing Theory (XU)
Under which of the following circumstances would a disclaimer of opinion not be appropriate?
a. The financial statements fail to contain adequate disclosure concerning related party transactions.
b. The client refuses to permit its attorney to furnish information requested in a letter of audit inquiry.
c. The auditor is engaged after fiscal year-end and is unable to observe physical inventories or apply alternative procedures to verify their balances.
d. The auditor is unable to determine the amounts associated with illegal acts committed by the client's management.
e. Under no circumstances.
RFJPIA CUP LEVEL 2 – Auditing Theory (IIT)
Morgan, CPA, is the principal auditor for a multi-national corporation. Another CPA has examined and reported on the financial statements of a significant subsidiary of the corporation. Morgan is satisfied with the independence and professional reputation of the other auditor, as well as the quality of the other auditor's examination. With respect to Morgan's report on the consolidated financial statements, taken as a whole, Morgan
a. Must not refer to the examination of the other auditor.
b. Must refer to the examination of the other auditor.
c. May refer to the examination of the other auditor.
d. May refer to the examination of the other auditor, in which case Morgan must include in the auditor's report on the consolidated financial statements a qualified opinion with respect to the examination of the other auditor.
e. May refer only if the other auditor consents.
RFJPIA CUP LEVEL 2 – Auditing Theory (SFXC)
In which of the following reports should a CPA not express negative or limited assurance?
a. A standard compilation report on financial statements of a non-public entity.
b. A standard review report on financial statements of a non-public entity.
c. A standard review report on interim financial statements of a public entity.
d. A standard comfort letter on financial information included in a registration statement of a public entity.
e. All of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (LDCU)
Comfort letters are ordinarily signed by the
a. Client.
b. Independent auditor.
c. Internal auditor.
d. Independent auditor and client.
e. Independent auditor and internal auditor.
DIFFICULT QUESTIONS
RFJPIA CUP LEVEL 2 – Auditing Theory (LC) ACE QUESTION
The engagement team for the 2010 audit of the financial statements of Sarimanok Company is composed of the following:
Partner: Jose Marquez
Senior associate: Asserina Tamayo
Manager: Shirley Cordova
Audit associates: Cristy Espenilla, Jona Lee
Following Philippine Standards on Auditing, who among the above would be considered as the auditor?
a. Jose Marquez only.
b. Jose Marquez and Asserina Tamayo only.
c. Jose Marquez, Asserina Tamayo and all the audit associates only.
d. Jose Marquez, Asserina Tamayo and Shirley Cordova only.
e. All of them.
RFJPIA CUP LEVEL 2 – Auditing Theory (NFJPIA) JOKER QUESTION
The following statements relate to CPA examination ratings. Which of the following is incorrect?
a. To pass the examination, candidates should obtain a general weighted average of 75% and above, with no rating in any subject less than 65%.
b. Candidates who obtain a rating of 75% and above in at least four subjects shall receive a conditional credit for the subjects passed.
c. Candidates who failed in four complete examinations shall no longer be allowed to take the examinations the fifth time.
d. Conditioned candidates shall take an examination in the remaining subjects within two years from the preceding examination.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (CTKC)
Which statement is incorrect regarding the nature of tests of controls?
a. As the planned level of assurance increases, the auditor seeks more reliable audit evidence.
b. Those controls subject to testing by performing inquiry combined with inspection or reperformance ordinarily provide more assurance than those controls for which the audit evidence consists solely of inquiry and observation.
c. The absence of misstatements detected by a substantive procedure provides audit evidence that controls related to the assertion being tested are effective.
d. A material misstatement detected by the auditor’s procedures that was not identified by the entity ordinarily is indicative of the existence of a material weakness in internal control.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (SPUS)
The assessment of the risks of material misstatement at the financial statement level is affected by the auditor’s understanding of the control environment. Weaknesses in the control environment ordinarily will lead the auditor to:
a. Have more confidence in internal control and the reliability of audit evidence generated internally within the entity.
b. Conduct some audit procedures at an interim date rather than at period end.
c. Decrease the number of locations to be included in the audit scope.
d. Withdraw from the engagement.
e. Modify the nature of audit procedures to obtain more persuasive audit evidence.
RFJPIA CUP LEVEL 2 – Auditing Theory (LSU)
Which of the following is least likely a procedure that would be performed by the auditor near the auditor’s report date?
a. Reading the minutes of the meetings of shareholders, the board of directors and audit executive committees held throughout the audit year.
b. Reading the entity’s latest available interim financial statements.
c. Inquiring of the client’s legal counsel concerning litigations and claims.
d. Reviewing the procedures that management has established to ensure that subsequent events are identified.
e. All are performed near the auditor’s report.
RFJPIA CUP LEVEL 2 – Auditing Theory (STC)
Which of the following statements is not true regarding the competence of audit evidence?
a. Relevance is enhanced by an effective information system.
b. To be competent, evidence must be both valid and relevant.
c. Validity is related to the quality of the client’s information system.
d. Relevance must always relate to audit objectives.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (FCC)
Which one of the following, if present, would support a finding of constructive fraud on the part of a CPA?
a. Privity of contract.
b. Intent to deceive.
c. Reckless disregard.
d. Ordinary negligence.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (SEC)
An auditor compares 2010 revenues and expenses with those of the prior year, investigating all changes exceeding 10%. By this procedure the auditor would be most likely to learn that:
a. An increase in property tax rates has not been recognized in the client's accrual.
b. The 2010 provision for uncollectible accounts is inadequate, because of worsening economic conditions.
c. Fourth quarter payroll taxes were not paid.
d. The client changed its capitalization policy for small tools in 2010.
e. All of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (MSUM)
Experience has shown that certain conditions in an organization are symptoms of possible management fraud. Which of the following conditions would not be considered an indicator of possible fraud?
a. Managers regularly assuming subordinates' duties.
b. Managers dealing in matters outside their profit center's scope.
c. Managers not complying with corporate directives and procedures.
d. Managers subject to formal performance reviews on a regular basis.
e. None of the above.
RFJPIA CUP LEVEL 2 – Auditing Theory (MU)
Given the increasing use of microcomputers as a means for accessing data bases, along with on-line real-time processing, companies face a serious challenge relating to data security. Which of the following is not an appropriate means for meeting this challenge?
a. Institute a policy of strict identification and password controls housed in the computer software that permit only specified individuals to access the computer files and perform a given function.
b. Limit terminals to perform only certain transactions.
c. Program software to produce a log of transactions showing date, time, type of transaction, and operator.
d. Prohibit the networking of microcomputers and do not permit users to access centralized data bases.
e. All are appropriate measures for maintaining data security.
