
INFOTECH3: AUDITING IN CIS ENVIRONMENT

Introduction: Auditing and CIS

Auditing
- Systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of
correspondence between those assertions and established criteria and communicating
the results thereof.
● Systematic process
➢ Structured as a dynamic activity in a logical manner
● Obtaining and evaluating evidence
➢ Auditor is concerned about assertions relating to the reliability of the
system of internal control and the content of the files or outputs produced
by computer processing
➢ Auditor performs both compliance testing and substantive testing
➔ Compliance testing - Evaluation of internal control
➔ Substantive testing - Basis on rendering opinion about FS
● Ascertain the degree of correspondence between those assertions and
established criteria
➢ It requires judgment on the auditor’s part as to what constitutes a
non-compliance
● Communicating the results
➢ To the client and other interested parties
➢ Preparation of the audit report
Who shall perform the audit?
- A person/s having adequate technical training and proficiency as an auditor

Impacts of Computers on the accounting and auditing process


1. Internal storage
- With the representation of information in electronic form inside the computer, the
auditor is no longer able to observe the processing of data to determine whether the
proper procedures are being used
2. Programs can be changed without the auditor’s knowledge
- Such change can occur through a console intervention, or with codes that can
modify themselves while the program is running
3. Elimination of audit trail
- Partial elimination or disappearance of those documents, records, journals,
ledgers and other documents that enable the auditor to trace a transaction from
source document to summarized totals in an accounting report, or vice versa
4. Multiprogramming or multiprocessing
- With the ability of computer systems to process several applications
simultaneously, files currently being reviewed can be modified during data
processing by another program
5. Remote processing (teleprocessing)
- A major threat is the potential loss of assets from unauthorized access to
programs and files
- Data might be lost during transmission
- Phishing
➔ An attempt to acquire sensitive information such as usernames,
passwords, bank account and credit card details for malicious reasons, by
masquerading as a trustworthy entity in an electronic communication
6. Speed, Online / Real time processing
- Since account balances are updated immediately upon entering the system, it
could mean that before the auditor had finished reading and adding the balances,
some of the balances may have already changed
7. Multiple locations
- The complexity of multiprocessing and online / real time systems is compounded by
processing in several locations:
➔ Several floors and offices in a building
➔ Several buildings in a compound
➔ Several geographical locations
8. Rapid changes: technology, business needs

Auditing Approaches
1. Auditing around the computer (Black-box Approach)
- Examines the inputs and outputs generated by the system, outside the computer
- Traditional method
2. Auditing with the computer
- Using the computer / software
3. Auditing through the computer (White-box Approach)
- Enters / submits data to a computer for processing and then analyzes the results to
determine whether they were processed correctly
- Concerned with the internal processing of the computer system

Auditing Standards and CIS Auditing Concepts

Generally Accepted Auditing Standards (GAAS)

General Standards (TIP)


1. The auditor must have adequate TECHNICAL TRAINING and PROFICIENCY to perform
the audit
2. The auditor must maintain INDEPENDENCE in mental attitude in all matters relating to
the audit
3. The auditor must exercise due PROFESSIONAL CARE in the performance of the audit
and the preparation of the auditor’s report

Standards of Field Work (PIE)


1. The auditor must adequately PLAN the work and must PROPERLY SUPERVISE
any assistants
2. The auditor must obtain sufficient understanding of the entity and its environment,
including its INTERNAL CONTROL, to assess the risk of material misstatement of the
financial statements whether due to error or fraud, and to design the nature, timing, and
extent of further audit procedures
3. The auditor must obtain sufficient appropriate audit EVIDENCE by performing audit
procedures to afford a reasonable basis for an opinion regarding the financial statements
under audit

Standards of Reporting (GIDO)


1. The auditor must state in the auditor’s report whether the financial statements are
presented in accordance with GENERALLY ACCEPTED ACCOUNTING PRINCIPLES
(GAAP)
2. The auditor must IDENTIFY in the auditor’s report those circumstances in which such
PRINCIPLES HAVE NOT BEEN CONSISTENTLY OBSERVED in the current period in
relation to the preceding period
3. If the auditor determined that informative DISCLOSURES in the financial statements are
NOT REASONABLY ADEQUATE, the auditor must so state in the auditor’s report
4. The auditor’s report must either express an OPINION REGARDING THE FINANCIAL
STATEMENTS, taken as a whole, or state that an opinion cannot be expressed. When
the auditor cannot express an overall opinion, the auditor should state the reasons in the
auditor’s report. In all cases where an auditor’s name is associated with financial
statements, the auditor should clearly indicate the character of the auditor’s work, if any,
and the degree of responsibility the auditor is taking, in the auditor’s report.

Compliance Testing
- Standards of Field Work 2
- Internal Control assessment

Internal Control
- Comprises the plan of the organization and all of the methods and procedures adopted
by a business to: (objectives of internal control)
➔ Safeguard its assets
➔ Check the accuracy and reliability of its accounting data
➔ Promote operational efficiency
➔ Encourage adherence to prescribed managerial policies
- Internal control systems
➢ Administrative controls
➔ The plan of the organization and the methods and procedures to promote
operational efficiency and encourage adherence to prescribed
managerial policies
➢ Accounting controls
➔ The plan of the organization and the methods and procedures used to
safeguard assets and to check reliability of accounting data
➔ AIS Controls
❖ General Controls
❖ Application Controls

AIS Controls
1. General controls
- Controls over the general environment in which the system is developed, maintained,
and operated
- Having pervasive effects
➔ If they are weak or absent, they negate the effects of the application
controls
a. Organizational controls
b. Sound personnel practices
c. Standard operating procedure
d. Systems development controls
e. Documentation controls
f. Hardware controls
g. System software controls
h. Systems security controls
2. Application controls
- Relate to the specific tasks performed by the computer
- Aim is to ensure validity, completeness, and accuracy of data
➔ Input controls
❖ Ensures that
➢ Input data are authorized by the appropriate official
➢ Data represent valid record of actual transaction
➢ Correctly classified for the purpose of accounting
❖ Sequence check is an example of an input control
➔ Processing controls
❖ Mechanical control
❖ Programmed control
➢ Done during the system development to ensure that only
data related to a particular transaction is processed
➔ Output controls
❖ Ensures that the output:
➢ Relates precisely to the original input
➢ Represents the outcome of a valid and tested program of
instructions
➢ Reports are only accessed by the authorized personnel,
and checked by someone as to its reasonableness
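The sequence check named above as an input control, written out as an added Python example (not code from the original notes): it takes a batch whose header states the sequence range the batch should contain and reports the exceptions an input control would raise. The batch layout and the sample records are constructed for illustration.

```python
# Added example (not from the original notes): a sequence check as an input
# control over a batch of transactions. The batch layout, the control header
# and the sample records are constructed for illustration.

# Constructed batch header: the sequence range the batch should contain.
BATCH_HEADER = {"first_seq": 1001, "last_seq": 1010}

# Constructed batch body: (sequence number, amount) per transaction.
BATCH_RECORDS = [
    (1001, 250.00),
    (1002, 75.50),
    (1004, 120.00),   # 1003 is missing
    (1005, 99.99),
    (1005, 99.99),    # duplicate submission
    (1007, 10.00),
    (1006, 42.00),    # out of order
    (1008, 300.00),
    (1011, 5.00),     # outside the stated range
]


def sequence_check(header, records):
    """Return the exceptions a sequence check reports for one batch.

    missing      : numbers in the header range with no record
    duplicate    : numbers appearing more than once
    out_of_range : numbers outside the header range
    out_of_order : positions whose number is lower than the one before it
    """
    first, last = header["first_seq"], header["last_seq"]
    expected = set(range(first, last + 1))
    seen = {}
    out_of_order = []
    prev = None
    for pos, (seq, _amount) in enumerate(records):
        seen[seq] = seen.get(seq, 0) + 1
        if prev is not None and seq < prev:
            out_of_order.append(pos)
        prev = seq
    present = set(seen)
    return {
        "missing": sorted(expected - present),
        "duplicate": sorted(s for s, n in seen.items() if n > 1),
        "out_of_range": sorted(present - expected),
        "out_of_order": out_of_order,
    }


def batch_accepted(header, records):
    """A batch passes the input control only when no exception is raised."""
    return not any(sequence_check(header, records).values())


if __name__ == "__main__":
    result = sequence_check(BATCH_HEADER, BATCH_RECORDS)
    for kind, items in result.items():
        print(f"{kind:13}: {items}")
    print("accepted:", batch_accepted(BATCH_HEADER, BATCH_RECORDS))
```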

Substantive Testing
1. Test of details of transactions and balances
➔ Complexities include automatic:
- Authorization of sales within certain limits
- Issuance of checks to vendors on due dates
2. Analytical review procedures
➔ Performed to detect unusual relationships among financial information
➔ Review may include comparison of this year’s amounts with last year’s; actual
results with budget or forecast; review of financial ratios
➔ Not significantly different from a manual or mechanical system

Dual-purpose Testing
- Both types of tests, compliance and substantive, are performed at the same time

Who performs the Computer Auditing Tasks?


- Demands as to expertise placed on the auditor:
“If the client uses electronic processing in its accounting system, whether the application is
simple or complex, the auditor needs to understand the entire system sufficiently to
enable him to identify and evaluate its essential accounting control features”

When to perform the procedures?


1. Auditing concurrently with processing
- Information is available to the auditor while program is running
2. Auditing after processing
- Audit procedures are performed after a computer program is finished

Where in the processing cycle the audit should be performed?


1. Auditing the phases of processing
- Refers to the study and evaluation of internal control
2. Auditing the results of processing
- Refers to the collection of evidential matter; emphasis is on the direct test of
account balances

Which parts of the system the audit should be performed?


1. Auditing computer programs
2. Auditing computer files
3. Auditing computer systems

AIS Internal Controls

EDP = Electronic Data Processing


ISD = Information Storage Device

General Controls
1. Organizational Controls (Plan of Organization)
- Relate to the segregation of duties in order to reduce error or fraud:
1. Segregation of EDP and User Functions
a. Error detection, correction, and resubmission
- Systems tests performed during systems development
ensure the elimination of errors
- When errors occur, generally, they are corrected and
resubmitted at source
b. Segregation of incompatible functions
i. Authorization
- As a general rule, IT should not be permitted to
authorize transactions; however, some
authorization functions are incorporated in the
computer program
- Examples: materials reordering system, customer
order processing
ii. Execution
- Steps in the transaction processing cycles and
changes to master files are to be performed by the
users; today, execution is done automatically
through instructions in the program
- Examples: systems-generated financial entries,
automatic reversing entries
iii. Accountability
- EDP should not have custody of non-EDP assets
- Access is normally indirect, e.g., the computer
program contains the instructions to release
inventory for shipment
2. Segregation of functions within EDP
a. Systems Development
- Systems analysis
- Application programming
- Systems programming
b. Operations
c. Database Administration
- Independent librarian function
3. Segregation of functions among users
- Compensatory controls
- Generally manual controls that are performed to
compensate for the internal control weakness arising from
the non-segregation of duties:
➔ Review and approval of purchase by Purchasing
Department
➔ Review of exception lists from credit approval runs
- Review and tests of compliance for Organizational Controls
1. Review of organization charts
2. Review job descriptions of ISD/EDP and users pertaining to error
handling
3. Interview management and operating staff to determine the degree of
effectiveness of supervision
4. Prepare a system flowchart for each transaction processing cycle and
review the segregation of duties
5. Review pre-processing controls, such as prior approval of master file
changes
6. Review the audit program of internal auditors to determine the
completeness and adequacy of their review and test of internal control

2. Sound Personnel Practices


- Provide control over the quality of work by ensuring that personnel are competent
and honest
- Provide policies that encourage compliance
a. Hiring and evaluation of personnel
i. Hiring test
- Mostly behavioral and personality
ii. Background check
- Checking of character references, recommendations from
previous employers, NBI and police clearance
iii. Fidelity bonds
b. Personnel scheduling
- Irregularities may be discovered during an employee’s absence
c. Rotation of duties
- Enable the employee to master other tasks, thus, effectiveness is
improved
- When a task is performed by another, opportunities for
improvement can be identified
d. Performance evaluation
- A tool to identify strengths and areas of improvement
- A good basis for rewards and remunerations
e. Training and development
- Enhances employee performance and potential for more
responsible roles
- Continuing Professional Education (CPE)
f. Career path
- A tool to formalize target positions
- Helps identify training needs
- Encourages loyalty and dedication
g. Rewards and remuneration
- Induces employees to perform their best
h. Formalization of personnel practices
- Conveys the company’s sincerity to its commitments
i. Psychological control
- Employees tend to display positive behavior if it goes with a
reward or punishment as the case may be.

- Review and Test of Compliance for Sound Personnel Practices


1. Review hiring and evaluation procedures, for example aptitude tests and
background checks
2. Review performance appraisal and its link to rewards and
remuneration; employees should know which areas they should improve on
3. Review staff development
4. Review promotion policies and recent promotions to ensure that
movements pose no threat to control. Control is better than trust
5. Review staff turnover statistics and frequency of staff hiring to ensure that
the aptitude of staff poses no undue control risk

3. Standard Operating Procedures


- Identify procedures that ensure high quality processing and limit the opportunity
for errors, and unauthorized use of files, programs and reports
a. Scheduling
- The operations of the computer should follow realistic schedules
to allow for assembly and preventive maintenance
- It is important to do preventive maintenance to prevent the
system from crashing
b. Machine operations
- Include procedures for loading programs and storage devices
(how you run the machines)
➔ To avoid overlapping, there should be certain procedures
to follow including storage devices (make sure to save in
the correct storage device)
- Requirement that console error messages be responded to
uniformly
➔ Console error messages
◆ A screen display indicates that something is wrong
and must be responded to
c. Machine performance
- Identification and correction of equipment snags help reduce the
incidence of hardware-induced errors
- Standards are set for elapsed time, expected downtimes and other
conditions
- Periodic review of equipment maintenance and failure logs, and
comparison of actual equipment performance with standards
➔ If there are frequent lags, there may be hardware-induced
errors
➔ Equipment snags (how often the system lags)
➔ Elapsed time (how long can the system work)
d. Job-run procedures
- Job is the “program”
- These procedures generally outline the sequence of the programs
to ensure that the required processes are performed in the correct
order
➔ Follow the correct sequence of running the job
- Example: Variance Report Preparation
➔ Update physical standards
➔ Input volume of production
➔ Enter actual quantities consumed
➔ Calculate variances
e. Console log and personnel time record
- Console log is a record made by the system (for every access) and
displayed on the computer screen
➔ Time in and out, and the actions performed in the system
- Should be prepared by the operating system to record all operating
and application system activities, maintain an equipment utilization
record and identify operator and user initiated actions
- It provides an important control over unauthorized system use
f. Housekeeping
- Procedures relating to the use of supplies, storage of programs,
and handling of files are designed to reduce the risk of loss or
destruction of programs and data
- It ensures that sensitive output does not fall into unauthorized
hands
- Reduce the risk of loss or destruction of program or data
g. File control standards
- Standards for the handling of files are necessary to minimize
opportunities for misuse, damage, or loss of files
- Standards include file names, retention dates, reconstruction
procedures and storage location
- The files are controlled by a librarian
h. Adequate supervision
- Control and review of operating activities which include periodic
examination and comparison of console logs, job records and
personnel time records
- People often do their job best when someone is watching
i. Emergency and physical security procedures
- Plans and procedures to protect programs, files and equipment
from fire, theft, natural disasters, power failure, or failure of
communications
- Emergency and physical security procedures should be written
and included in the systems and procedures manual
- It should be documented and it is important to make sure that
people will know what needs to be done during emergencies
➔ Fire drill is being done to see if the procedure is sufficient
- Review and tests of compliance for SOP
1. Review the operations section of the systems and procedures manual to
determine the adequacy and completeness of written standards
2. Observe computer operations to determine whether they follow SOPs for
equipment operations
3. Review supervisory comparisons of console logs with personnel time
records
4. Review comparisons of equipment failure logs and other performance
measures with equipment performance standards to ensure that
equipment performance is monitored appropriately
5. Observe housekeeping procedures
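The supervisory comparison of console logs with personnel time records (review step 3 above, and the console log control under item e), as an added Python example that is not part of the original notes: each operator-initiated console action is checked against the operator's recorded time in and time out, and actions by unknown operators or outside recorded hours are listed for follow-up. The log format, the time-record format and all entries are constructed for illustration.

```python
# Added example (not from the original notes): comparing console log entries
# with personnel time records. The "timestamp|operator|action" log format,
# the time-record layout and every entry below are constructed.
from datetime import datetime

# Constructed console log as the operating system might record each
# operator-initiated action.
CONSOLE_LOG = """\
2024-03-04 08:05|opA|LOAD PAYROLL
2024-03-04 09:40|opA|RUN PAYROLL
2024-03-04 18:20|opA|RUN LEDGER
2024-03-04 14:10|opB|MOUNT TAPE 17
2024-03-04 14:15|opZ|RUN LEDGER
2024-03-04 16:00|opB|LOAD LEDGER
"""

# Constructed personnel time record: operator -> list of (time in, time out).
TIME_RECORDS = {
    "opA": [("2024-03-04 08:00", "2024-03-04 17:00")],
    "opB": [("2024-03-04 13:00", "2024-03-04 22:00")],
}

FMT = "%Y-%m-%d %H:%M"


def parse_console_log(text):
    """Turn the raw log into (timestamp, operator, action) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, action = line.split("|", 2)
        entries.append((datetime.strptime(ts, FMT), operator, action))
    return entries


def on_shift(operator, when, time_records):
    """True if the operator was clocked in at the given moment."""
    for start, end in time_records.get(operator, []):
        if datetime.strptime(start, FMT) <= when <= datetime.strptime(end, FMT):
            return True
    return False


def review_console_log(log_text, time_records):
    """Return the exceptions a supervisor would follow up on.

    unknown_operator : operator id with no time record at all
    off_shift        : action recorded while the operator was clocked out
    """
    exceptions = []
    for when, operator, action in parse_console_log(log_text):
        if operator not in time_records:
            exceptions.append(("unknown_operator", when.strftime(FMT), operator, action))
        elif not on_shift(operator, when, time_records):
            exceptions.append(("off_shift", when.strftime(FMT), operator, action))
    return exceptions


if __name__ == "__main__":
    for kind, when, operator, action in review_console_log(CONSOLE_LOG, TIME_RECORDS):
        print(f"{kind:16} {when} {operator:5} {action}")
```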

4. Systems Development Controls


- The best time to build in the application controls is during the development of a
system
- It would be easier compared with doing the program revisions later in order to
incorporate the control
1. Systems development methodology
a. SDLC - System Development Life Cycle
- Planning, analysis, design, development and
implementation
- Building-in of required application control
- Users’ training and users’ procedures manual
b. Post implementation optimization
- Was there an evaluation that the new system meets the
business requirements?
c. Documentation
- Provides control over the prevention, detection and
correction of errors
2. Project management
- The systems development methodology will be of little value if
development projects are not adequately managed
- Somebody must take charge
➔ Make sure that the system study is done within the desired
scope
➔ To see to it that all aspects or milestones are being
managed
3. Programming conventions and procedures
- Conventions
➔ Refer to the agreed standards, for example, in the use of
symbols, charts, texts, graphs or writing manuals
➔ Also pertain to the uniform procedures followed in order to
ensure the same accurate results every time a job is
performed
➔ Some of these are:
◆ Flowcharting conventions
- Agree on what symbols to be used
◆ Decision table conventions
- Actions to be taken in light of various
conditions
◆ Coding conventions
1. Computer code or program code
- The set of instructions forming a
computer program which is
executed by a computer
2. Data code
- A number, letter, character, or any
combination thereof used to
represent a data element or data
item
- Data coding conventions provide a
common understanding of the
meaning of the codes
➢ Significant digit code
➢ Sequence code
➢ Mnemonic code
➢ Last digit code
➢ Identifiers
➢ Check digit code
◆ Standard glossary and standard abbreviations
- Terms and abbreviations that are unique to
a particular installation should be carefully
defined
- Use of non-standard terms and
abbreviations should be prohibited to make
review of documentation easier
◆ Standard program routines
- A subroutine is a portion of code within a
larger program that performs a specific task
and is relatively independent of the
remaining code
- Also called procedure, function, routine,
method, or subprogram
- The main sequence of logic in a program
can branch off to a common routine when
necessary. When finished, the routine
branches back to the next sequential
instruction following the instruction that
branched to it
◆ Standard job control procedures
- Provides the interface between the
application program and the operating
system
◆ Debugging
- Standard debugging techniques increase
the chance that errors will be found and
provide a trail of program changes, thereby
reducing the opportunity for unauthorized
program change
◆ Auditing conventions
- The programming standards manual should
include a list of required controls and audit
features
4. User, Accounting, and Audit Participation
- Ensures that users’ requirements are met by the system
- User participation represents commitment and approval
- Users recognize their responsibility and their dependence on the
output
- Audit participation provides the opportunity to make suggestions
regarding improvements in internal control
5. Technical, Management, User, and Auditor Review and Approval
- Review and approval ensures that the system has adequate
controls and is acceptable to all stakeholders
- Technical level
➔ Work outputs for each phase should be reviewed and
approved by the systems and programming supervisors
before submission to users, auditors and management for
approval
- Output level
➔ Requires that users, auditors and management review and
approve the work output at the end of each phase
6. System Testing
- An important control because it is the last opportunity to discover
and correct problems before implementation of the system
- Purpose:
➔ To ensure that the system will operate in conformance with
the design specifications
➔ To determine whether the system’s operations meet user
requirements
➔ To test whether all application controls work as intended
➔ To verify that errors in input, processing and output will be
detected
- Program tests
➔ Testing of the processing logic of the programs
- String tests
➔ Instead of a single program, they are applied to a string of
logically related programs
- System tests
➔ Applied to all programs in the system to check whether they
function when run at the same time
7. Final Approval
- Provides an opportunity to examine the final test results to make a
final judgment
- It should be given by management, users and IT or EDP
personnel before the system is implemented
8. Conversion and Migration Control
- Controls to prevent and detect errors when converting and
migrating files to the new system
- Data conversion
➔ The translation of computer data from one format to
another
- Data migration
➔ The process of transferring data from one system to
another; generally, migration requires data conversion
- Control procedures:
➔ File conversion approval should be obtained before the
process begins to ensure that the files being converted are
fully controlled
➔ The original and the new files can be reconciled through
record counts, hash totals or amount totals
➔ Compare records from the original files with the new
files to ensure that there are no discrepancies
➔ Confirmation requests may be sent to third parties asking
them to confirm the data that relates to them
➔ Operational approval should be obtained from the users
after they have used the system a few times, which serves
as the “acceptance test”
◆ Approval indicates their satisfaction with the way
the system is operating
- After the new system is migrated and in use, the users are allowed
a little time to check whether the system is serving its purpose; if
satisfied, they conduct the acceptance test
9. Post-implementation Review
- Concerns system optimization (part of the implementation
phase)
➔ System is evaluated to find areas that need improvement
(continuous process)
- Conducted to:
➔ Determine if the system is operating as intended
➔ Evaluate the effectiveness of the entire process of
developing the system. “The feedback from this review is
useful to the external auditor as it indicates that controls
are either functioning as desired or not”
10. Program Change Control
- Even if there are no errors or bugs during system implementation,
there will still be changes to continue improving the
system
- Strong systems development controls are negated if subsequently,
unauthorized modifications to the programs are performed due to
inadequate program change control
- Program changes result from a desire to improve the system, the
need to adjust to changing business conditions or the need to
incorporate new operating, accounting and control policies
- The objective of program change control is to ensure that all
program change requests are approved and authorized and that
all approved and authorized program change requests are
completed
➔ Systems personnel
◆ Allowed personnel / authorized personnel who are
already running the program
➔ Production program
◆ Program that actually produces financial reports
- Controls:
a. Program changes should be in accordance with
established systems, programming and documentation
standards
b. Program changes should be restricted to systems
personnel; operating personnel should not make changes
to programs - even temporary changes to facilitate the
running of a program
c. The changes should be reviewed and approved by the
user to ensure conformity with the purpose of the change
d. Changes should be made to the test program and not the
production program to limit the opportunities to make
unauthorized changes to the production program
e. Changes should be tested thoroughly before
implementation
f. Program changes and test results should be reviewed and
approved
g. User and operating personnel should be retrained, if
needed, to handle new procedures
h. All documentation affected by the change should be
updated
i. Controls should be established over the conversion to the
new program; the conversion is accomplished by:
➔ Changing the new program to a production status
➔ Copying the old program to a back-up file and
deleting it from the library of production programs
j. Conversion should not be permitted before approval of the
test results and completion of changes to documentation
k. Final approval should be given by data processing
management and the user
- Review and tests of compliance for Systems Development Controls
1. Review the systems development standards manual to determine the
existence of policy and guidelines
2. Select applications from those in operation and verify if the standards are
being met
3. Examine selected flowcharts, decision tables, and coding sheets to
ascertain that conventions and procedures are followed
4. Check appropriate documents and related approvals for evidence that the
user and accounting departments have an adequate understanding of
systems inputs, processing procedures, controls, and systems outputs
5. Review test data and the resulting output to determine if testing is
reasonably comprehensive
6. Review the results of program and string tests to ensure that such tests
are thorough and sufficient
7. Evaluate the results of systems tests of valid and invalid transactions to
confirm that the system as a whole is being tested adequately
8. Review the procedures for reconciling output produced during pilot and
parallel testing
9. Review plans for controlling the conversion and migration from the old
system to the new system to check if the plans are sufficient to ensure
that data on the new files are accurate and complete
➔ Electronic vs manual conversion
➔ Migration of balances only or with details of transactions or
transaction history
➔ Gradual migration or parallel or all-at-once
10. Evaluate the procedure used to reconcile the original and new files
11. Examine discrepancy reports for evidence of appropriate correction of
errors
12. Interview systems development staff, users and management to
determine their views on the effectiveness of controls in the system
13. Review documentation in support of program changes to determine
whether the changes have been approved properly
14. Examine results of tests performed on modified programs to ascertain
that modifications were done correctly
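The reconciliation of the original and new files by record counts, hash totals and amount totals described under Conversion and Migration Control (item 8) and review step 10 above, as an added Python example that is not code from the original notes: control totals are compared first, then records are compared one by one to locate the discrepancies. The file layout (account number, name, balance) and both extracts are constructed.

```python
# Added example (not from the original notes): reconciling the original file
# with the converted file by record count, hash total and amount total, then
# comparing records one by one. The file layout and sample data are constructed.
import csv
import io
from decimal import Decimal

# Constructed extract of the original file (old system).
ORIGINAL_CSV = """\
account,name,balance
100234,Alpha Trading,1250.00
100235,Beta Supply,-80.25
100236,Gamma Foods,0.00
100237,Delta Metals,9999.99
"""

# Constructed extract of the converted file (new system): one record was
# dropped and one balance was mistyped during conversion.
CONVERTED_CSV = """\
account,name,balance
100234,Alpha Trading,1250.00
100235,Beta Supply,-80.25
100237,Delta Metals,9990.99
"""


def load_records(text):
    """Parse a CSV extract into {account: (name, balance)}."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        records[row["account"]] = (row["name"], Decimal(row["balance"]))
    return records


def control_totals(records):
    """Record count, hash total and amount total for one file.

    The hash total sums the account numbers, a field with no monetary
    meaning, so that a dropped or altered key is detected even when the
    amount total happens to agree.
    """
    return {
        "record_count": len(records),
        "hash_total": sum(int(acct) for acct in records),
        "amount_total": sum((bal for _, bal in records.values()), Decimal("0")),
    }


def reconcile(original, converted):
    """Compare control totals first, then drill down to record-level differences."""
    orig_totals = control_totals(original)
    conv_totals = control_totals(converted)
    common = set(original) & set(converted)
    return {
        "totals_match": orig_totals == conv_totals,
        "original_totals": orig_totals,
        "converted_totals": conv_totals,
        "missing": sorted(set(original) - set(converted)),
        "extra": sorted(set(converted) - set(original)),
        "changed": sorted(a for a in common if original[a] != converted[a]),
    }


if __name__ == "__main__":
    report = reconcile(load_records(ORIGINAL_CSV), load_records(CONVERTED_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
```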
5. Documentation Controls
- Should be completed prior to implementation phase
Documentation
- Consists of documents and records which describe the system and procedures
for performing a data processing task
- A means of communicating both the essential elements of a system and the logic
followed by the computer programs
- An integral part of the systems design and documentation process
- Purposes of documentation
1. Provides a source of information for systems analysts and programmers
who are responsible for maintaining and changing existing systems and
programs
2. Provides explanatory information necessary for review of proposed
systems and programs
3. Serves as basis for training new personnel
4. Provides data necessary for responding to inquiries regarding the
operation of a computer program
5. Basis for communicating common information to systems analysts,
programmers and computer operators
6. It provides computer operators with current operating instructions
7. Preserves continuity when experienced personnel leave the organization
8. It is a source of information about accounting controls
- What constitutes adequate documentation?
1. Problem definition documentation
- A permanent summary of the problem solved by the system
- It represents the basic source of information regarding the purpose
of the system
- In organizations that utilize a standard systems development
approach, the original source of the problem definition information
is the project plan, also called project charter or systems
planning study report
- Inclusions:
a. Description of the reasons for implementing the system
including the objectives and scope of the project
b. System specifications describing the operations performed
by the system
c. Evidence of approval and any subsequent changes in
systems specifications
2. Systems documentation
- A record of the way information flows through the system from
input to file medium and then onto output
- It permits the tracing of the theoretical flow of accounting data
from the original entry to the system output
➔ Useful for the auditors in evaluating the adequacy of the
audit trail provided by the systems
- Inclusions:
a. Systems flowchart
b. Input descriptions
- Identify the type of source documents used
- For example, this may be a description of the Time
Keeping System as a source of time data in a
payroll or labor distribution system
c. Output descriptions
- Show each type of output generated by the system
- Defines where the output is stored, what files are
updated, the medium of providing the users (screen
displays or printed copies), the use of the output,
who uses it, when is it used and the frequency of
need
d. File description
- Lists individual files and describes the scope and
functions of each file
- For example, a customer master file may be
described as containing customer data, i.e.,
customer name, delivery address, billing address,
contact number, credit limit, payment terms etc
e. Control description
- Summarize the main control features that are
designed into the system, e.g., general controls and
application program controls
f. Change summary
- List of all changes that have been made and their
effective dates along with copies of authorizations
of these changes
3. Program documentation
- Focuses on detailed information regarding each program in the
system
- The detailed information is used to maintain effective control over
program changes and to define the current status of each program
- Inclusions:
a. Brief narrative description of the functions of the program
b. Program flowcharts, or detailed logical narrative showing
how the program operates, e.g., whether all account
balances should be printed or just those with abnormal
balances
c. Listing of parameters used in the program such as tax
withholding table
d. A list of application controls such as data entry validation
and output controls
e. Detailed description of file formats and record layouts;
typical information includes the names of all fields within a
record, field location, field sizes and field data character
type
f. A description of code values, for example codes used to
identify transactions being processed
g. A record of all program changes, including test results,
authorization for the changes, and their effective dates
4. Operations documentation
- The information provided to enable the computer operator to run
the computer program
- It is known as the Systems and Procedures Manual, or simply
the Operations Manual.
- Inclusions:
a. A brief narrative that indicates the purpose of the program
b. An input/output chart that lists all the inputs and outputs
required for processing the program and the sequence in
which they are to be used
c. A description of input/output forms and formats, including
an output distribution list, provided for the operators’
guidance
d. A list of set-up instructions and operating systems
requirements
e. A list of all program error messages and halts with the
description of the action to be taken in response to each
error message and halt condition
f. Detailed instructions regarding recovery and restart
procedures to be used in the event of hardware or software
malfunction
g. A list of estimated normal and maximum runtime
h. A list of instructions to the operator in case of emergency
5. User documentation
- A step by step guide that the users can refer to as they use the
system
- Useful in training new or replacement personnel
- Valuable for the auditor in understanding the user’s role in the
processing of data and evaluating the degree of control provided
by the user
- Inclusions:
a. A nontechnical description of the system including the
benefits the user may derive from it
b. A description of the types of source documents required,
such as purchase orders
c. A description of the form and purpose of each output
received by the users
d. Detailed instructions for the use of control procedures with
identification of responsibility for the performance of these
control procedures
➔ Responsibility is defined by positions and not
by individual person
e. Procedures for correcting errors in input data or in
processing that are detected by the user
f. Instructions for handling additions, deletions, or corrections
to files
g. Procedures for cutoff of data submitted for processing,
including dates and times for final submission of data
h. A checklist for review of reports for completeness and
accuracy
6. Hardware Controls
- Provided by the hardware manufacturers
- Today’s computers are designed to be very reliable and most of them have built-in
hardware controls
- Even so, it is essential that the auditor evaluate the impact of hardware
controls on system reliability
- Hardware controls:
1. Redundant character check
- A bit, two bits or a set of bits for the purpose of detecting errors
- Data are stored in binary codes: sequence of zeros and ones
(bits)
- The single parity bit is the creation of an additional bit for each
character processed
- The computer counts the number of 1 bits in each character to
determine if the count is odd or even
- In an odd parity bit check, the computer will add a parity bit of 0 if
the count is odd, and a 1 if the count is even
- Redundant means extra (extra character)
2. Duplicate process check
- Uses the principle of complementary operation to detect and
correct errors
- An operation is performed twice, then the results are compared;
any difference indicates a hardware-induced error
3. Echo check
- The purpose is to ensure that commands sent to peripherals or
remote equipment are obeyed and that data are received correctly
- The peripherals or remote equipment send back (echo) a signal
verifying that the command has been received and complied with
4. Equipment check
- Controls built into the circuitry of the computer to ensure that the
equipment is functioning properly and, where necessary, to provide
automatic error correction
- Automatic error correction takes the form of either:
➔ Automatic error diagnosis, or
➔ Automatic retry
5. Validity check
- To ensure that actions taken by the computer are valid
➔ Operation validity: ensures that only valid instructions are
performed
➔ Character or field validity check: compares the data characters
of a file that are written or read against the set of all valid
characters or fields
➔ Address validity: check of storage location in memory or in
a peripheral device
6. Power protection
- Protects the hardware from power fluctuations (spikes or surges)
- Enables the computer to continue operations in case of power
interruptions (UPS - uninterruptible power supply)
7. Operational manual controls
a. Equipment failure logs
b. Environmental controls
- Dust, temperature, humidity
c. Formal recovery procedures
d. Preventive and corrective maintenance
- Review and test of compliance for Hardware Controls
➔ NOT ALL CONTROLS are present in every piece of hardware; the more
controls are present, the more expensive the hardware
1. Inquire regarding the make, model, size and number of computer and
peripheral hardware devices
2. Review vendor literature or other documentation to determine what
hardware controls are available
3. Review error logs to determine the frequency of hardware-induced errors
4. Review equipment failure logs, downtime reports, maintenance reports
and other operating statistics to determine the reliability of the hardware
5. Review operations documentation to determine the adequacy of operator
error-handling procedures, media controls and recovery procedures
6. Utilize technical assistance to help evaluate the effectiveness of hardware
controls
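The odd-parity redundant character check described under hardware controls above, as an added example that is not part of the lecture notes; the 7-bit character layout, the sample text and the simulated bit flips are assumptions for illustration.

```python
# Added example (not from the lecture notes): the odd-parity "redundant
# character check". Each 7-bit character (assumed layout) gets one extra bit
# so that the total number of 1 bits is odd; the receiving circuit recounts
# and flags every character whose count came out even.

def odd_parity_bit(data_bits: str) -> str:
    """Parity bit to append: 0 if the count of 1s is already odd, 1 if even."""
    return "0" if data_bits.count("1") % 2 == 1 else "1"

def encode(text: str) -> list:
    """Store each character as 7 data bits followed by its odd-parity bit."""
    words = []
    for ch in text:
        data = format(ord(ch) & 0x7F, "07b")   # 7-bit character code
        words.append(data + odd_parity_bit(data))
    return words

def check(words: list) -> list:
    """Recount the 1 bits of each stored word; return the indexes that fail."""
    return [i for i, w in enumerate(words) if w.count("1") % 2 == 0]

def flip_bits(word: str, positions: list) -> str:
    """Simulate a hardware-induced error by inverting the given bit positions."""
    bits = list(word)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)

if __name__ == "__main__":
    stored = encode("PAYROLL")                 # constructed sample data
    print("clean data fails at:", check(stored))                 # []
    damaged = list(stored)
    damaged[2] = flip_bits(stored[2], [4])    # one bit flipped in 'Y'
    print("single-bit error at:", check(damaged))                # [2]
    # Two flipped bits in one character restore odd parity and are NOT
    # caught: the check detects single-bit errors only and cannot correct.
    damaged[2] = flip_bits(stored[2], [4, 5])
    print("double-bit error at:", check(damaged))                # []
```

The last case is the caveat an auditor should note: a parity bit detects an odd number of flipped bits in a character and nothing more, so it is a detection control, not a correction control.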
7. System Software Controls
System software
- A set of program routines that perform system-level functions: management*,
application program support, and tasks common to many applications
*includes both the control of all operations and the allocation of resources,
i.e., CPU time, memory and input/output devices, among the various application
programs
1. Controls to handle errors
a. Read or write error routines
➔ Retry, diagnose, propose an action (close, etc.); prevents
erroneous overwriting of existing records or files
b. Record length checks
c. Storage device check
➔ Signals if a storage device is not operational
2. Controls for program protection
- Prevent application programs from interfering with each other
during processing
a. Boundary protection
➔ Assignment of memory partitions to programs in
multiprogramming environment
b. Control over external reference (subroutines) in linkage editing
c. Library program software
- A library is a collection of connected programs
➔ Restriction of access to use and change of programs:
◆ Passwords: used to limit access to programs
◆ Encryption: secret coding that prevents
understanding of the program without the
necessary key
◆ Library software control reports: program listing
identifying the version of each program, run date,
last copied, last changed to ensure that the current
authorized version is used
3. Controls for file protection
- A file is a collection of records (it may be a master file or a transaction file)
- To prevent unauthorized use or modification of data
a. Checking internal file labels
- To prevent processing of the wrong files, and premature
destruction of files
b. Storage protection
- Prevents inadvertent overwriting
c. Memory clear
- Removes the risk of sensitive data being available for
subsequent access
- Scratch file
➔ Located in memory and used like scratch paper for
computation before the results are placed in a file
➔ Must have memory clear to avoid unauthorized
access
4. Security protection
a. Maintenance of logs and activity information
b. Password monitoring
5. Self protection
a. Segregation of duties
- Assignment of responsibilities for systems software,
application software, library and operations should be
separated
b. Hardwiring
- Encodes the software logic in hardware; modification can
only be done by the removal and replacement of the
hardware
- Review and test of compliance for Systems Software Controls
1. Review vendor literature and in-house documentation (including additions and
changes made by systems personnel) to identify the controls that are available
2. Review the list of controls that are utilized to determine whether they match
the control objectives
3. Check the adequacy of authorization and control over the implementation
of, and changes to, systems software
4. Review the segregation of duties of systems software development and
maintenance or operating personnel
5. Review the results of pre-implementation testing of systems software
6. Review computer utilization logs and activity reports for unauthorized
usage and changes to systems software
7. Utilize technical help to evaluate the effectiveness of systems software
controls
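The internal file label check from the file protection controls above (right file, right generation, no premature destruction), as an added example that is not part of the lecture notes; the label layout, the sample payroll file and the field names are assumptions constructed for this illustration.

```python
# Added example (not from the lecture notes): checking internal header and
# trailer labels before a batch program uses a file. The label layout below is
# an assumption constructed for this illustration: the header names the file,
# its generation and its retention date; the trailer carries a record count and
# a control total that the program re-derives from the records it actually read.
from datetime import date

SAMPLE = [                                  # constructed payroll transaction file
    "HDR|PAYTRX|17|2024-03-01|2024-04-01",  # HDR|name|generation|created|retain until
    "E1001|125000",
    "E1002|98000",
    "E1003|143500",
    "EOF|3|366500",                         # EOF|record count|control total
]

def parse_labels(lines: list) -> tuple:
    """Split a file into (header dict, data records, trailer dict)."""
    if len(lines) < 2 or not lines[0].startswith("HDR|") or not lines[-1].startswith("EOF|"):
        raise ValueError("internal header or trailer label missing")
    _, name, gen, created, retain = lines[0].split("|")
    _, count, total = lines[-1].split("|")
    header = {"name": name, "gen": int(gen), "created": date.fromisoformat(created),
              "retain_until": date.fromisoformat(retain)}
    return header, lines[1:-1], {"count": int(count), "total": int(total)}

def input_label_check(lines: list, expected_name: str, expected_gen: int) -> list:
    """Before reading: is this the right file and generation, and did every
    record survive (count and control total)? Empty list = OK to process."""
    header, records, trailer = parse_labels(lines)
    problems = []
    if header["name"] != expected_name:
        problems.append("wrong file: %s" % header["name"])
    if header["gen"] != expected_gen:
        problems.append("wrong generation: %d (expected %d)" % (header["gen"], expected_gen))
    amounts = [int(r.split("|")[1]) for r in records]
    if len(amounts) != trailer["count"]:
        problems.append("record count %d != trailer %d" % (len(amounts), trailer["count"]))
    if sum(amounts) != trailer["total"]:
        problems.append("control total %d != trailer %d" % (sum(amounts), trailer["total"]))
    return problems

def may_overwrite(lines: list, today_iso: str) -> bool:
    """Before writing over a volume: refuse to destroy a file whose retention
    date has not passed yet (guards against premature destruction)."""
    header, _, _ = parse_labels(lines)
    return date.fromisoformat(today_iso) >= header["retain_until"]
```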
8. System Security Controls
- Security
➔ Protection
- Facilities are the location of the computer or hardware (room, table)
- Equipment means the hardware and devices
- System security
➔ The protection of computer facilities, equipment, programs and data from
destruction by environmental hazards, by equipment error, software error,
or human error, or by computer abuse
◆ Environmental hazards
● Include fire, floods, tornadoes, earthquakes and other acts
of God
● Generally occur INFREQUENTLY but with a high cost per
occurrence
◆ Errors
● Include damage to disk storage by faulty disk drives,
mistakes in application programs that destroy or damage
data, and operator mounting of incorrect files
● Generally FREQUENT but at low cost per incident
● Unintentional
◆ Computer abuse
● The violation of a computer system to perform malicious
damage, crime or invasion of privacy
○ Malicious damage includes looting or sabotage
○ Crime includes embezzlement, industrial
espionage, and the sale of commercial secrets
○ Invasion of privacy includes discovery of
confidential salary information, and the review of
sensitive data by a competing company (financial
information)
● Intentional (with bad intentions)
- System security controls
➔ Are general controls that prevent failures in systems security and provide
for recovery from failures in system security
➔ Generally categorized as:
1. Controls that provide a secure system (PREVENTION)
a. Security Management
i. Establish security objectives
ii. Evaluate security risks
iii. Develop a security plan
iv. Assign responsibilities
v. Test system security
vi. Evaluate system security
b. Facilities Security Controls
i. Location controls
ii. Construction controls
iii. Access controls
- Conventional keys
- Magnetic strip cards
- Devices that can read physical
characteristics, e.g. fingerprints
- Signature verification system
c. Library Controls
i. Library function for access controls
- Authorized users
- Usage log
ii. Physical file control
- Internal header and trailer labels
➔ Internal header: at the beginning of the file
➔ Trailer: at the end of the file
- External labels
- Protection rings
➔ No ring, no write (save)
- Read-only switch
d. On-line Access Controls
i. Physical security of terminals
- Use of terminal locks
ii. Authorization controls
- Authorized users
● Programs and data files that each
user can access should be identified
in the authorization scheme
- Authorized terminals
● Example: a desktop (terminal) that only one
person is allowed to access and use
○ Others cannot use the
terminal
○ The username and password can be
used only on that desktop (so the
user cannot log on if a different
terminal is used)
iii. Identification controls
- Terminal identification
- User identification (passwords)
- Physiological key
➔ Handprints, thumbprints
- Special key
➔ Magnetic stripe cards
➔ Optically encoded badge
Some rules concerning PASSWORDS:
- Passwords should not be chosen because they are
easy to remember
- Should not be shared nor displayed
- Password file should be protected by the operating
system
- Unsuccessful attempts should be monitored
- Should be changed periodically
- More effective when used in combination with other
techniques
e. Data Communication Access Controls
i. Fragmentation
- Communication of a message one part
(fragment) at a time
ii. Intermixing
- Communication of several messages
simultaneously
iii. Encryption
- Encoding of data to disguise their meaning
2. Controls for detecting failures in systems security (DETECTION)
a. Unauthorized Access Detection Devices
i. Micro-switches detect the presence of an intruder
by breaking or completing an electrical circuit
ii. Beams - could be light, laser, ultraviolet or infrared
iii. Ultrasonic (soundwaves) and radar detectors; these
detect movements
iv. Microphones - sound can trigger an alarm
b. Fire Detection Devices
i. Heat-sensitive devices - fusible links built into the
nozzles of sprinkler systems
ii. Smoke-sensitive devices
c. Authentication
i. Further identification information is requested periodically
during use of the terminal
ii. Disconnecting and calling back the terminal
iii. Authenticity code
d. Systems Monitoring
i. CCTV
ii. Disconnection after repeated unsuccessful
attempts
iii. Log of all access failures
3. Controls for recovery from systems security failures
(CORRECTION AND RECOVERY)
a. Failure Bypass Procedures
b. Recovery Plan (Business Continuity Plan)
c. Recovery Procedures
i. Computer facilities and equipment
ii. Software
iii. Data / source documents
iv. Personnel
- Who is responsible for what
- Substitute in case of injury
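The detection controls listed above, "unsuccessful attempts should be monitored", "disconnection after repeated unsuccessful attempts" and "log of all access failures", as an added example that is not part of the lecture notes; the event layout, terminal ids, user ids and the threshold of three failures are assumptions constructed for this illustration.

```python
# Added example (not from the lecture notes): the detection controls listed
# above, "unsuccessful attempts should be monitored", "disconnection after
# repeated unsuccessful attempts" and "log of all access failures", run over
# a constructed stream of terminal log-on events (the event layout is assumed).
from collections import defaultdict

EVENTS = [                      # constructed sample: time terminal user result
    "09:00:01 T07 jdoe OK",
    "09:02:10 T12 mcruz FAIL",
    "09:02:25 T12 mcruz FAIL",
    "09:02:41 T12 mcruz FAIL",
    "09:02:50 T12 mcruz OK",    # correct password, but the terminal is already cut off
    "09:05:03 T03 asantos FAIL",
    "09:09:30 T03 asantos OK",
]
MAX_FAILURES = 3                # consecutive failures allowed per terminal

def monitor(events: list, max_failures: int = MAX_FAILURES) -> tuple:
    """Return (access failure log, disconnected terminals, accepted log-ons)."""
    failures = defaultdict(int)
    failure_log, disconnected, accepted = [], set(), []
    for line in events:
        time, terminal, user, result = line.split()
        if terminal in disconnected:          # nothing is accepted after cut-off
            failure_log.append("%s %s %s REJECTED (terminal disconnected)" % (time, terminal, user))
        elif result == "FAIL":
            failures[terminal] += 1
            failure_log.append("%s %s %s FAIL #%d" % (time, terminal, user, failures[terminal]))
            if failures[terminal] >= max_failures:
                disconnected.add(terminal)
                failure_log.append("%s %s DISCONNECTED after %d failures" % (time, terminal, max_failures))
        else:
            failures[terminal] = 0            # a successful log-on resets the count
            accepted.append((time, terminal, user))
    return failure_log, disconnected, accepted

if __name__ == "__main__":
    log, cut_off, ok = monitor(EVENTS)
    print("\n".join(log))
    print("disconnected terminals:", sorted(cut_off))   # ['T12']
    print("accepted log-ons:", [u for _, _, u in ok])   # ['jdoe', 'asantos']
```

Reconnecting a cut-off terminal is left to operations personnel on purpose: the log of failures is what the auditor reviews, and the control only has value if someone acts on it.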
