
Mindanao State University

College of Business Administration and Accountancy


DEPARTMENT OF ACCOUNTANCY
Marawi City

AUDITING IN A CIS ENVIRONMENT


Accounting 153

AN OVERVIEW OF THE CIS ENVIRONMENT


DATA PROCESSING – refers to the operations needed to collect and transform data into useful information. The
equipment and procedures through which this result is achieved constitute a data processing system. Data
processing involves the basic operations of classifying, sorting, calculating, summarizing, recording, storing and
communicating.
a. Manual data processing – the operations are performed by hand, using pen or pencil.
b. Mechanical data processing – mechanical equipment such as office machines and bookkeeping machines is
used to increase speed and accuracy.
c. Electronic data processing (EDP) – the data are converted into machine-readable form and then processed
electronically. The processing takes place in a computer at very high speed and with minimal human
intervention.

COMPUTER SYSTEM – refers collectively to all the interconnected hardware including the processors, storage
devices, input/output devices and communications equipment.
a. Computer hardware – the physical devices that make up a computer system. The principal hardware
component is the central processing unit (CPU), which performs the processing functions: storage of
information, arithmetic and logic operations, and control. The CPU also controls the input and output
devices.
 Main storage unit – used to temporarily store programs and data for processing.
 Arithmetic and logic unit – performs the arithmetic tasks (addition, subtraction, multiplication
and division), comparisons and other types of data transformations. The data and instructions
needed for the operation are called from the computer’s main storage. After the operation, the
results are returned to the main storage unit.
 Control unit – regulates the activities of the other devices by retrieving machine language
instructions from the main storage units and then interpreting instructions.
 Input devices – accept data and instructions and translate them into a form the computer can process.
Examples are keyboards and bar code readers.
 Output devices – translate processed data back into a form usable by the accountant or other users,
such as printed words and figures. Examples are monitors and printers.
b. Computer software – the programs, routines and procedures used to direct the functions of a computer
system.
 Systems software – operates the computer system and performs routine tasks for its users. It helps
the operator use the machine and manages the interaction between the computer, its peripherals, other
programs, the data sets being used and the operator. System software also translates programming
languages.
i. Operating system – a highly complex set of programs that serves as the means of communication
between the hardware and the human operator; schedules, loads, initiates and supervises the
execution of programs; initiates and controls input and output operations; and manages and
controls compilers and utility programs.
ii. Utility programs – a program or group of programs designed to perform commonly
encountered data handling functions such as sorting files and copying data from one file
to another.
iii. Compilers and interpreters – compilers are programs that translate a whole high-level language
program (source code) into machine language (object code), which can then be placed in main
storage and executed. Interpreters do not produce a stored object program: they translate and
execute the source code one statement at a time, every time the program is run. For control
purposes, what matters is that the object code running in production corresponds to the source
code that was reviewed and approved; a change to either one without the other breaks that link.
 Applications software – programs that help the operator use the computer to do specified tasks or
to solve particular processing jobs.
c. Computer installations – are the facilities where the computer hardware and personnel are located.
Computer installations are generally organized into one of the following categories:
 In-house or captive computer – the organization owns or leases the equipment and hires the
necessary trained personnel to program, operate and control the various applications processed
with the equipment.
 Service bureau computer – the computer is owned by an independent agency, which rents computer
time and provides programming, data entry (key punching) and other services. The user organization
pays only for the computer time and other services it uses.
 Time sharing – under this system, the organization acquires a keyboard device capable of
transmitting and receiving data and by agreement, the right to use a central computer facility. This
facility will furnish service to several users at the same time. The user company does most of its
own programming and treats the computer as though the company were the one using it. When the
company needs service, it accesses the computer facility by means of a communication line,
submits its user number and password, calls for its files and then begins to process the necessary
data.

Prepared by: Mohammad Muariff S. Balang, CPA, Second Semester, AY 2012-2013 Page | 1

 Facilities management – falls somewhere between the captive computer and the service bureau
computer categories. Under this system, the organization needing computer services may lease or
purchase the necessary hardware and install it on its own premises. Then by negotiation, an
outside contractor with the necessary staff of programmers and operators agrees to manage the
facility. In some instances, the contractor may own or lease the equipment.

STAND-ALONE PERSONAL COMPUTERS


A personal computer (PC) can be used in various configurations. These include:
a. A stand-alone workstation operated by a single user or a number of users at different times.
b. A workstation which is a part of a local area network (LAN) of PCs.
c. A workstation connected to a server.
In a stand-alone PC environment, it may not be practicable or cost-effective for management to implement sufficient
controls to reduce risks of undetected error to a minimum level. After obtaining the understanding of the accounting
system and control environment, the auditor may find it more cost effective not to make further review of general
controls or application controls, but to concentrate audit efforts on substantive audit procedures.

NETWORK ENVIRONMENT
A network environment is a communication system that enables computer users to share computer equipment,
application software, data and voice and video transmissions. A file server is a computer with an operating system
that allows multiple users in a network to access software applications and data files. The basic types of
network are:
a. Local area network (LAN) – an arrangement where two or more personal computers are linked together
through the use of special software and communication lines. A LAN allows the sharing of resources such
as storage facilities and printers.
b. Wide area network (WAN) – created to connect two or more geographically separated LANs. A WAN
typically involves one or more long-distance providers, such as a telephone company to provide the
connections.
c. Metropolitan area network (MAN) – a network that covers an area the size of a city or a campus, typically
where an organization's buildings are close enough to form a campus but the space between them is not
under the organization's control.
A network’s topology pertains to how the various elements of the network are arranged. A network can be arranged
in various forms as follows:
a. Star topology – a network of computers with a large central computer (the host). The host computer has
direct connections to smaller computers, typically desktop or laptop PCs. All communications must go
through the host computer, except for local computing.
b. Hierarchical or tree topology – a host computer is connected to several levels of subordinate smaller
computers in a master-slave relationship.
c. Ring topology – this configuration eliminates the central site. All nodes in this configuration are of equal
status (peers). In this arrangement, the responsibility for managing communications is distributed among
the nodes. Common resources that are shared by all nodes can be centralized and managed by a file server
that is also a node.
d. Bus topology – the nodes are all connected to a common cable – the bus. Communications and file
transfers between workstations are controlled by a server. It is generally less costly to install than a ring
topology.
e. Mesh or double star topology – similar to star topology but with greater redundancy. It offers the greatest
resiliency but most expensive to implement.
f. Client-server architecture – distributes the processing between the user's (client's) computer and the
central file server. Both types of computer are part of the network, but each is assigned the functions it
performs best. This approach reduces data communications traffic, thus shortening queues and improving
response time.
g. Cloud computing – internet-based computing whereby shared resources, software and information
are provided to computers and other devices on demand, like electricity from a grid. In general, the customers
do not own the physical infrastructure; instead they avoid capital expenditure by renting usage from a third
party provider. They consume resources as a service and pay only for the resources they use. Because the
customer does not operate the infrastructure, the controls over it are the provider's, and evidence about
those controls has to be obtained from or through the provider.

Figure 1 – Forms of Network Topology

Some devices and peripherals are needed for a network to exist and function properly. Computer networks
require or may require the following:
a. Network interface cards (NICs) – are circuit boards used to transmit and receive commands and messages
between a PC and a LAN.

b. Modems – a device that modulates and demodulates signals. They are primarily used for converting digital
signals into quasi-analog signals for transmission over analog communication channels and for
reconverting the quasi-analog signals into digital signals.
c. Repeaters – offer the simplest form of interconnectivity. They merely generate or repeat data packets or
electric signals between cable segments.
d. Hubs – hubs concentrate connections. In other words, they take a group of hosts and let the network
see them as a single unit. A hub repeats every frame it receives out of all its other ports, so every host
attached to it can see the traffic of every other host on that hub.
e. Bridges – a bridge is a device that connects similar or dissimilar LANs together to form an extended LAN.
It can also connect LANs and WANs. Bridges are protocol independent devices and are designed to store
and forward frames destined for another LAN.
f. Switches – workgroup switches add more intelligence to data transfer management. They can determine
whether data should remain on a LAN and forward it only to the port that needs it, so hosts on a switch do
not normally see each other's traffic. Unlike a bridge, a switch does not convert data transmission formats.
g. Routers – routers have both LAN and WAN interfaces. Routers are the backbone devices of large intranets
and of the internet. They select the best path and switch packets to the proper interface.
h. Gateways – used to connect LANs to host computers. Gateways act as translators between networks using
incompatible transport protocols. A gateway is used to interconnect networks that may have different
architectures.
Processing information in a network can also be done in various ways including:
a. Centralized processing – a system where processing is done at a central location using terminals that are
attached to a central computer. The computer itself may control all the peripherals or they may be attached
via terminal server.
b. Distributed data processing – a system with several computers that are connected for communication and
data transmission purposes but where each computer can also process its own data.
c. End user computing – a system in which the end user is responsible for the development and execution of
the computer application that he or she uses.

ON-LINE COMPUTER SYSTEMS


On-line computer systems are computer systems that enable users to access data and programs directly through
terminal devices. Types of terminal devices used in on-line systems include:
a. General purpose terminals – basic keyboard and screen, intelligent terminal, PCs.
b. Special purpose terminals – point of sale devices and automated teller machines (ATMs).
On-line systems allow users to directly initiate various functions such as entering transactions, making inquiries,
requesting reports, updating master files and conducting e-commerce activities. On-line computer systems can be
classified as follows:
a. On-line/real time processing – individual transactions are entered at terminal devices, validated, and used
to update related computer files immediately.
b. On-line/batch processing – individual transactions are entered at a terminal device, subjected to certain
validation checks and added to a transaction file that contains other transactions entered during the period.
Later, during a subsequent processing cycle, the transaction file may be validated further and then used to
update relevant master file.
c. On-line/memo update and subsequent processing – combines on-line/real time and on-line/batch
processing. Individual transactions immediately update a memo file containing information that has been
extracted from the most recent version of the master file. Inquiries are made from this memo file. These
same transactions are added to a transaction file for subsequent validation and updating of the master file
on a batch basis.
d. On-line/inquiry processing – restricts users at terminal devices to making inquiries of master files. Master
files are updated by other systems, usually on a batch basis.
e. On-line downloading/uploading processing – on-line downloading refers to the transfer of data from a
master file to an intelligent terminal device for further processing by a user; on-line uploading is the
reverse, the transfer of data from the intelligent terminal device back to the master file.
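The three update modes above, as an added worked example in Python (not from the handout). The account records, the two transactions and the edit checks are constructed for illustration, and the duplicate-id check that only the batch run performs is an assumption about what "further validation" might be; the point is what an inquiry returns in each mode before and after the batch run, and where a rejected transaction leaves the memo file.

```python
from copy import deepcopy

# Constructed master file: account number -> balance (not real data)
MASTER_FILE = {"1001": 500, "1002": 120}

def entry_checks(tx, balances):
    """Edits run when a transaction is keyed in; None means it passes."""
    if tx["acct"] not in balances:
        return "unknown account"
    if tx["type"] not in ("deposit", "withdraw"):
        return "bad transaction type"
    if not isinstance(tx["amt"], int) or tx["amt"] <= 0:
        return "bad amount"
    if tx["type"] == "withdraw" and balances[tx["acct"]] < tx["amt"]:
        return "insufficient funds"
    return None

def post(tx, balances):
    """Apply one validated transaction to a set of balances."""
    balances[tx["acct"]] += tx["amt"] if tx["type"] == "deposit" else -tx["amt"]

class RealTime:
    """On-line/real time: validated and applied to the master at once."""
    def __init__(self, master):
        self.master = deepcopy(master)
    def enter(self, tx):
        err = entry_checks(tx, self.master)
        if err is None:
            post(tx, self.master)
        return err or "posted"
    def inquire(self, acct):
        return self.master[acct]
    def run_cycle(self):
        return []                                # nothing is deferred in this mode

class Batch:
    """On-line/batch: entry checks now, master update in a later run."""
    def __init__(self, master):
        self.master, self.tx_file, self.rejects = deepcopy(master), [], []
    def enter(self, tx):
        err = entry_checks(tx, self.master)      # checked against the master as it stands
        if err is None:
            self.tx_file.append(tx)
        return err or "queued"
    def inquire(self, acct):
        return self.master[acct]                 # queued transactions not yet visible
    def run_cycle(self):
        seen = set()
        for tx in self.tx_file:
            err = entry_checks(tx, self.master)
            if err is None and tx["id"] in seen: # further validation only the batch run does (assumed)
                err = "duplicate transaction id"
            if err is None:
                post(tx, self.master)
                seen.add(tx["id"])
            else:
                self.rejects.append((tx["id"], err))
        self.tx_file = []
        return self.rejects

class MemoUpdate(Batch):
    """On-line/memo update: memo copy updated at once, master in the batch run."""
    def __init__(self, master):
        super().__init__(master)
        self.memo = deepcopy(master)
    def enter(self, tx):
        err = entry_checks(tx, self.memo)        # the memo already reflects today's entries
        if err is None:
            post(tx, self.memo)
            self.tx_file.append(tx)
        return err or "memo posted"
    def inquire(self, acct):
        return self.memo[acct]                   # inquiries are answered from the memo file
    def run_cycle(self):
        rejects = super().run_cycle()
        self.memo = deepcopy(self.master)        # memo re-extracted from the updated master
        return rejects

# Constructed transactions: the second is the first one re-keyed by mistake
TXS = [{"id": "T1", "acct": "1001", "type": "withdraw", "amt": 100},
       {"id": "T1", "acct": "1001", "type": "withdraw", "amt": 100}]

def demo():
    """Per mode: terminal replies, balance seen before the batch run, after it, rejects."""
    out = {}
    for name, mode in (("real_time", RealTime), ("batch", Batch), ("memo", MemoUpdate)):
        system = mode(MASTER_FILE)
        replies = [system.enter(dict(tx)) for tx in TXS]
        before = system.inquire("1001")
        rejects = system.run_cycle()
        out[name] = (replies, before, system.inquire("1001"), rejects)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the memo mode the terminal reports both withdrawals as posted and an inquiry shows 300, but the master file ends at 400 and stays there; until the memo is refreshed from the master, the user is looking at a balance the master file will never have. An auditor relying on on-line inquiries in such a system needs the batch reject report as well.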

DATABASE SYSTEMS
Database systems have two components, namely:
a. Database – composed of data which are set up with defined relationships and are organized in a manner
that permits many users to use the data in different application programs.
b. Database management system (DBMS) – software that creates, maintains and operates the database. It is
a special software system that is programmed to know which data elements each user is authorized to
access. The user’s program sends requests for data to the DBMS, which validates and authorizes access to
the database in accordance with the user’s level of authority. If the user requests data that he or she is not
authorized to access, the request is denied.
Database systems are characterized by:
a. Data sharing – the ability of a database to allow multiple users to access information at the same time.
b. Data independence – the insulation of user applications from changes in the definition and organization
of the data: the data structure is held by the DBMS rather than coded into each application program.
Database processing generally depends on an on-line/real time system.

Generally, internal control in a database environment requires effective controls over the database, the DBMS and
the applications. User access to the database can be restricted through the use of passwords and access
privileges. These restrictions can apply to individuals, terminal devices and programs.
a. Discretionary access controls – allow users to specify who can access the data they own and what action
privileges those users have with respect to that data.
b. Mandatory access controls – require the database administrator to assign security attributes to data that
cannot be changed by database users. In effect, users are not permitted to see or update all data in the
database, whatever the owner of the data might be willing to allow.
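The access check the DBMS paragraph describes, together with the discretionary and mandatory controls above, as an added Python example that is not from the handout and not any particular DBMS's implementation. The users, clearance levels, tables and requests are constructed, and the label ordering and the rule that a user's clearance must be at least the table's label are simplifying assumptions.

```python
LEVEL = {"public": 0, "internal": 1, "confidential": 2}   # assumed label ordering

class Dbms:
    """Toy mediator: every request is checked against the mandatory label set
    by the DBA and the discretionary grants set by the data owner, and each
    decision is logged, which is the trail an auditor would later review."""
    def __init__(self, dba, clearances):
        self.dba = dba
        self.clearances = clearances    # user -> clearance level, assigned by the DBA
        self.tables = {}                # table -> {"owner", "label", "grants"}
        self.log = []

    def _decide(self, user, action, table, allowed, reason):
        self.log.append((user, action, table, "ALLOW" if allowed else "DENY", reason))
        return allowed

    def create_table(self, user, name, owner, label):
        if user != self.dba:
            return self._decide(user, "create", name, False, "only the DBA assigns labels")
        self.tables[name] = {"owner": owner, "label": label, "grants": {}}
        return self._decide(user, "create", name, True, "label " + label)

    def relabel(self, user, name, label):
        if user != self.dba:               # mandatory attributes cannot be changed by users
            return self._decide(user, "relabel", name, False, "users may not change labels")
        self.tables[name]["label"] = label
        return self._decide(user, "relabel", name, True, "label " + label)

    def grant(self, user, grantee, action, name):
        if user != self.tables[name]["owner"]:   # discretionary: only the owner delegates
            return self._decide(user, "grant " + action, name, False, "not the owner")
        self.tables[name]["grants"].setdefault(grantee, set()).add(action)
        return self._decide(user, "grant " + action, name, True, "to " + grantee)

    def access(self, user, action, name):
        t = self.tables[name]
        # Mandatory check first: no read or update of data above the user's clearance,
        # whatever the owner may have granted
        if LEVEL[self.clearances.get(user, "public")] < LEVEL[t["label"]]:
            return self._decide(user, action, name, False, "clearance below table label")
        # Discretionary check: the owner has all rights, others need an explicit grant
        if user == t["owner"]:
            return self._decide(user, action, name, True, "owner")
        if action in t["grants"].get(user, set()):
            return self._decide(user, action, name, True, "granted by owner")
        return self._decide(user, action, name, False, "no grant")

def demo():
    """Constructed users, tables and requests (none are real)."""
    db = Dbms(dba="dba", clearances={"alice": "confidential", "bob": "internal", "carol": "internal"})
    db.create_table("dba", "payroll", owner="alice", label="confidential")
    db.create_table("dba", "inventory", owner="bob", label="internal")
    results = {
        "owner_can_grant":   db.grant("alice", "carol", "read", "payroll"),
        "non_owner_cannot":  db.grant("bob", "carol", "read", "payroll"),
        "mac_overrides_dac": db.access("carol", "read", "payroll"),   # granted, but cleared too low
        "granted_read":      db.grant("bob", "carol", "read", "inventory") and db.access("carol", "read", "inventory"),
        "ungranted_update":  db.access("carol", "update", "inventory"),
        "user_relabel":      db.relabel("carol", "payroll", "public"),
        "owner_update":      db.access("alice", "update", "payroll"),
        "dba_relabel_then_read": db.relabel("dba", "payroll", "internal") and db.access("carol", "read", "payroll"),
    }
    results["denials"] = [e for e in db.log if e[3] == "DENY"]
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The request by carol to read payroll is the case to notice: the owner has granted it, yet the mandatory check refuses it because carol's clearance is below the table's label, which is what "cannot be changed by database users" means in practice. Every decision, allowed or denied, goes into `db.log`; the denials are what an auditor reviewing database access would pull first.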

SYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION


SYSTEMS ANALYSIS AND DESIGN – a systematic approach to identifying problems, opportunities and
objectives, analyzing the information flow in organizations and designing computerized information systems to
solve a problem. New systems are developed or acquired because of the following reasons:
a. To answer a business need.
b. To solve a particular set of problems.
To satisfy its information processing needs, a company may use proprietary software packages or make
use of its own employees and/or consultants to develop a system (in-house development). The fundamental
approaches to developing an in-house information system are prototyping and pre-specification.

SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC) – a systematic approach to solving business problems. The
cycle involves a logical sequence of activities used to identify new system needs and to develop new systems to
support those needs. Each phase in the cycle has its own activities, and the way they are carried out varies
widely from one organization to another.
a. Feasibility phase – involves systems planning and system evaluation and selection
 System planning – aims to link individual system projects or application to the strategic objectives
of the firm.
 System evaluation and selection – an optimization process that seeks to identify the best system.
i. Perform a detailed feasibility study – should cover the technical, legal, operational and
schedule feasibility of the system.
ii. Perform a cost-benefit analysis – entails the use of capital budgeting techniques.
b. Requirement specification – involves systems analysis and conceptual systems design.
 Systems analysis – a two-step process involving first a survey of the current system and
then an analysis of the users' needs.
 Conceptual systems design – this stage’s purpose is to produce several alternative conceptual
systems that satisfy the system requirements identified during systems analysis.
c. Systems design – the goal of this phase is to produce a detailed description of the proposed system that
both satisfies the system requirements identified during systems analysis and is in accordance with the
conceptual design. In this phase, all components are meticulously specified. After completing this phase,
the development team usually performs a system design walkthrough to ensure that the design is free from
conceptual errors that could become programmed into the final system.
d. Systems development and programming – programs are written to create the software necessary to make
the information system operational. This phase includes the following activities:
 System specifications review.
 Program identification and description.
 Program coding.
 Testing the application software.
 Documentation.
e. Systems conversion and implementation – database structures are created and populated with data,
equipment is purchased and installed, employees are trained, the system is documented and the new system is
installed. Common approaches to systems conversion:
 Parallel conversion – operates the old and new system simultaneously.
 Direct conversion – involves immediate conversion to the new system throughout the
organization.
 Phased conversion – the information system is implemented one module at a time by either
parallel or direct conversion.
 Pilot conversion – the new system is implemented by parallel, direct or phased conversion as a
pilot system in only one of the several areas for which it is targeted.
 Prototype conversion – involves developing and putting into operation successively more refined
versions of the system until sufficient information is obtained to produce a satisfactory design.
f. Post-implementation review and system maintenance – after the system is implemented, it must be
examined critically to check on the progress of the implementation and to determine whether corrective
measures have to be taken. Throughout the life of the system there must also be continuing monitoring,
evaluation and modification of the system to ensure that its objectives are achieved and that new needs or
problems are addressed.

The participants in the systems development are:
a. Systems professionals – are the system analysts, systems engineers and programmers. These individuals
actually build the system.
b. End users – are those for whom the system is built.
c. Stakeholders – are individuals either within or outside the organization who have an interest in the system
but are not end users.
d. Accountants and auditors – are the individuals who address the controls, accounting and auditing issues
for systems development. Accountants are involved in the SDLC in three ways as users, as members of the
development team and as auditors.
The SDLC process is of interest to accountants and auditors for two reasons:
a. The creation of an information system entails significant financial transactions.
b. The quality of accounting information rests directly on the SDLC activities that produce accounting
information systems.

INTRODUCTION TO CIS AUDIT


A CIS environment exists when a computer of any type or size is involved in the processing by the entity of
financial information of significance to the audit, whether the computer is operated by the entity or by a third party.
The overall objective and scope of an audit does not change in a CIS environment. However, a CIS environment
may affect:
a. The procedures followed in obtaining a sufficient understanding of the accounting and internal control
systems.
b. The consideration of inherent and control risk.
c. The design and performance of tests of controls and substantive procedures.
In this regard, the auditor should have sufficient knowledge of the CIS to plan, direct and review the work
performed. If specialized skills are needed, the auditor would seek the assistance of a professional possessing such
skills, who may be either on the auditor’s staff or an outside professional.
In planning the portions of the audit which may be affected by the client’s CIS environment, the auditor should
obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use
in the audit. When the CIS environment is significant, the auditor should also obtain an understanding of the CIS
environment and whether it may influence the assessment of inherent and control risks.
The auditor should consider the CIS environment in designing audit procedures to reduce the audit risk to an
acceptably low level. The auditor can use either manual audit procedures or computer assisted audit techniques
(CAATs) or a combination of both to obtain sufficient evidential matter.
An audit in a CIS environment is generally divided into three phases:
a. Audit planning – this phase consists of both short-term planning and long-term planning and has risk
analysis as one of its major parts.
 Short-term planning – takes into account audit issues that will be covered during the year.
 Long-term planning – relates to audit plans that will take into account risk-related issues regarding
changes in the organization’s IT strategic direction that will affect the organization’s IT
environment.
 Risk analysis – helps identify risks and vulnerabilities so the auditor can determine the controls
needed to mitigate those risks. The auditor is often focused toward high-risk issues associated with
confidentiality, availability or integrity of sensitive and critical information and the underlying
information systems and processes that generate, store and manipulate such information.
b. Test of controls or compliance testing – to determine whether adequate internal controls are in place and
functioning properly.
c. Substantive testing – can be performed either with or without the use of computers. The auditor must
also consider that, in a CIS environment, the information needed to perform substantive tests is contained in
data files that often must be extracted using computer assisted audit techniques (CAATs) software.

CHARACTERISTICS AND CONSIDERATIONS IN A CIS ENVIRONMENT


ORGANIZATIONAL STRUCTURE – the characteristics of a CIS organizational structure include:
a. Concentration of function and knowledge – although most systems employing CIS methods will include
certain manual operations, generally, the number of persons involved in the processing of financial
information is significantly reduced.
b. Concentration of programs and data – transaction and master file data are often concentrated, usually, in
machine-readable form, either, in one computer installation located centrally or in a number of installations
distributed throughout the entity.

NATURE OF PROCESSING – the use of computers may result in the design of systems that provide less visible
evidence than those using manual procedures. In addition, these systems may be accessible to a larger number of
persons. System characteristics that may result from the nature of CIS processing include:

a. Absence of input documents – data may be entered directly into the computer system without supporting
document. In some on-line transaction systems, written evidence of individual data entry authorization may
be replaced by other procedures such as authorization controls contained in computer programs.
b. Lack of visible audit trail – the transaction trail may be partly in machine-readable form and may exist
only for a limited period of time.
c. Lack of visible output – certain transactions or results of processing may not be printed or only a summary
of data may be printed.
d. Ease of access to data and computer programs – data and computer programs may be accessed and
altered at the computer or through the use of computer equipment at remote locations. Therefore, in the
absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of,
data and programs by persons inside or outside the entity.

DESIGN AND PROCEDURAL ASPECTS – the development of CIS will generally result in design and
procedural characteristics that are different from those found in manual systems. These different design and
procedural aspects of CIS include:
a. Consistency of performance – CIS perform functions exactly as programmed and are potentially more
reliable than manual systems, provided that all transaction types and conditions that could occur are
anticipated and incorporated into the system. On the other hand, a computer program that is not correctly
programmed and tested may consistently process transactions or other data erroneously.
b. Programmed control procedures – the nature of computer processing allows the design of internal
control procedures in computer programs.
c. Single transaction update of multiple or database computer files – a single input to the accounting
system may automatically update all records associated with the transaction.
d. Systems generated transactions – certain transactions may be initiated by the CIS itself without the need
for an input document.
e. Vulnerability of data and program storage media – large volumes of data and the computer programs
used to process such data may be stored on portable or fixed storage media, such as magnetic disks and
tapes. These media are vulnerable to theft, loss or intentional or accidental destruction.

INTERNAL CONTROL IN A CIS ENVIRONMENT – GENERAL CONTROLS


GENERAL CIS CONTROLS – relate to all EDP applications and are implemented to establish a framework of
overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of
internal controls are achieved. General controls may include:
a. Organization and management controls – designed to define strategic direction and establish an
organizational framework over CIS activities, including:
 Strategic information technology plan.
 CIS policies and procedures.
 Segregation of incompatible functions.
 Monitoring of CIS activities performed by third party consultants.
b. Development and maintenance controls – designed to provide reasonable assurance that systems are
developed or acquired, implemented and maintained in an authorized and efficient manner. They are also
typically designed to establish control over:
 Project initiation, requirements definition, systems design, testing, data conversion, go-live
decision, migration to production environment, documentation of new or revised systems and user
training.
 Acquisition and implementation of off-the-shelf packages.
 Request for changes to the existing systems.
 Acquisition, implementation and maintenance of system software.
c. Delivery and support controls – designed to control the delivery of CIS services including:
 Establishment of service level agreements against which CIS services are measured.
 Performance and capacity management controls.
 Event and problem management controls.
 Disaster recovery/contingency planning, training and file backup.
 Computer operations controls.
 Systems security.
 Physical and environment controls.
d. Monitoring controls – designed to ensure that CIS controls are working effectively as planned. These
include:
 Monitoring of key CIS performance indicators.
 Internal/external CIS audits.
Alternatively, general controls can be categorized into the following domains as per the AICPA audit guide:
a. Organizational and operational controls – segregation of duties provides the control mechanism for
maintaining an independent processing environment, thus meeting the control objectives.
 Segregate functions between the EDP department and user departments.
 Do not allow EDP department to initiate or authorize transactions.
 Segregate functions within the EDP department.

Auditor’s test of control – should include inquiry, observation, discussion and review of an appropriate
organization chart and of the responsibility for initiating and authorizing transactions; discrepancies should be
reported and the appropriate controls recommended.

Figure 5 – Sample Organizational Structure Within a CIS Department

 CIS Director – exercises control over the CIS operation.
 Systems analyst – designs new systems, evaluates and improves existing systems and prepares
specifications for programmers.
 Programmers – guided by the specifications of the systems analyst, the programmers write the
programs, test and debug them and prepare the computer operating instructions.
i. Systems programmer – in charge of the programs that make the hardware work, such as the
operating system, telecommunications monitor and database management system.
ii. Applications programmer – in charge of programs for specific uses.
 Computer operator – using the program and detailed operating instructions prepared by the
programmer, the computer operator operates the computer to process transactions.
 Data entry operator – prepares and verifies input data for processing.
 Data Librarian – maintains custody of systems documentation, programs and files.
 Control group – reviews all input procedures, monitors computer processing, follows up data
processing errors, reviews the reasonableness of output and distributes output to authorized
personnel.
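A check for incompatible duties of the kind the segregation bullets above call for, run over a constructed list of user-to-role assignments, as an added Python example that is not from the handout. The conflict pairs are assumptions drawn from the roles in the organizational structure above, and the user names and assignments are made up.

```python
from itertools import combinations

# Assumed pairs of duties that one person should not hold, based on the roles
# in the organizational structure above (illustrative, not a published standard)
INCOMPATIBLE = {
    frozenset({"programmer", "computer operator"}),       # could change a program and run it
    frozenset({"programmer", "data librarian"}),          # could alter production code in custody
    frozenset({"systems analyst", "computer operator"}),
    frozenset({"computer operator", "data librarian"}),
    frozenset({"data entry operator", "control group"}),  # prepares input and reviews it
}
EDP_ROLES = {"cis director", "systems analyst", "programmer", "computer operator",
             "data entry operator", "data librarian", "control group"}
USER_DEPT_DUTIES = {"initiate transaction", "authorize transaction"}

def find_conflicts(assignments):
    """assignments: iterable of (user, role). Returns a sorted list of
    (user, finding) for every incompatible combination held by one person."""
    by_user = {}
    for user, role in assignments:
        by_user.setdefault(user, set()).add(role.lower())
    findings = []
    for user, roles in sorted(by_user.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((user, f"incompatible duties: {a} + {b}"))
        # EDP staff must not initiate or authorize transactions
        if roles & EDP_ROLES and roles & USER_DEPT_DUTIES:
            findings.append((user, "EDP role combined with initiating/authorizing transactions"))
    return findings

# Constructed sample, as it might be extracted from an access-control listing
ASSIGNMENTS = [
    ("jdoe", "Programmer"), ("jdoe", "Computer operator"),
    ("asmith", "Systems analyst"),
    ("bchan", "Data librarian"),
    ("rlee", "Computer operator"), ("rlee", "Authorize transaction"),
    ("mgarcia", "Data entry operator"), ("mgarcia", "Control group"),
]

if __name__ == "__main__":
    for user, finding in find_conflicts(ASSIGNMENTS):
        print(f"{user}: {finding}")
```

Given the sample, jdoe (programmer and computer operator), mgarcia (data entry operator and control group) and rlee (a computer operator who can authorize transactions) are flagged. Run against an actual access-control listing, a check like this produces the discrepancies the test of control above asks to have reported.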
b. Systems development and documentation controls – within EDP, new systems are developed that either
replace an old system or enhance present systems. This environment requires unique controls to ensure that
the integrity of the overall system is maintained.
 User department must participate in systems design.
 Each system must have written specifications which are reviewed and approved by management
and by user departments.
 Both users and EDP personnel must test new systems.
 Management, users and EDP personnel must approve new systems before they are placed into
operation.
 All master file and transaction file conversion should be controlled to prevent unauthorized
changes and to verify the results on a 100% basis.
 After a new system is operating, there should be proper approval of all program changes.
 Proper documentation standards should exist to assure continuity of the system.
Auditor’s test of control – should determine that the systems development procedures that exist are
functioning properly and are adequately documented, and that all documentation pertaining to procedures,
programs or methodologies is up to date and written in clear and concise language.
c. Hardware and systems software controls – the reliability of EDP hardware has increased dramatically
over the years not only due to the advancements in technology but also due to the controls built into the
mechanism to detect and prevent equipment failures.
 Auditor should be aware of the control features inherent in computer hardware, operating system
and other supporting software and ensure that they are utilized to the maximum possible extent.
 Systems software should be subjected to the same control procedures as those applied to the
installation of and changes to application programs.
 Examples of hardware and software controls include:
i. Parity check – a special bit is added to each character stored in memory that can detect if
the hardware loses a bit during the internal movement of a character.
ii. Echo check – primarily used in telecommunications transmissions. During the sending
and receiving of characters, the receiving hardware repeats back to the sending hardware
what it received and the sending hardware automatically resends any characters that it
detects were received incorrectly.

Prepared by: Mohammad Muariff S. Balang, CPA, Second Semester, AY 2012-2013 Page | 7
iii. Diagnostic routines – hardware or software supplied by the manufacturer to check the
internal operations and devices within the computer system. These routines are often
activated when the system is booted up.
iv. Boundary protection – most CPUs have multiple jobs running simultaneously. To ensure
that these simultaneous jobs cannot destroy or change the allocated memory of another
job, the system contains boundary protection controls.
v. Periodic maintenance – the system should be examined periodically by a qualified
service technician to help prevent unexpected hardware failures.
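The parity check (i) and the echo check (ii) above can be simulated in a few lines. The following is an added example written for this handout, not code from the original or from any vendor; the storage cells, the FlakyLine transmission line and the message are constructed for the demonstration, and the echo path is assumed to be reliable so that only the forward transmission is corrupted.

```python
# Added example (not from the handout): simulating a parity check and an
# echo check on constructed data.

def parity_bit(byte: int) -> int:
    """Even parity: 1 if the byte has an odd number of 1-bits, else 0."""
    return bin(byte & 0xFF).count("1") % 2

def store_with_parity(data: bytes) -> list:
    """Model of main storage: each character is kept as (byte, parity bit)."""
    return [(b, parity_bit(b)) for b in data]

def parity_check(cells: list) -> list:
    """Positions whose byte no longer agrees with its stored parity bit."""
    return [i for i, (b, p) in enumerate(cells) if parity_bit(b) != p]

def flip_bit(cells: list, index: int, bit: int) -> list:
    """Simulate the hardware losing (inverting) one bit of one character."""
    damaged = list(cells)
    b, p = damaged[index]
    damaged[index] = (b ^ (1 << bit), p)
    return damaged

class FlakyLine:
    """Constructed transmission line that corrupts the transmissions whose
    1-based sequence number is in `corrupt_on` (deterministic for the demo)."""
    def __init__(self, corrupt_on):
        self.sent = 0
        self.corrupt_on = set(corrupt_on)

    def transmit(self, ch: int) -> int:
        self.sent += 1
        return ch ^ 0x01 if self.sent in self.corrupt_on else ch

def send_with_echo(message: bytes, line: FlakyLine, max_retries: int = 3):
    """Echo check: the receiver repeats back what arrived; the sender compares
    the echo with what it sent and resends on mismatch (echo path assumed
    reliable). Returns (delivered bytes, number of resends)."""
    delivered, resends = [], 0
    for ch in message:
        for _ in range(max_retries + 1):
            received = line.transmit(ch)   # what the receiver actually got
            if received == ch:             # echo agrees with what was sent
                delivered.append(received)
                break
            resends += 1                   # echo disagrees: resend the character
        else:
            raise RuntimeError("character could not be delivered after retries")
    return bytes(delivered), resends

if __name__ == "__main__":
    cells = store_with_parity(b"AUDIT")
    print("clean:", parity_check(cells))
    print("one bit lost:", parity_check(flip_bit(cells, 1, 3)))
    print("two bits lost:", parity_check(flip_bit(flip_bit(cells, 1, 3), 1, 5)))
    print("echo check:", send_with_echo(b"AUDIT", FlakyLine({2, 4})))
```

The two-bit case is the caveat an auditor should know: a single parity bit detects any odd number of lost bits in a character but lets an even number pass, which is why it is a hardware control and not a substitute for control totals over the data.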
Auditor’s test of control – should test whether the controls are functioning as intended. In addition, audit
software can be used to analyze the data collected by the diagnostic routines and detect significant trends.
d. Access controls – the computer system should have adequate security controls to protect equipment, files
and programs.
 Access to program documentation should be limited to those persons who require it in the
performance of their duties.
 Access to data files and programs should be limited to those individuals authorized to process
data.
 Access to computer hardware should be limited to authorized individuals such as computer
operators and their supervisors.
 Access to the EDP environment is controlled both physically and electronically.
i. Physical access controls – limited physical access (i.e. guard, automated key cards,
manual key locks as well as new access through fingerprints or palm prints) and use of ID
badge and visitor entry logs.
ii. Electronic access controls – access control software/user identification (i.e. identification
code and passwords), call back and encryption boards.
Auditor’s test of control – includes attempting to violate the system, either physically or electronically, or
reviewing any unauthorized access that has been recorded. The tests should also ensure that all security
violations are followed up on to establish whether they were errors.
e. Data and procedural controls – a written manual of systems and procedures should be prepared for all
computer operations and should provide for management’s general or specific authorization to process
transactions. An independent party should review and evaluate proposed systems at critical stages of
development and review and test computer processing activities.
 A control group should receive all data to be processed, ensure that all data are recorded, follow
up errors during processing and determine that transactions are corrected and resubmitted by the
proper user personnel and verify the proper distribution of output.
 To prevent unnecessary stoppages or errors in processing, the following specific controls should
be implemented:
i. Operations run manual – specifies in detail the “how to’s” for each application to
enable the computer operator to respond to any errors that may occur.
ii. Backup and recovery – to ensure preservation of historical records and the ability to
recover from an unexpected error, files created within EDP are backed up in a systematic
manner (i.e. “snapshot” in a database system, grandfather-father-son method, off-site storage of
critical files).
iii. Contingency processing – detailed contingency processing plans should be developed to
prepare for natural disasters, man-made disasters or general hardware failures that disable
the data center (i.e. very hot sites, hot sites and cold sites).
iv. File protection ring – used to ensure that an operator does not use a magnetic tape as a
tape to write on when it actually has critical information on it.
v. Internal and external labels – allows the computer operator to determine whether the
correct file has been selected for processing.
Auditor’s test of control – normally include identification, observation and inquiry. While some of the data
and procedural controls are easy to implement, other controls such as contingency processing are more
difficult and costly to implement. The auditor should determine that these controls are either present or that
management has accepted the related risks and that all exceptions are scrutinized.

INTERNAL CONTROL IN A CIS ENVIRONMENT – APPLICATION CONTROLS


CIS APPLICATION CONTROLS – relate to a specific application instead of multiple applications and are
implemented to establish specific control procedures over the application systems in order to provide reasonable
assurance that all transactions are authorized, recorded and are processed completely, accurately and on a timely
basis. CIS application controls include:
a. Controls over input – designed to provide assurance that:
 Transactions are properly authorized before being processed by the computer.
 Transactions are accurately converted into machine readable form and recorded in the computer
data files.
 Transactions are not lost, added, duplicated or improperly changed.
 Incorrect transactions are rejected, corrected and if necessary, resubmitted on a timely basis.
Input controls attempt to ensure the validity, accuracy and completeness of data entered into a CIS. Input
controls may be subdivided into:
 Data observation and recording, includes:
i. The use of pre-numbered and pre-printed documents.
ii. Keeping blank forms under lock and key.
iii. Online computer systems offer menu screens, preformatted screens, scanners that
read bar codes and feedback mechanisms to approve a transaction.
iv. Self-checking digit – mathematically calculated digit which is usually added to a
document number to detect common transpositional errors in data submitted for
processing.
 Data transcription (batching and converting), includes:
i. Carefully structured source documents and input screens.
ii. Control totals – computed based on the data submitted for processing. They are further
categorized into financial totals (also called amount, control, batch or proof totals), hash totals and record counts.
iii. Key verification requiring data to be entered twice.
iv. Visual verification.
 Edit tests of transaction data, includes:
i. Validity check – a check which allows only valid transactions or data to be entered into
the system (i.e. M – male; F – female).
ii. Reasonableness and limit check – these tests determine whether amounts entered are too
high, too low or unreasonable (i.e. hours worked should not exceed 40 hours a week and an
increase in salary should be reasonable compared to the salary base).
iii. Field check – a check that makes certain that only numbers, alphabetical characters,
special characters and proper negative and positive signs are accepted into a specific data
field where they are required (i.e. numbers do not appear in fields reserved for words).
iv. Sequence check – a check that requires successive input data are in some prescribed order
to avoid missing out an input.
v. Field size check – requires an error message to result when a field must contain an exact
number of characters and the input does not meet that length.
vi. Logic check – ensures that illogical combinations of inputs are not accepted into the
computer.
vii. Range check – particular fields fall within specified ranges.
 Transmission of transaction data, includes:
i. Echo check – transmitting data back to the originating terminal for comparison with the
transmitted data.
ii. Redundancy data check – transmitting additional data to aid in the verification process.
iii. Completeness check – verifying that all required data have been entered and transmitted.
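The self-checking digit and the programmed edit tests listed above can be shown together as one edit routine run over a batch of input transactions. The following is an added example written for this handout, not code from the original; the payroll record layout (employee number with check digit, sex code, department, hours, overtime, rate, sequence number), the limits used and the sample records are all constructed for the demonstration. The check digit uses a weighted modulus-11 scheme, chosen here because adjacent weights differ by one and so a transposition of adjacent digits always changes the digit.

```python
# Added example (not from the handout): a self-checking digit and programmed
# input edit tests applied to constructed payroll transactions.

def check_digit(number: str) -> str:
    """Weighted modulus-11 check digit. Weights run n+1 .. 2 over the digits,
    so swapping two adjacent digits changes the weighted sum by a non-zero
    amount modulo 11 and the transposition is detected. 'X' stands for 10."""
    weights = range(len(number) + 1, 1, -1)          # 7,6,5,4,3,2 for six digits
    total = sum(int(d) * w for d, w in zip(number, weights))
    cd = (11 - total % 11) % 11
    return "X" if cd == 10 else str(cd)

def has_valid_check_digit(number_with_cd: str) -> bool:
    body, cd = number_with_cd[:-1], number_with_cd[-1]
    return body.isdigit() and check_digit(body) == cd

REQUIRED = ("seq", "emp_no", "sex", "dept", "hours", "overtime", "rate")
VALID_SEX = {"M", "F"}                                # validity check table

def edit_transaction(rec: dict, prev_seq: int) -> list:
    """Return the list of edit failures for one record (empty if it passes)."""
    errors = []
    missing = [f for f in REQUIRED if f not in rec]   # completeness check first
    if missing:
        return ["completeness: " + ", ".join(missing)]
    if rec["sex"] not in VALID_SEX:                   # validity check
        errors.append("validity: sex")
    if not rec["dept"].isalpha():                     # field check (letters only)
        errors.append("field: dept")
    if len(rec["emp_no"]) != 7:                       # field size check
        errors.append("field size: emp_no")
    elif not has_valid_check_digit(rec["emp_no"]):    # self-checking digit
        errors.append("check digit: emp_no")
    if rec["hours"] > 40:                             # limit check
        errors.append("limit: hours")
    if not 10 <= rec["rate"] <= 500:                  # range check
        errors.append("range: rate")
    if rec["overtime"] > 0 and rec["hours"] < 40:     # logic check
        errors.append("logic: overtime without full hours")
    if rec["seq"] != prev_seq + 1:                    # sequence check
        errors.append("sequence: seq")
    return errors

def run_edits(records: list):
    """Edit a batch in input order; returns (accepted seqs, {seq: errors})."""
    accepted, rejected, prev_seq = [], {}, 0
    for rec in records:
        errors = edit_transaction(rec, prev_seq)
        if errors:
            rejected[rec["seq"]] = errors
        else:
            accepted.append(rec["seq"])
        prev_seq = rec.get("seq", prev_seq)
    return accepted, rejected

# Constructed sample batch: one clean record and four that each plant errors.
SAMPLE_RECORDS = [
    {"seq": 1, "emp_no": "1042572", "sex": "M", "dept": "ACCT", "hours": 40, "overtime": 2, "rate": 85},
    {"seq": 2, "emp_no": "1024572", "sex": "F", "dept": "ACCT", "hours": 38, "overtime": 0, "rate": 90},  # digits transposed
    {"seq": 3, "emp_no": "200318X", "sex": "X", "dept": "AC7", "hours": 45, "overtime": 5, "rate": 60},
    {"seq": 5, "emp_no": "1042572", "sex": "M", "dept": "SALES", "hours": 30, "overtime": 3, "rate": 5},  # seq 4 missing
    {"seq": 6, "emp_no": "1042572", "sex": "F", "dept": "ACCT", "hours": 40, "overtime": 0},             # rate missing
]

if __name__ == "__main__":
    accepted, rejected = run_edits(SAMPLE_RECORDS)
    print("accepted:", accepted)
    for seq, errs in rejected.items():
        print("rejected", seq, errs)
```

Rejected records are reported with every failure found rather than only the first, which is what lets the control group correct a transaction once and resubmit it.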
b. Controls over processing and computer data files – designed to provide a reasonable assurance that:
 Transactions, including system generated transactions, are properly processed by the computer.
 Transactions are not lost, added, duplicated or improperly changed.
 Processing errors are identified and corrected on a timely basis.
Processing controls help assure that data are processed accurately and completely and that no unauthorized
transactions are included, that proper files and programs are included and that all transactions can be easily
traced. Processing controls include:
 Manual cross checks – include checking the work of another employee, reconciliations and
acknowledgments.
 Processing logic checks – many of the programmed edit checks used in the input stage may also
be employed during processing.
 Run-to-run totals – batched data should be controlled during processing runs so that no records
are omitted from or incorrectly inserted into a transaction file.
 File and program changes – to ensure that transactions are posted to the proper account, master
files should be checked for correctness and programs should be validated.
 Audit trail linkages – a clear audit trail is needed to enable individual transactions to be traced, to
provide support for general ledger balances, to prepare financial reports and to correct transaction
errors or lost data.
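Batch control totals (under data transcription, above) and run-to-run totals are the same idea applied at two points: the totals are computed when the batch is submitted and then carried from one processing run to the next. The following is an added example written for this handout, not code from the original; the invoice batch and the three processing runs are constructed, and the posting run is given a deliberate fault so that the reconciliation has something to catch. Amounts are held as whole centavos so the totals are exact.

```python
# Added example (not from the handout): batch control totals carried forward
# run to run over a constructed invoice batch.

# Constructed batch; amounts in centavos (integers) so totals are exact.
SAMPLE_BATCH = [
    {"invoice": 5001, "customer": 1203, "amount": 125000},
    {"invoice": 5002, "customer": 1187, "amount": 31050},
    {"invoice": 5003, "customer": 1203, "amount": 8999},
    {"invoice": 5004, "customer": 1342, "amount": 240000},
]

def control_totals(records: list) -> dict:
    """Record count, financial (amount) total and a hash total of the customer
    numbers, a field whose sum has no meaning except as a control."""
    return {
        "record_count": len(records),
        "amount_total": sum(r["amount"] for r in records),
        "hash_total": sum(r["customer"] for r in records),
    }

def reconcile(expected: dict, actual: dict) -> dict:
    """Totals that disagree, as name -> (expected, actual)."""
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}

# Three constructed processing runs. The posting run has a fault: it posts
# invoice 5002 twice and drops 5003, so the record count is unchanged and only
# the amount and hash totals reveal the error.
def edit_run(records: list) -> list:
    return [r for r in records if r["amount"] > 0]

def sort_run(records: list) -> list:
    return sorted(records, key=lambda r: r["customer"])

def faulty_posting_run(records: list) -> list:
    posted = []
    for r in records:
        if r["invoice"] == 5003:      # record dropped
            continue
        posted.append(r)
        if r["invoice"] == 5002:      # record duplicated
            posted.append(r)
    return posted

RUNS = [("edit", edit_run), ("sort", sort_run), ("posting", faulty_posting_run)]

def run_to_run(batch: list, runs: list) -> list:
    """Carry the totals of each run forward and reconcile them against the
    next run's output. Returns [(run name, discrepancies)] in run order."""
    carried, current, report = control_totals(batch), batch, []
    for name, fn in runs:
        current = fn(current)
        now = control_totals(current)
        report.append((name, reconcile(carried, now)))
        carried = now
    return report

if __name__ == "__main__":
    print("input totals:", control_totals(SAMPLE_BATCH))
    for name, diffs in run_to_run(SAMPLE_BATCH, RUNS):
        print(name, "OK" if not diffs else diffs)
```

The posting run is the point of the example: a record count alone would pass it, which is why a batch is controlled with a financial total and a hash total as well.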
c. Controls over output – designed to provide reasonable assurance that:
 Results of processing are accurate.
 Access to output is restricted to authorized personnel.
 Output is provided to appropriate authorized personnel on a timely basis.
The following controls are frequently used to maintain the integrity of processing:
 Control totals – are compared with those computed prior to processing to ensure completeness of
information.
 Limiting the quantity of output and total processing time.

REVIEW OF CIS CONTROLS – general CIS controls that relate to some or all applications are typically
interdependent controls in that their operation is often essential to the effectiveness of CIS application controls.
Also, the general CIS controls may have a pervasive effect on the processing of transactions in application systems.

If these controls are not effective, there may be a risk that misstatements might occur and go undetected in the
application system. Thus, weakness in general CIS controls may preclude testing certain CIS application controls.
Accordingly, it may be more efficient to review the design of the general controls first before reviewing the
applications controls. CIS application controls which the auditor may wish to test include:
a. Manual controls exercised by the user.
b. Controls over system output.
c. Programmed controls procedures.

ELECTRONIC DATA INTERCHANGE


Electronic data interchange (EDI) is the electronic exchange of transactions from one entity’s computer to another
entity’s computer through an electronic communications network. In electronic fund transfers, for example,
electronic transactions replace checks as a means of payment. EDI controls include:
a. Authentication – controls must exist over the origin, proper submission and proper delivery of EDI
communications to ensure that the EDI messages are accurately sent and received to and from authorized
customers and suppliers.
b. Encryption – involves conversion of plain text data to cipher text data to make EDI messages unreadable
to unauthorized persons.
c. Value added network (VAN) controls – a VAN is a computer service organization that provides network,
storage and forwarding (mailbox) services for EDI messages.

AUDIT APPROACHES AND CAATs


A CIS audit may follow two major approaches, to which some add a third, as follows:
a. Auditing around the computer – the auditor ignores or bypasses the computer processing function of an
entity’s EDP system. This approach focuses on examining source documents or input and checking the
final output based on those documents. This method can only be used if all of the following conditions are
met:
 The source documents must be available in a form readable by a human.
 The documents must be maintained in a manner that makes it possible to locate them for auditing
purposes.
 The output must be listed in sufficient detail to enable the auditor to trace individual transactions
from the source documents to the output and vice versa.
b. Auditing through the computer – the auditor enters the client’s system and examines directly the
computer and its system and application software. The focus of this approach is on the effectiveness of
computer controls.
c. Auditing with the computer – the computer is used as an audit tool.

COMPUTER ASSISTED AUDIT TOOLS/TECHNIQUES (CAATs) are computer programs and data the
auditor uses as part of the audit procedures to process data of audit significance contained in an entity’s information
systems. The data may be transaction data on which the auditor wishes to perform tests of controls or substantive
procedures or they may be other types of data.
CAATs may be used in performing various auditing procedures, including the following:
a. Tests of details of transactions and balances.
b. Analytical procedures.
c. Tests of general controls.
d. Sampling programs to extract data for audit testing.
e. Tests of application controls.
f. Reperforming calculations performed by the entity’s accounting systems.

CAATs FOR TEST OF CONTROLS


PROGRAM ANALYSIS – techniques that allow the auditor to gain an understanding of the client’s program.
a. Code review – involves actual analysis of the logic of the program’s processing routines.
b. Code comparison – programs that allow the auditor to compare computerized files.
c. Flowcharting software – used to produce a flowchart of a program’s logic and may be used both in
mainframe and microcomputers.
d. Program tracing and mapping – program tracing is a technique in which each instruction executed is listed
along with the control information affecting that instruction. Program mapping identifies sections of code which
may be a potential source of abuse.
e. Snapshot – this technique takes a picture of the status of program execution, intermediate results or
transaction data at specified processing points in the program.

PROGRAM TESTING – involves the use of auditor-controlled actual or simulated data.


a. Historical audit techniques – test computer controls at a point in time.
 Test data – a set of dummy transactions specifically designed to test the control activities that
management claims to have incorporated into the processing programs. Test data shifts control
over processing to the auditor by using the client’s software to process auditor prepared test data
that includes both valid and invalid conditions. If embedded controls are functioning properly, the
client’s software should detect all the exceptions planted in the auditor’s test data. This technique
would be ineffective if the client does not use the software tested.

Figure 2 – Test Data

 Base case system evaluation (BCSE) – develops test data that purports to test every possible
condition that an auditor expects a client’s software will confront. BCSE provides an auditor with
much more assurance than test data alone but it is expensive to develop and therefore cost-
effective only in large computer systems.
 Integrated test facility - a variation of test data whereby simulated data and actual data are run
simultaneously with the client’s program and computer results are compared with auditor’s
predetermined results. The technique provides assurance that the software tested is actually used
to prepare financial reports.

Figure 3 – Integrated Test Facility

 Parallel simulation – involves processing the client’s live (actual) data using the auditor’s
generalized audit software. If the entity’s controls have been operating effectively, the client’s
software should generate the same exceptions as the auditor’s software. This
technique should be performed on a surprise basis if possible.

Figure 4 – Parallel Simulation

 Control reprocessing – a variation of parallel simulation which involves processing of actual
client data through a copy of the client’s application program.
b. Continuous audit techniques – test computer controls throughout the period.
 Audit modules – programmed audit routines incorporated into application programs that are
designed to perform an audit function such as a calculation or logging activity.
 System control audit review files (SCARFs) – logs that collect transaction information for
subsequent review and analysis by the auditor.
 Audit hooks – “exits” in an entity’s computer program that allow an auditor to insert commands
for audit processing.
 Transaction tagging – a transaction record is “tagged” and then traced through critical points in
the information system.
 Extended records – this technique attaches additional audit data which would not otherwise be
saved to regular historic records and thereby helps to provide a more complete audit trail.

REVIEW OF OPERATING SYSTEM AND OTHER SYSTEMS SOFTWARE


a. Job accounting data/operating system logs – these logs, which track particular functions, include reports of
the resources used by the computer system. The auditor may be able to use them to review the work
processed, to determine whether unauthorized applications were processed and to determine that authorized
applications were processed properly.
b. Library management software – this logs changes in programs, program modules, job control language
and other processing activities.
c. Access control and security software – this restricts access to computers to authorized personnel through
techniques such as allowing certain users “read-only” access only, or through the use of encryption.

OTHER CAATs
Other techniques which an auditor can use in the audit under a CIS environment include:
a. Audit software – computer programs used to process data of audit significance from the client’s
accounting system.
 Package programs (also known as generalized audit software) – programs that can be used for
numerous clients. They can be designed to perform different audit tasks such as:
 Purpose-written programs (also known as special-purpose or custom-designed programs) –
computer programs designed for specific audit tasks.
 Utility programs – part of the systems software that performs routine CIS tasks. They are
generally not designed for audit purposes.
b. Electronic spreadsheets – contain a variety of pre-defined mathematical operations and functions that can
be applied to data entered into the cells of a spreadsheet.
c. Automated work paper software – designed to generate a trial balance, lead schedules and other reports
useful for the audit. The schedules and reports can be created once the auditor has either manually entered
or electronically imported the client’s account balance information into the system.
d. Text retrieval software – allows the user to view any text that is available in an electronic format. The
software program allows the user to browse through text files much as a user would browse through books.
e. Database management systems – manage the creation, maintenance and processing of information. The
data are organized in the form of predefined records and the database software is used to select, update,
sort, display or print the records.
f. Public databases – may be used to obtain accounting information related to particular companies and
industries.
g. Word processing software

USING AND CONTROLLING CAATs


Several factors are to be considered in deciding whether CAATs should be used in the audit, including:
a. Degree of technical competence in CIS.
b. Availability of CAATs and appropriate computer facilities.
c. Impracticability of manual tests.
d. Effectiveness and efficiency of CAATs.
e. Timing of tests.
Procedures to control the use of audit software may include:
a. Participating in the design and testing of computer programs.
b. Checking the coding of the program.
c. Requesting the client’s CIS personnel to review the operating system instructions.
d. Running the audit software on small test files before running them on main data files.
e. Ensuring that the correct files were used.
f. Obtaining evidence that the audit software functioned as planned.
g. Establishing appropriate security measures to safeguard against manipulation of the entity’s data files.
Procedures to control the use of test data may include:
a. Controlling the sequence of submission of test data where it spans several processing cycles.
b. Performing test runs.
c. Predicting the results of test data.
d. Confirming that the current version of the program was used.
e. Obtaining reasonable assurance that the programs used to process the test data were used by the entity
throughout the applicable audit period.

USING CAATs IN SMALL BUSINESS COMPUTER ENVIRONMENTS
The general principles outlined are applicable in small business computer environments. However, the following
points should be given special consideration in these environments:
a. The level of general CIS controls may be such that the auditor will place less reliance on the system of
internal control resulting in:
 Greater emphasis on tests of details of transactions and balances and analytical review procedures,
which may increase the effectiveness of certain CAATs, particularly audit software.
 The application of audit procedures to ensure the proper functioning of the CAATs and validity of
the entity’s data.
b. In cases where smaller volumes of data are processed, manual methods may be more cost-effective.
c. Adequate technical assistance may not be available to the auditor from the entity, thus, making the use of
CAATs impracticable.
d. Certain audit package programs may not operate on small computers, thus, restricting the auditor’s choice
of CAATs. However, the entity’s data files may be copied and processed on another suitable computer.
