COMPUTER SYSTEM – refers collectively to all the interconnected hardware including the processors, storage
devices, input/output devices and communications equipment.
a. Computer hardware – the physical devices that comprise a computer system. The principal hardware
component is the central processing unit (CPU) which performs the processing functions which include the
storage of information, arithmetic and logic operations and control. Additionally, the CPU controls the
input and output devices.
Main storage unit – used to temporarily store programs and data for processing.
Arithmetic and logic unit – performs the arithmetic tasks (addition, subtraction, multiplication
and division), comparisons and other types of data transformations. The data and instructions
needed for the operation are called from the computer’s main storage. After the operation, the
results are returned to the main storage unit.
Control unit – regulates the activities of the other devices by retrieving machine language
instructions from the main storage units and then interpreting instructions.
Input devices – prepare and insert data and instructions into the computer after translating them
into computer language. Examples are the keyboards and bar code reader.
Output devices – translate the processed data back into the language of written words out of the
computer to the accountant or other users. Examples are the monitor and printers.
b. Computer software – the programs, routines and procedures used to direct the functions of a computer
system.
Systems software – operates the computer system and performs routine tasks for the users. It helps
the operator use the machine and generates interaction between the computer, its peripherals, other
programs and sets of data to be used and the operator himself. The system software also translates
programming languages.
i. Operating system – a highly complex set of programs designed to serve as a means
of communication between the computer hardware and the human operator; schedule,
load, initiate and supervise the execution of programs; initiate and control input and
output operations; and manage and control compilers and utility programs.
ii. Utility programs – a program or group of programs designed to perform commonly
encountered data handling functions such as sorting files and copying data from one file
to another.
iii. Compilers and interpreters – compilers are programs that translate high level languages
(source code) into machine language (object code), which can be placed into the main
storage and executed. Interpreters do exactly the opposite of what compilers do.
Applications software – programs that help the operator use the computer to do specified tasks or
to solve particular processing jobs.
c. Computer installations – are the facilities where the computer hardware and personnel are located.
Computer installations are generally organized into one of the following categories:
In-house or captive computer – the organization owns or leases the equipment and hires the
necessary trained personnel to program, operate and control the various applications processed
with the equipment.
Service bureau computer – the computer is used by an independent agency which rents computer
time and provides programming, key punching and other services. The user organization pays only
for the computer time and other services it uses.
Time sharing – under this system, the organization acquires a keyboard device capable of
transmitting and receiving data and by agreement, the right to use a central computer facility. This
facility will furnish service to several users at the same time. The user company does most of its
own programming and treats the computer as though the company were the one using it. When the
company needs service, it accesses the computer facility by means of a communication line,
submits its user number and password, calls for its files and then begins to process the necessary
data.
Prepared by: Mohammad Muariff S. Balang, CPA, Second Semester, AY 2012-2013 Page | 1
Facilities management – falls somewhere between the captive computer and the service bureau
computer categories. Under this system, the organization needing computer services may lease or
purchase the necessary hardware and install it on its own premises. Then by negotiation, an
outside contractor with the necessary staff of programmers and operators agrees to manage the
facility. In some instances, the contractor may own or lease the equipment.
NETWORK ENVIRONMENT
A network environment is a communication system that enables computer users to share computer equipment,
application software, data and voice and video transmissions. A file server is a computer with an operating system
that allows multiple users in a network to access software applications and data files. Basic types of networks
include:
a. Local area network (LAN) – an arrangement where two or more personal computers are linked together
through the use of special software and communication lines. A LAN allows the sharing of resources such
as storage facilities and printers.
b. Wide area network (WAN) – created to connect two or more geographically separated LANs. A WAN
typically involves one or more long-distance providers, such as a telephone company to provide the
connections.
c. Metropolitan area network (MAN) – a type of network in which multiple buildings are close enough to create
a campus but the space between the buildings is not under the control of the company.
A network’s topology pertains to how the various elements of the network are arranged. A network can be arranged
in various forms as follows:
a. Star topology – a network of computers with a large central computer (the host). The host computer has
direct connections to smaller computers, typically desktop or laptop PCs. All communications must go
through the host computer, except for local computing.
b. Hierarchical or tree topology – a host computer is connected to several levels of subordinate smaller
computers in a master-slave relationship.
c. Ring topology – this configuration eliminates the central site. All nodes in this configuration are of equal
status (peers). In this arrangement, the responsibility for managing communications is distributed among
the nodes. Common resources that are shared by all nodes can be centralized and managed by a file server
that is also a node.
d. Bus topology – the nodes are all connected to a common cable – the bus. Communications and file
transfers between workstations are controlled by a server. It is generally less costly to install than a ring
topology.
e. Mesh or double star topology – similar to star topology but with greater redundancy. It offers the greatest
resiliency but is the most expensive to implement.
f. Client-server architecture – distributes the processing between the user’s (client’s) computer and the
central file server. Both types of computers are part of the network but each is assigned functions that it
best performs. This approach reduces data communications traffic, thus reducing queues and increasing
response time.
g. Cloud computing – internet-based computing whereby shared resources, software and information
are provided to computers and other devices on demand like the electricity grid. In general, the customers
do not own the physical infrastructure, instead avoiding capital expenditure by renting usage from a third
party provider. They consume resources as a service and pay only for resources that they use.
Some devices and peripherals are needed for a network to exist and properly function. Computer networks warrant
or may warrant the use of:
a. Network interface cards (NICs) – are circuit boards used to transmit and receive commands and messages
between a PC and a LAN.
b. Modems – a device that modulates and demodulates signals. They are primarily used for converting digital
signals into quasi-analog signals for transmission over analog communication channels and for
reconverting the quasi-analog signals into digital signals.
c. Repeaters – offer the simplest form of interconnectivity. They merely generate or repeat data packets or
electric signals between cable segments.
d. Hubs – hubs concentrate connections. In other words, they take a group of hosts and allow the network to
see them as a single unit.
e. Bridges – a bridge is a device that connects similar or dissimilar LANs together to form an extended LAN.
It can also connect LANs and WANs. Bridges are protocol independent devices and are designed to store
and forward frames destined for another LAN.
f. Switches – workgroup switches add more intelligence to data transfer management. They can determine if
data should remain on a LAN and transfer data only to the connection that needs it. Another difference
between a bridge and switch is that a switch does not convert data transmission formats.
g. Routers – routers have both LAN and WAN interfaces. Routers are the backbone devices of large intranets
and of the internet. They select the best path and switch packets to the proper interface.
h. Gateways – used to connect LANs to host computers. Gateways act as translators between networks using
incompatible transport protocols. A gateway is used to interconnect networks that may have different
architectures.
Processing information in a network can also be done in various ways including:
a. Centralized processing – a system where processing is done at a central location using terminals that are
attached to a central computer. The computer itself may control all the peripherals or they may be attached
via terminal server.
b. Distributed data processing – a system with several computers that are connected for communication and
data transmission purposes but where each computer can also process its own data.
c. End user computing – a system in which the end user is responsible for the development and execution of
the computer application that he or she uses.
DATABASE SYSTEMS
Database systems have two components, namely:
a. Database – composed of data which are set up with defined relationships and are organized in a manner
that permits many users to use the data in different application programs.
b. Database management system (DBMS) – software that creates, maintains and operates the database. It is
a special software system that is programmed to know which data elements each user is authorized to
access. The user’s program sends requests for data to the DBMS, which validates and authorizes access to
the database in accordance with the user’s level of authority. If the user requests data that he or she is not
authorized to access, the request is denied.
Database systems are characterized by:
a. Data sharing – ability of a database to allow multiple users to access information at the same time.
b. Data independence – refers to the immunity of user applications to changes in the definition and
organization of data.
Database processing is dependent on an on-line/real time system.
Generally, internal control in a database environment requires effective controls over the database, the DBMS and
the applications. User access to the database can be restricted through the use of passwords. These restrictions apply
to individuals, terminal devices and programs.
a. Discretionary access controls – allow users to specify who can access data they own and what action
privileges they have with respect to that data.
b. Mandatory access controls – require a database administrator to assign security attributes to data that
cannot be changed by database users. In effect, the users are not permitted to see or update all data in the
database.
SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC) – a systematic approach to solving business problems. The
cycle involves a logical sequence of activities used to identify new systems needs and to develop new systems to
support those needs. Each phase in the cycle has unique activities and widely varies from one organization to
another.
a. Feasibility phase – involves systems planning and system evaluation and selection
System planning – aims to link individual system projects or application to the strategic objectives
of the firm.
System evaluation and selection – an optimization process that seeks to identify the best system.
i. Perform a detailed feasibility study – should cover the technical, legal, operational and
schedule feasibility of the system.
ii. Perform a cost-benefit analysis – entails the use of capital budgeting techniques.
b. Requirement specification – involves systems analysis and conceptual systems design.
Systems analysis – a two-step process involving first a survey of the current system and
then an analysis of the user’s needs.
Conceptual systems design – this stage’s purpose is to produce several alternative conceptual
systems that satisfy the system requirements identified during systems analysis.
c. Systems design – the goal of this phase is to produce a detailed description of the proposed system that
both satisfies the system requirements identified during systems analysis and is in accordance with the
conceptual design. In this phase, all components are meticulously specified. After completing this phase,
the development team usually performs a system design walkthrough to ensure that the design is free from
conceptual errors that could become programmed into the final system.
d. Systems development and programming – programs are written to create the software necessary to make
the information system operational. This phase includes the following activities:
System specifications review.
Program identification and description.
Program coding.
Testing the application software.
Documentation.
e. Systems conversion and implementation – database structures are created and populated with data,
equipment is purchased and installed, employees are trained, the system is documented and the new system is
installed. Common approaches to systems conversion:
Parallel conversion – operates the old and new system simultaneously.
Direct conversion – involves immediate conversion to the new system throughout the
organization.
Phased conversion – the information system is implemented one module at a time by either
parallel or direct conversion.
Pilot conversion – the new system is implemented by parallel, direct or phased conversion as a
pilot system in only one of the several areas for which it is targeted.
Prototype conversion – involves developing and putting into operation successively more refined
versions of the system until sufficient information is obtained to produce a satisfactory design.
f. Post-implementation review and system maintenance – after implementing the system, a critical
examination of the system must be made to check on the progress of the implementation and whether
corrective measures have to be made. Throughout the life of the system, continuing monitoring,
evaluation and modification of the system also have to be done to ensure that objectives are achieved or new
needs or problems are addressed.
The participants in the systems development are:
a. Systems professionals – are the system analysts, systems engineers and programmers. These individuals
actually build the system.
b. End users – are those for whom the system is built.
c. Stakeholders – are individuals either within or outside the organization who have an interest in the system
but are not end users.
d. Accountants and auditors – are the individuals who address the controls, accounting and auditing issues
for systems development. Accountants are involved in the SDLC in three ways as users, as members of the
development team and as auditors.
The SDLC process is of interest to accountants and auditors for two reasons:
a. The creation of an information system entails significant financial transactions.
b. The quality of accounting information rests directly on the SDLC activities that produce accounting
information systems.
NATURE OF PROCESSING – the use of computers may result in the design of systems that provide less visible
evidence than those using manual procedures. In addition, these systems may be accessible by a larger number of
persons. System characteristics that may result from the nature of CIS processing include:
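a. Absence of input documents – data may be entered directly into the computer system without supporting
documents. In some on-line transaction systems, written evidence of individual data entry authorization may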
be replaced by other procedures such as authorization controls contained in computer programs.
b. Lack of visible audit trail – the transaction trail may be partly in machine-readable form and may exist
only for a limited period of time.
c. Lack of visible output – certain transactions or results of processing may not be printed or only a summary
of data may be printed.
d. Ease of access to data and computer programs – data and computer programs may be accessed and
altered at the computer or through the use of computer equipment at remote locations. Therefore, in the
absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of,
data and programs by persons inside or outside the entity.
DESIGN AND PROCEDURAL ASPECTS – the development of CIS will generally result in design and
procedural characteristics that are different from those found in manual systems. These different design and
procedural aspects of CIS include:
a. Consistency of performance – CIS perform functions exactly as programmed and are potentially more
reliable than manual systems, provided that all transaction types and conditions that could occur are
anticipated and incorporated into the system. On the other hand, a computer program that is not correctly
programmed and tested may consistently process transactions or other data erroneously.
b. Programmed control procedures – the nature of computer processing allows the design of internal
control procedures in computer programs.
c. Single transaction update of multiple or database computer files – a single input to the accounting
system may automatically update all records associated with the transaction.
d. Systems generated transactions – certain transactions may be initiated by the CIS itself without the need
for an input document.
e. Vulnerability of data and program storage media – large volumes of data and the computer programs
used to process such data may be stored on portable or fixed storage media, such as magnetic disks and
tapes. These media are vulnerable to theft, loss or intentional or accidental destruction.
Auditor’s test of control – should include inquiry, observation, discussion and review of an appropriate
organization chart, responsibility for initiating and authorizing transactions, discrepancies should be
reported and the appropriate controls recommended.
iii. Diagnostic routines – hardware or software supplied by the manufacturer to check the
internal operations and devices within the computer system. These routines are often
activated when the system is booted up.
iv. Boundary protection – most CPUs have multiple jobs running simultaneously. To ensure
that these simultaneous jobs cannot destroy or change the allocated memory of another
job, the system contains boundary protection controls.
v. Periodic maintenance – the system should be examined periodically by a qualified
service technician to help prevent unexpected hardware failures.
Auditor’s test of control – should test whether the controls are functioning as intended. In addition, audit
software can be used to analyze the data collected by the diagnostic routines and detect significant trends.
d. Access controls – the computer system should have adequate security controls to protect equipment, files
and programs.
Access to program documentation should be limited to those persons who require it in the
performance of their duties.
Access to data files and programs should be limited to those individuals authorized to process
data.
Access to computer hardware should be limited to authorized individuals such as computer
operators and their supervisors.
Access to the EDP environment is affected both physically and electronically.
i. Physical access controls – limited physical access (e.g. guards, automated key cards,
manual key locks as well as new access through fingerprints or palm prints) and use of ID
badges and visitor entry logs.
ii. Electronic access controls – access control software/user identification (e.g. identification
codes and passwords), call back and encryption boards.
Auditor’s test of control – include attempting to violate the system, either physically or electronically, or
reviewing any unauthorized access that has been recorded. The tests should also ensure that all security
violations are followed up on to ensure they are errors.
e. Data and procedural controls – a written manual of systems and procedures should be prepared for all
computer operations and should provide for management’s general or specific authorization to process
transactions. An independent party should review and evaluate proposed systems at critical stages of
development and review and test computer processing activities.
A control group should receive all data to be processed, ensure that all data are recorded, follow
up errors during processing and determine that transactions are corrected and resubmitted by the
proper user personnel and verify the proper distribution of output.
To prevent unnecessary stoppages or errors in processing, the following specific controls should
be implemented:
i. Operations run manual – specifies in detail the “how to’s” for each application to
enable the computer operator to respond to any errors that may occur.
ii. Backup and recovery – to ensure preservation of historical records and the ability to
recover from an unexpected error, files created within EDP are backed up in a systematic
manner (e.g. “snapshot” in a database system, grandfather-father-son method, off-site storage of
critical files).
iii. Contingency processing – detailed contingency processing plans should be developed to
prepare for natural disasters, man-made disasters or general hardware failures that disable
the data center (e.g. very hot sites, hot sites and cold sites).
iv. File protection ring – used to ensure that an operator does not use a magnetic tape as a
tape to write on when it actually has critical information on it.
v. Internal and external labels – allow the computer operator to determine whether the
correct file has been selected for processing.
Auditor’s test of control – normally include identification, observation and inquiry. While some of the data
and procedural controls are easy to implement, other controls such as contingency processing are more
difficult and costly to implement. The auditor should determine that these controls are either present or that
management has accepted the related risks and that all exceptions are scrutinized.
Input controls attempt to ensure the validity, accuracy and completeness of data entered into a CIS. Input
controls may be subdivided into:
Data observation and recording, includes:
i. The use of pre-numbered and pre-printed documents.
ii. Keeping blank forms under lock and key.
iii. Online computer systems offer menu screens, preformatted screens, use of scanners that
read bar codes and use of feedback mechanisms to approve a transaction.
iv. Self-checking digit – mathematically calculated digit which is usually added to a
document number to detect common transpositional errors in data submitted for
processing.
Data transcription (batching and converting), includes:
i. Carefully structured source documents and input screens.
ii. Control totals – computed based on the data submitted for processing. They are further
categorized into financial/amount control/batch/proof total, hash total and record count.
iii. Key verification requiring data to be entered twice.
iv. Visual verification
Edit tests of transaction data, includes:
i. Validity check – a check which allows only valid transactions or data to be entered into
the system (e.g. M – male; F – female).
ii. Reasonableness and limit check – these tests determine whether amounts entered are too
high, too low or unreasonable (e.g. hours worked should not exceed 40 hours a week and
an increase in salary should be reasonable compared to the salary base).
iii. Field check – a check that makes certain that only numbers, alphabetical characters,
special characters and proper negative and positive signs are accepted into a specific data
field where they are required (e.g. numbers do not appear in fields reserved for words).
iv. Sequence check – a check that requires successive input data to be in some prescribed order
to avoid missing out an input.
v. Field size check – produces an error message when an exact number of characters is
required in a field and that number is not met.
vi. Logic check – ensures that illogical combinations of inputs are not accepted into the
computer.
vii. Range check – ensures that particular fields fall within specified ranges.
Transmission of transaction data, includes:
i. Echo check – transmitting data back to the originating terminal for comparison with the
transmitted data.
ii. Redundancy data check – transmitting additional data to aid in the verification process.
iii. Completeness check – verifying that all required data have been entered and transmitted.
b. Controls over processing and computer data files – designed to provide a reasonable assurance that:
Transactions, including system generated transactions, are properly processed by the computer.
Transactions are not lost, added, duplicated or improperly changed.
Processing errors are identified and corrected on a timely basis.
Processing controls help assure that data are processed accurately and completely and that no unauthorized
transactions are included, that proper files and programs are included and that all transactions can be easily
traced. Processing controls include:
Manual cross checks – include checking the work of another employee, reconciliations and
acknowledgments.
Processing logic checks – many of the programmed edit checks used in the input stage may also
be employed during processing.
Run-to-run totals – batched data should be controlled during processing runs so that no records
are omitted or incorrectly inserted into a transaction file.
File and program changes – to ensure that transactions are posted to the proper account, master
files should be checked for correctness and programs should be validated.
Audit trail linkages – a clear audit trail is needed to enable individual transactions to be traced, to
provide support in general ledger balances, to prepare financial reports and to correct transaction
errors or lost data.
c. Controls over output – designed to provide reasonable assurance that:
Results of processing are accurate.
Access to output is restricted to authorized personnel.
Output is provided to appropriate authorized personnel on a timely basis.
The following controls are frequently used to maintain the integrity of processing:
Control totals – are compared with those computed prior to processing to ensure completeness of
information.
Limiting the quantity of output and total processing time
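The input edit tests and control totals described in this section, applied to one constructed payroll batch; this is an added example, not part of the original notes. The record layout, the function names and the use of the Luhn scheme for the self-checking digit are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

VALID_SEX_CODES = {"M", "F"}   # validity check values used in the notes
MAX_WEEKLY_HOURS = 40          # limit check value used in the notes
EMP_NO_LENGTH = 6              # assumed layout: 5 digits plus 1 check digit


def luhn_valid(number: str) -> bool:
    """Self-checking digit test (Luhn, an assumed scheme) on an all-digit string."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def is_number(text: str) -> bool:
    return text.isascii() and text.isdigit()


def parse_amount(text: str):
    """Return the amount as a Decimal, or None if the field is not a finite number."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def edit_record(rec: dict) -> list:
    """Run the edit tests on one keyed record and return the names of failed checks."""
    failed = []
    emp_no = rec["emp_no"]
    if not is_number(emp_no):
        failed.append("field:emp_no")
    elif len(emp_no) != EMP_NO_LENGTH:
        failed.append("field size:emp_no")
    elif not luhn_valid(emp_no):
        failed.append("check digit:emp_no")
    if rec["sex"] not in VALID_SEX_CODES:
        failed.append("validity:sex")
    if not is_number(rec["hours"]):
        failed.append("field:hours")
    elif int(rec["hours"]) > MAX_WEEKLY_HOURS:
        failed.append("limit:hours")
    if parse_amount(rec["amount"]) is None:
        failed.append("field:amount")
    return failed


def control_totals(records: list) -> dict:
    """Record count, financial total and hash total computed from the keyed data."""
    amounts = [parse_amount(r["amount"]) for r in records]
    return {
        "record_count": len(records),
        "financial_total": sum((a for a in amounts if a is not None), Decimal("0")),
        # The hash total sums a field that has no meaning as a sum (employee numbers).
        "hash_total": sum(int(r["emp_no"]) for r in records if is_number(r["emp_no"])),
    }


def review_batch(header: dict, records: list):
    """Return (edit exceptions by document number, control totals out of balance)."""
    exceptions = {}
    for rec in records:
        failed = edit_record(rec)
        if failed:
            exceptions[rec["doc_no"]] = failed
    computed = control_totals(records)
    out_of_balance = sorted(name for name in header if header[name] != computed[name])
    return exceptions, out_of_balance


# Constructed batch header, prepared from the source documents before keying.
BATCH_HEADER = {"record_count": 4, "financial_total": Decimal("1895.00"),
                "hash_total": 1020159}

# Constructed keyed records: 1002 has two transposed digits in the employee
# number, 1003 has an invalid sex code and a letter O keyed into hours,
# 1004 exceeds the weekly hours limit.
KEYED_RECORDS = [
    {"doc_no": "1001", "emp_no": "102343", "sex": "M", "hours": "40", "amount": "500.00"},
    {"doc_no": "1002", "emp_no": "204650", "sex": "F", "hours": "38", "amount": "475.00"},
    {"doc_no": "1003", "emp_no": "301184", "sex": "X", "hours": "4O", "amount": "600.00"},
    {"doc_no": "1004", "emp_no": "412072", "sex": "M", "hours": "45", "amount": "320.00"},
]

if __name__ == "__main__":
    exceptions, out_of_balance = review_batch(BATCH_HEADER, KEYED_RECORDS)
    for doc_no, failed in exceptions.items():
        print(doc_no, failed)
    print("Control totals out of balance:", out_of_balance)
```

In this batch the record count and financial total agree with the header, so only the hash total shows that an employee number was keyed incorrectly.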
REVIEW OF CIS CONTROLS – general CIS controls that relate to some or all applications are typically
interdependent controls in that their operation is often essential to the effectiveness of CIS application controls.
Also, the general CIS controls may have a pervasive effect on the processing of transactions in application systems.
If these controls are not effective, there may be a risk that misstatements might occur and go undetected in the
application system. Thus, weakness in general CIS controls may preclude testing certain CIS application controls.
Accordingly, it may be more efficient to review the design of the general controls first before reviewing the
applications controls. CIS application controls which the auditor may wish to test include:
a. Manual controls exercised by the user.
b. Controls over system output.
c. Programmed control procedures.
COMPUTER ASSISTED AUDIT TOOLS/TECHNIQUES (CAATs) are computer programs and data the
auditor uses as part of the audit procedures to process data of audit significance contained in an entity’s information
systems. The data may be transaction data on which the auditor wishes to perform tests of controls or substantive
procedures or they may be other types of data.
CAATs may be used in performing various auditing procedures, including the following:
a. Tests of details of transactions and balances.
b. Analytical procedures.
c. Tests of general controls.
d. Sampling programs to extract data for audit testing.
e. Tests of application controls.
f. Reperforming calculations performed by the entity’s accounting systems.
client’s software should detect all the exceptions planted in the auditor’s test data. This technique
would be ineffective if the client does not use the software tested.
Base case system evaluation (BCSE) – develops test data that purports to test every possible
condition that an auditor expects a client’s software will confront. BCSE provides an auditor with
much more assurance than test data alone but it is expensive to develop and therefore cost-
effective only in large computer systems.
Integrated test facility – a variation of test data whereby simulated data and actual data are run
simultaneously with the client’s program and computer results are compared with auditor’s
predetermined results. The technique provides assurance that the software tested is actually used
to prepare financial reports.
Parallel simulation – it involves processing of client’s live (actual) data utilizing an auditor’s
generalized audit software. If an entity’s controls have been operating effectively, the client’s
software should generate the same exceptions as the auditor’s software. This
technique should be performed on a surprise basis if possible.
System control audit review files (SCARFs) – logs that collect transaction information for
subsequent review and analysis by the auditor.
Audit hooks – “exits” in an entity’s computer program that allow an auditor to insert commands
for audit processing.
Transaction tagging – a transaction record is “tagged” and then traced through critical points in
the information system.
Extended records – this technique attaches additional audit data which would not otherwise be
saved to regular historic records and thereby helps to provide a more complete audit trail.
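Parallel simulation, described earlier in this list, reduced to one programmed control: the auditor's own program reprocesses a copy of the client's live orders and the two sets of results are compared. This is an added example, not part of the original notes; the credit limit rule, the data and all names are constructed for illustration.

```python
from decimal import Decimal

# Constructed master file: customer -> (credit limit, opening balance).
CUSTOMERS = {
    "C1": (Decimal("1000"), Decimal("200")),
    "C2": (Decimal("500"), Decimal("450")),
}

# Constructed copy of the client's live order file, in processing order.
ORDERS = [
    ("O1", "C1", Decimal("300")),
    ("O2", "C2", Decimal("100")),
    ("O3", "C1", Decimal("600")),
    ("O4", "C2", Decimal("50")),
    ("O5", "C1", Decimal("500")),
]

# Constructed extract of what the client's software reported for the same run.
CLIENT_RESULTS = {
    "O1": "ACCEPTED",
    "O2": "REJECTED",
    "O3": "ACCEPTED",
    "O5": "ACCEPTED",
    "O9": "ACCEPTED",
}


def simulate(customers: dict, orders: list) -> dict:
    """Auditor's independent reprocessing of the documented control:
    reject an order if it would take the customer over the credit limit."""
    balances = {cust: opening for cust, (_, opening) in customers.items()}
    results = {}
    for order_id, customer, amount in orders:
        if customer not in customers:
            results[order_id] = "REJECTED"      # unknown customer fails validity
            continue
        limit = customers[customer][0]
        if balances[customer] + amount > limit:
            results[order_id] = "REJECTED"
        else:
            balances[customer] += amount        # accepted orders raise the balance
            results[order_id] = "ACCEPTED"
    return results


def compare(auditor: dict, client: dict) -> list:
    """Return (order, auditor status, client status) wherever the two differ.
    None means the order is absent from that side: a lost or an added transaction."""
    differences = []
    for order_id in sorted(set(auditor) | set(client)):
        auditor_status = auditor.get(order_id)
        client_status = client.get(order_id)
        if auditor_status != client_status:
            differences.append((order_id, auditor_status, client_status))
    return differences


if __name__ == "__main__":
    for difference in compare(simulate(CUSTOMERS, ORDERS), CLIENT_RESULTS):
        print(difference)
```

Because the simulation keeps its own running balances, the first difference for a customer is the one to investigate; later differences for the same customer may only be knock-on effects of it.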
OTHER CAATs
Other techniques which an auditor can use in the audit under a CIS environment include:
a. Audit software – computer programs used to process data of audit significance from the client’s
accounting system.
Package programs (also known as generalized audit software) – programs that can be used in
numerous clients. They can be designed to perform different audit tasks such as:
Purpose-written programs (also known as special-purpose or custom-designed programs) –
computer programs designed for specific audit tasks.
Utility programs – part of the systems software that performs routine CIS tasks. They are
generally not designed for audit purposes.
b. Electronic spreadsheets – contain a variety of pre-defined mathematical operations and functions that can
be applied to data entered into the cells of a spreadsheet.
c. Automated work paper software – designed to generate a trial balance, lead schedules and other reports
useful for the audit. The schedules and reports can be created once the auditor has either manually entered
or electronically imported the client’s account balance information into the system.
d. Text retrieval software – allows the user to view any text that is available in an electronic format. The
software program allows the user to browse through text files much as a user would browse through books.
e. Database management systems – manage the creation, maintenance and processing of information. The
data are organized in the form of predefined records and the database software is used to select, update,
sort, display or print the records.
f. Public databases – may be used to obtain accounting information related to particular companies and
industries.
g. Word processing software
USING CAATs IN SMALL BUSINESS COMPUTER ENVIRONMENTS
The general principles outlined are applicable in small business computer environments. However, the following
points should be given special consideration in these environments:
a. The level of general CIS controls may be such that the auditor will place less reliance on the system of
internal control resulting in:
Greater emphasis on tests of details of transactions and balances and analytical review procedures,
which may increase the effectiveness of certain CAATs, particularly audit software.
The application of audit procedures to ensure the proper functioning of the CAATs and validity of
the entity’s data.
b. In cases where smaller volumes of data are processed, manual methods may be more cost-effective.
c. Adequate technical assistance may not be available to the auditor from the entity, thus, making the use of
CAATs impracticable.
d. Certain audit package programs may not operate on small computers, thus, restricting the auditor’s choice
of CAATs. However, the entity’s data files may be copied and processed on another suitable computer.