AT: Auditing in an IT Environment > Asystem to collect, store and process financial and accounting data. > Used to report information to intended users (investors, creditors, etc.) > CIS exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether the computer is operated by the entity or by a third party. Lack of visible transaction trails Consistency of performance vvvY Concentration of duties ‘Systems generated transactions Vulnerability of data and program store media (data Ease of access to data and computer programs loss) Pores ———F President ————— VP Marketing ve Finance | |VP IT Services| vp. Administration IVP Operations| > Concentration of functions: ‘and knowledge — the number of persons involved in the processing of financial information is significantly reduced. > Concentration of programs and data — transaction and master file data are often concentrated, usually in a machine readable form. Systems as Data PeNawger”| [Administrator] | Preceasund New systems| Data Development conversion 3 c Maintenance Gperations Data LibraryEro ene nea People ‘System users from different departments who feed data into the accounting system. Procedures | Methods used to collect, store, retrieve and process data. Documented and followed consistently. and Instructions Data All financial information pertinent to the organization's business practices. Tangible items of as AIS and should be properly maintained, serviced, replaced, and upgraded as need arises. > CPUs > Output > Input > Data Storage Types of Computers Extremely powerful, high-speed computers used for extremely high volume Supercomputers | andior complex processing needs Mainframe Large, powerful, high-speed computers that is less powerful than Computers. supercomputers High-powered microcomputers that “serve” applications and data to oients Servers that are connected via network and acts as a central repository for organizational data Hardware Components Principal hardware component > Arithmetic/Logic Unit — performs mathematical operation and logical ‘comparisons > Primary Memory (Storage) — active data and program steps that are being processed by the CPU are stored > Control Unit - interprets program instructions and coordinates input, output and storage services. ‘Secondary Storage Devices Central Processing Unit (CPU) Magnetic Tape Slowest type of storage available, which is used for archiving purposes today. MagneticDisks | > Most common type of medium which is usually known as "hard disks" or “Hard Disk Drives (HDD)" Redundant Array of | > Stores the same data redundantly on multiple magnetic disks Hardware (IT Infrastructure) Independent Disks (RAID) Compact Disks Use optical technology to read and write data to the disks Solid State Drives | > Use microchips to store data and require no moving parts for read/write (ssp) operations Cloud-based > Hosted offsite, typically by third parties, and is accessed via the internet, Storage Software | Computer programs used to store, retrieve, process and analyze the company's financial data, Diecut e Real Time Transactions are processed immediately, and master file is updated immediately. Errors in this Processing _| kind of processing are detected as soon as the data Is entered, Batch individual transactions are entered at a terminal device, which is later processed together. Processing _| Errors in this kind of processing are detected in a later part. Memo Update _| Mixture of batch and real-time processing where individual transactions update a memo file Which is subsequently updated to the master file by batch.ene Database Collection of data that is shared and used by many different users for different purposes. Database ‘Software that creates, maintains, and Characteristics: Management | operates the database > Data sharing ‘System > Data independence > Non-tedundancy or storing information > Information is easily retrieved Internal Controls Security measures to protect sensitive data. Internal Control in a CIS Environment ¥ Authorization of Transactions ¥_ Proper Segregation of Duties ¥_ Independent Checking General Controls Application Controls > Relates to IPO (Input —» Process —> Output), from Capture of data into reporting > Controls over input > Controls over processing > Controls over output > Relates to the overall computer information system > Organizational Controls > Documentation Controls > Asset Accountability Controls, > Management Practice Controls > Information Center Operations Controls > Authorization and Access Controls, etre ieee Segregation of duties between CIS and User Department + Input (Various) ~» Process (CIS) ~+ Output (Management) > Segregation of duties within the CIS Environment + Systems analysts, programmer, operator, librarian, and control group. Peek) > Policies, procedures and diagrams to ensure that programs are functioning as designed. reeks (ii omiieraccu > SL~ GL reconciliation > HR Policies > Logs and registers > Internal Audit Function > Acknowledgement Procedures > Planning and Monitoring Activities cece > Diagnostic programs, disaster recovery plans, and hardware controls etn Disaster PlanningThos > Security controls to protect equipment, files and programs. > Access to computer should be limited only to operators and authorized employees ec Key verification > Data is entered twice Field Check © Data is agree w/ required format Validity Check Data is compared from information in master file (e.g., employee ID) Self-checking digit > Mathematically calculated digit to detect common transpositional errors Limit Check > Data does not exceed a certain length or amount es > Ensure completeness of data + Financial Total, Hash Total, and Record Count eee koe! > Input data are processed accurately, and data are not lost, added, excluded, duplicated or altered. > Usually incorporated in the computer prograrn. Erte Results of processing are accurate » Access to output is restricted only to authorized personnel > Output is provided on a timely basis ortho nes ‘Auditing around the computer (nae en Examination of input and output documentation (less complex) Computer Assisted Audit Techniques (CAATS) Used to audit the client's computer program directly (more complex) (White Box Approach) eas Peo J eer) Cen orric iyIntegrated Test Facility (ITF) eric =a Etro oo EE eed re Genortees ernest) J eee ter} toric) J a— rors on Be ory Cea