CHAPTER 10: AUDITING IN A CIS ENVIRONMENT

1. A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether the computer is operated by the entity or by a third party.
2. The overall objective and scope of an audit does not change in a CIS environment. However, a CIS environment may affect:
   - The procedures followed in obtaining a sufficient understanding of the accounting and internal control systems.
   - The consideration of inherent risk and control risk.
   - The design and performance of tests of controls and substantive procedures.
3. The auditor should have sufficient knowledge of the CIS to plan, direct, and review the work performed.
4. If specialized skills are needed, the auditor would seek the assistance of a professional possessing such skills, who may be either on the auditor's staff or an outside professional.
5. In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use in the audit.
6. When the CIS are significant, the auditor should also obtain an understanding of the CIS environment and whether it may influence the assessment of inherent and control risks.
7. The auditor should consider the CIS environment in designing audit procedures to reduce audit risk to an acceptably low level. The auditor can use either manual audit procedures, computer-assisted audit techniques, or a combination of both to obtain sufficient

CHARACTERISTICS AND CONSIDERATIONS OF A CIS ENVIRONMENT

Organizational structure
- Concentration of functions and knowledge - although most systems employing CIS methods will include certain manual operations, generally the number of persons involved in the processing of financial information is significantly reduced.
- Concentration of programs and data - transaction and master file data are often concentrated, usually in machine-readable form, either in one computer installation located centrally or in several installations distributed throughout an entity.

Nature of processing
- The use of computers may result in the design of systems that provide less visible evidence than those using manual procedures. In addition, these systems may be accessible by a larger number of persons.
- Absence of input documents - data may be entered directly into the computer system without supporting documents. In some on-line transaction systems, written evidence of individual data entry authorization (e.g., approval for order entry) may be replaced by other procedures, such as authorization controls contained in computer programs (e.g., credit limit approval).
- Lack of visible transaction trail - the transaction trail may be partly in machine-readable form and may exist only for a limited period (e.g., audit logs may be set to overwrite themselves after a period or when the allocated disk space is consumed).
- Lack of visible output - certain transactions or results of processing may not be printed, or only summary data may be printed.
- Ease of access to data and computer programs - data and computer programs may be accessed and altered at the computer or through the use of computer equipment at remote locations. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of, data and programs by persons inside or outside the entity.

Design and procedural aspects
- The development of CIS will generally result in design and procedural characteristics that are different from those found in manual systems.
- Consistency of performance - CIS perform functions exactly as programmed and are potentially more reliable than manual systems, provided that all transaction types and conditions that could occur are anticipated and incorporated into the system. On the other hand, a computer program that is not correctly programmed and tested may consistently process transactions or other data erroneously.
- Programmed control procedures - the nature of computer processing allows the design of internal control procedures in computer programs.
- Single transaction update of multiple or database computer files - a single input in the accounting system may automatically update all records associated with the transaction.
- Systems generated transactions - certain transactions may be initiated by the CIS itself without the need for an input document.
- Vulnerability of data and program storage media - large volumes of data and the computer programs used to process such data may be stored on portable or fixed storage media, such as magnetic disks and tapes. These media are vulnerable to theft, loss, or intentional or accidental destruction.

GENERAL CIS CONTROLS - to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved.

- Organization and management controls - designed to define the strategic direction and establish an organizational framework over CIS activities, including:
  - Strategic information technology plan
  - CIS policies and procedures
  - Segregation of incompatible functions
  - Monitoring of CIS activities performed by third party consultants
- Development and maintenance controls - designed to provide assurance that systems are developed or acquired, implemented, and maintained in an authorized and efficient manner. They typically are designed to establish control over:
  - Project initiation, requirements definition, systems design, testing, data conversion, go-live decision, migration to the production environment, documentation of new or revised systems, and user training
  - Acquisition and implementation of off-the-shelf packages
  - Requests for changes to the existing systems
  - Acquisition, implementation, and maintenance of system software
- Delivery and support controls - designed to control the delivery of CIS services and include:
  - Establishment of service level agreements against which CIS services are measured
  - Performance and capacity management controls
  - Disaster recovery/contingency planning, training, and file backup
  - Computer operations controls
  - Systems security
  - Physical and environmental controls
- Monitoring controls - designed to ensure that CIS controls are working effectively as planned. These include:
  - Monitoring of key CIS performance indicators
  - Internal/external CIS audits

CIS APPLICATION CONTROLS - to establish specific control procedures over the application systems to provide reasonable assurance that all transactions are authorized, recorded, and are processed completely, accurately and on a timely basis. CIS application controls include:

- Controls over input - designed to provide reasonable assurance that:
  - Transactions are properly authorized before being processed by the computer.
  - Transactions are accurately converted into machine-readable form and recorded in the computer data files.
  - Transactions are not lost, added, duplicated, or improperly changed.
  - Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
- Controls over processing and computer data files - designed to provide reasonable assurance that:
  - Transactions, including system generated transactions, are properly processed by the computer.
  - Transactions are not lost, added, duplicated, or improperly changed.
  - Processing errors (i.e., rejected transactions) are identified and corrected on a timely basis.
- Controls over output - designed to provide reasonable assurance that:
  - Results of processing are accurate.
  - Access to output is restricted to authorized personnel.
  - Output is provided to authorized personnel on a timely basis.

General CIS controls that relate to some or all applications are typically interdependent controls in that their operation is often essential to the effectiveness of CIS application controls. Accordingly, it may be more efficient to review the design of the general controls before reviewing the application controls.

Review of CIS application controls - CIS application controls which the auditor may wish to test include:
a. Manual controls exercised by the user.
b. Controls over system output.
c. Programmed control procedures.

CIS ENVIRONMENTS - STAND-ALONE PERSONAL COMPUTERS
1. A personal computer (PC) can be used in various configurations. These include:
   - A stand-alone workstation operated by a single user or by several users at different times.
   - A workstation which is part of a local area network (LAN) of PCs.
   - A workstation connected to a server.
2. In a stand-alone PC environment, it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected error to a minimum level.
3. After obtaining an understanding of the accounting system and control environment, the auditor may find it more cost-effective not to make a review of general controls or application controls but to concentrate audit efforts on substantive procedures.

CIS ENVIRONMENTS - ON-LINE COMPUTER SYSTEMS
1. On-line computer systems are computer systems that enable users to access data and programs directly through terminal devices. Such systems allow users to directly initiate various functions such as:
   - Entering transactions
   - Making inquiries
   - Requesting reports
   - Updating master files
   - Electronic commerce activities
2. Types of terminals used in on-line systems:
   - General purpose terminals: basic keyboard and screen; intelligent terminal; PCs.
   - Special purpose terminals: point-of-sale devices; automated teller machines (ATM).
3. Types of on-line computer systems:
   a. On-line/real time processing - individual transactions are entered at terminal devices, validated, and used to update related computer files immediately.
   b. On-line/batch processing - individual transactions are entered at a terminal device, subjected to certain validation checks, and added to a transaction file that contains other transactions entered during the period. Later, during a subsequent processing cycle, the transaction file may be validated further and then used to update the relevant master file.
   c. On-line/memo update (and subsequent processing) - combines on-line/real time and on-line/batch processing. Individual transactions immediately update a memo file containing information that has been extracted from the most recent version of the master file. Inquiries are made of this memo file. These same transactions are added to a transaction file for subsequent validation and update of the master file on a batch basis.
   d. On-line inquiry - restricts users at terminal devices to making inquiries of master files. Master files are updated by other systems, usually on a batch basis.
   e. On-line downloading/uploading processing - on-line downloading refers to the transfer of data from a master file to an intelligent terminal device for further processing by the user.

CIS ENVIRONMENTS - NETWORK ENVIRONMENT
1. A network environment is a communication system that enables computer users to share computer equipment, application software, and voice and video transmissions.
2. A file server is a computer with an operating system that allows multiple users in a network to access software applications and data files.
3. Basic types of networks:
   a. Local area network (LAN)
   b. Wide area network (WAN)
   c. Metropolitan area network (MAN)

CIS ENVIRONMENTS - DATABASE SYSTEMS
1. Database - a collection of data that is shared and used by many different users for different purposes.
2. Two components of database systems:
   a. Database
   b. Database management system (DBMS) - software that creates, maintains, and operates the database.
3. Characteristics of database systems:
   a. Data sharing
   b. Data independence

TERMS USED IN CIS ENVIRONMENTS

Computer hardware
1. COMPUTER HARDWARE - consists of the configuration of electronic equipment that makes up the computer.
2. CONSOLE - a CRT (cathode ray tube) used for communication between the operator and the computer.
3. PERIPHERAL EQUIPMENT - all non-CPU hardware that may be placed under the control of the central processor. This consists of input, storage, output and communication devices.
4. CONTROLLERS - units designed to operate (control) specific input/output devices.
5. CHANNELS - units designed to handle the transfer of data into or out of main storage (memory).
6. BUFFER - a temporary storage unit used to hold data during input/output operations.
7. OFF-LINE - peripheral equipment not in direct communication with the CPU.
8. ON-LINE - peripheral equipment in direct communication with, and under the control of, the CPU.
9. INPUT DEVICES - provide a means of transferring data into CPU storage. Examples of input devices:
   - Magnetic tape reader - capable of sensing information recorded as magnetized spots on magnetic tape. It is also used as an output device and storage medium.
   - Magnetic ink character reader (MICR) - reads characters by scanning temporarily magnetized characters printed in magnetic ink.
   - Optical character recognition (OCR) - reads characters directly from documents based on their shapes and positions on the source document.
   - Cathode ray tube (CRT) - a typewriter-like device that decodes keystrokes into electronic impulses.
   - Key-to-tape and key-to-disk - systems in which input data can be entered directly onto magnetic tape, magnetic disk, or floppy disk through a CRT.
10. STORAGE DEVICES - devices which store data that can be subsequently used by the CPU.
   a. Random access - data can be accessed directly regardless of how it is physically stored (e.g., magnetic disk).
   b. Sequential access - data must be processed in the order in which it is physically stored (e.g., magnetic tape).
11. OUTPUT DEVICES - produce readable data, or machine-readable data when further processing is required. Examples are CRT, printer, and COM (computer output to microfilm).
12. CRT devices or microcomputers used for communication with the CPU.
13. POINT-OF-SALE DEVICES - a terminal which takes the place of a cash register or similar device and can keep perpetual inventory.
14. MODEM - a device for interfacing communications networks.

Computer software
Software consists of computer programs which instruct the computer to perform the desired processing. Types of programs:
1. OPERATING SYSTEM - controls the functioning of the computer and its peripheral equipment. Several different operating systems may allow a configuration of hardware to function in the following modes:
   a. MULTIPROGRAMMING - processes a program until an input or output operation is required. Since input or output can be handled by peripheral devices, such as channels and controllers, the CPU can begin executing another program's instructions. Several programs appear to be processed concurrently.
   b. MULTIPROCESSING - two or more processors sharing peripheral devices.
   c. VIRTUAL STORAGE - the operating system separates user programs into segments or pages automatically. It appears there is unlimited memory available for programs even though each program is still confined to a physical segment of memory.
2. UTILITY PROGRAM - performs a commonly required process, such as sorting and merging.
3. APPLICATION PROGRAM - performs a specific data processing task (e.g., payroll preparation).
4. SOURCE PROGRAM - written by a programmer in a source language (e.g., COBOL) that will be converted into an object program.
5. OBJECT PROGRAM - a converted source program, produced using a compiler, that creates a set of machine-readable instructions.
6. COMPILER - a program that converts a source program to a machine-language program.
7. DATABASE MANAGEMENT SYSTEM (DBMS) - a software package for the purpose of creating, accessing, and maintaining a database.
8. COMMUNICATIONS MONITOR PROGRAM - monitors on-line communications and file maintenance and supplies the results as input to application programs.
9. ELECTRONIC DATA INTERCHANGE (EDI) - the exchange of business data from one entity's computer to another entity's computer through a communications network. In electronic fund transfer (EFT) systems, bank transactions replace checks as a means of payment. EDI controls include:
   a. Authentication - controls must exist over the origin, proper submission, and proper delivery of EDI communications to ensure that the EDI messages are accurately sent and received to and from authorized customers and suppliers.
   b. Encryption - involves conversion of plain text data to cipher text data to make EDI messages unreadable to unauthorized persons.
   c. VAN controls - a value added network (VAN) is a computer service organization that provides network, storage, and forwarding (mailbox) services for EDI messages.

AUDIT APPROACHES
1. Auditing around the computer - the auditor ignores or bypasses the computer processing function of an entity's EDP system.
2. Auditing with the computer - the computer is used as an audit tool.
3. Auditing through the computer - the auditor enters the client's system and directly examines the computer and its system and application software.

COMPUTER-ASSISTED AUDIT TECHNIQUES FOR TESTS OF CONTROLS
1. Program analysis techniques - techniques that allow the auditor to gain an understanding of the client's program.
   a. Code review - actual analysis of the logic of the program's processing routines.
   b. Comparison programs - programs that allow the auditor to compare computerized files.
   c. Flowcharting software - used to produce a flowchart of a program's logic and may be used both in mainframe and microcomputer environments.
   d. Program tracing and mapping - program tracing is a technique in which each instruction executed is listed along with control information affecting that instruction. Program mapping identifies sections of code which may be a potential source of abuse.
   e. Snapshot - this technique "takes a picture" of the status of program execution, intermediate results, or transaction data at specified processing points in the program processing.
2. Program testing techniques - involve the use of auditor-controlled actual or simulated data.
   a. Historical audit techniques - test the computer at a point in time.
      - Test data - a set of dummy transactions specifically designed to test the control activities that management claims to have incorporated into the processing programs. It shifts control over processing to the auditor by using the client's software to process auditor-prepared test data that includes both valid and invalid conditions. If embedded controls are functioning properly, the client's software should detect all the exceptions planted in the auditor's test data. The technique is ineffective if the client does not use the software tested.
        (Figure: Test Data Techniques - diagram not reproduced)
      - Base case system evaluation (BCSE) - uses test data that purports to test every possible condition that an auditor expects a client's software will confront. It provides an auditor with much more assurance than test data alone but is expensive to develop and therefore cost-effective only in large, complex computer systems.
      - Integrated test facility (ITF) - a variation of test data whereby simulated data and actual data are run simultaneously with the client's program and the computer results are compared with the auditor's predetermined results. It provides assurance that the software tested is the software used to prepare financial reports.
        (Figure: Integrated Test Facility (ITF) Techniques - diagram not reproduced)
      - Parallel simulation - involves processing the client's live (actual) data using generalized audit software. If an entity's control has been operating effectively, the auditor's software should generate the same exceptions as the client's software. It should be performed on a surprise basis, if possible.
        (Figure: Parallel Simulation Techniques - diagram not reproduced)
      - Controlled reprocessing - a variation of parallel simulation; it involves processing actual client data through a copy of the client's application program.
   b. Continuous audit techniques - test the computer throughout a period.
      - Audit modules - programmed audit routines incorporated into an application program that are designed to perform an audit function such as a calculation or logging activity.
      - Systems control audit review files (SCARFs) - logs that collect transaction information for subsequent review and analysis by the auditor.
      - Audit hooks - "exits" in an entity's computer program that allow an auditor to insert commands for audit processing.
      - Transaction tagging - a transaction record is tagged and then traced through critical control points in the information system.
      - Extended records - this technique attaches additional audit data, which would not otherwise be saved, to regular historic records and thereby helps to provide a more complete audit trail.
3. Logs of the operating system and other system software
   - Job accounting data - these logs track functions and include reports of the resources used by the computer system. The auditor may be able to use them to review the work processed, to determine whether unauthorized applications were processed, and to determine that authorized applications were processed properly.
   - Library management software - logs changes in programs, program modules, job control language, and other processing activities.
   - Access control and security software - restricts access to computers to authorized personnel, through techniques such as allowing certain users "read-only" access or through the use of encryption.
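The test data, parallel simulation and embedded audit module (SCARF) techniques above can be seen working together on one small model. The following Python script is an added example written for this chapter, not code from the reviewer or from any audit tool. It assumes a hypothetical client order-processing program with two programmed controls (the credit-limit approval the chapter uses as its example, and rejection of duplicate order numbers), a constructed customer master file, constructed auditor test data with predicted results, and a constructed batch of "live" transactions. The auditor's independent re-implementation is deliberately written separately from the client's program, which is what makes parallel simulation meaningful; a `check_duplicates=False` switch models a client program whose duplicate control is missing, so both techniques can be seen catching the defect.

```python
from dataclasses import dataclass, field

# Constructed customer master file (hypothetical; not data from the chapter).
CREDIT_LIMITS = {"C001": 5_000, "C002": 1_000}


@dataclass
class ClientSystem:
    """Stand-in for the client's order-processing program (hypothetical).

    Programmed controls: credit-limit approval and rejection of duplicate
    order numbers. An embedded audit module writes orders meeting the
    auditor's criteria to a SCARF log. check_duplicates=False models a
    defective version of the program whose duplicate control is missing.
    """
    check_duplicates: bool = True
    scarf_threshold: int = 2_000
    scarf: list = field(default_factory=list)
    seen: set = field(default_factory=set)

    def process(self, txns):
        """Apply the programmed controls; return (posted, exceptions)."""
        posted, exceptions = [], []
        for t in txns:
            if self.check_duplicates and t["order"] in self.seen:
                exceptions.append((t["order"], "duplicate"))
                continue
            if t["amount"] > CREDIT_LIMITS[t["customer"]]:
                exceptions.append((t["order"], "over credit limit"))
                continue
            self.seen.add(t["order"])
            posted.append(t)
            # Embedded audit module (SCARF): record large or auditor-tagged
            # orders for later review without changing normal processing.
            if t["amount"] >= self.scarf_threshold or t.get("tag") == "AUDIT":
                self.scarf.append(t["order"])
        return posted, exceptions


# Auditor-prepared test data (constructed) with valid and invalid conditions,
# and the exceptions the auditor predicts before the run.
TEST_DATA = [
    {"order": "T1", "customer": "C001", "amount": 4_000},  # valid
    {"order": "T2", "customer": "C002", "amount": 1_500},  # exceeds C002's limit
    {"order": "T1", "customer": "C001", "amount": 100},    # duplicate order number
]
PREDICTED_EXCEPTIONS = {("T2", "over credit limit"), ("T1", "duplicate")}


def run_test_data(check_duplicates=True):
    """Test-data technique: True only if every planted exception was detected."""
    _, exceptions = ClientSystem(check_duplicates).process(TEST_DATA)
    return set(exceptions) == PREDICTED_EXCEPTIONS


# Constructed "live" client transactions used for parallel simulation.
LIVE_DATA = [
    {"order": "A100", "customer": "C001", "amount": 2_500},   # large: SCARF entry
    {"order": "A101", "customer": "C002", "amount": 900},
    {"order": "A102", "customer": "C002", "amount": 1_200},   # over limit
    {"order": "A101", "customer": "C002", "amount": 900},     # duplicate
    {"order": "A103", "customer": "C001", "amount": 300, "tag": "AUDIT"},
]


def auditor_simulation(txns):
    """Auditor's independently written re-implementation of the same controls."""
    seen, exceptions = set(), set()
    for t in txns:
        if t["order"] in seen:
            exceptions.add((t["order"], "duplicate"))
        elif t["amount"] > CREDIT_LIMITS[t["customer"]]:
            exceptions.add((t["order"], "over credit limit"))
        else:
            seen.add(t["order"])
    return exceptions


def parallel_simulation(txns, check_duplicates=True):
    """Reconcile client and auditor exceptions; an empty set means agreement."""
    _, client_exceptions = ClientSystem(check_duplicates).process(txns)
    return set(client_exceptions) ^ auditor_simulation(txns)


def scarf_log(txns):
    """Return the entries the embedded audit module collected during processing."""
    system = ClientSystem()
    system.process(txns)
    return system.scarf


if __name__ == "__main__":
    print("test data, controls intact:", run_test_data())
    print("test data, duplicate control missing:", run_test_data(False))
    print("parallel simulation differences:", parallel_simulation(LIVE_DATA))
    print("parallel simulation, defective program:", parallel_simulation(LIVE_DATA, False))
    print("SCARF log:", scarf_log(LIVE_DATA))
```

With the controls intact the test data run returns True and the parallel simulation reconciles to an empty set; with the duplicate control removed the test data run returns False and the reconciliation reports the one exception the client program failed to raise, which is the discrepancy the chapter says the auditor's software should surface.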
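Returning to the EDI controls listed earlier in the chapter, the authentication control (origin, proper submission, proper delivery) is the one most easily shown in code. The script below is an added example, not part of the reviewer and not any EDI product's implementation. It assumes a hypothetical trading partner identified as SUPPLIER-01 with a constructed shared secret, uses an HMAC-SHA256 tag over a canonical JSON body to establish origin and detect alteration, and uses a per-sender sequence number to detect replayed or missing messages. The encryption control from the same list is not shown here; the standard library offers no cipher and the point of this example is authentication.

```python
import hashlib
import hmac
import json

# Constructed per-trading-partner shared secret (hypothetical). In practice
# such a key is issued out of band, never embedded in code.
PARTNER_KEYS = {"SUPPLIER-01": b"constructed-demo-key-supplier-01"}


def sign_message(sender, seq, payload, key):
    """Sender side: serialise the message canonically and attach an HMAC tag."""
    body = json.dumps({"sender": sender, "seq": seq, "payload": payload},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class EdiReceiver:
    """Receiver side: checks origin and integrity (HMAC tag) and proper
    delivery (strictly consecutive sequence numbers per sender)."""

    def __init__(self, keys):
        self.keys = keys
        self.next_seq = {}     # expected sequence number per sender
        self.accepted = []     # (sender, seq) pairs accepted
        self.rejected = []     # (seq, reason) pairs rejected

    def receive(self, msg):
        header = json.loads(msg["body"])
        sender, seq = header["sender"], header["seq"]
        key = self.keys.get(sender)
        if key is None:
            self.rejected.append((seq, "unknown origin"))
            return False
        expected_tag = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(expected_tag, msg["tag"]):
            self.rejected.append((seq, "authentication failed"))
            return False
        if seq != self.next_seq.get(sender, 1):
            self.rejected.append((seq, "out of sequence"))
            return False
        self.next_seq[sender] = seq + 1
        self.accepted.append((sender, seq))
        return True


def run_exchange():
    """Constructed exchange: two genuine messages, a tampered copy, a replay,
    and a message from a partner that has no registered key."""
    key = PARTNER_KEYS["SUPPLIER-01"]
    msg1 = sign_message("SUPPLIER-01", 1, {"po": "PO-7", "amount": 1000}, key)
    msg2 = sign_message("SUPPLIER-01", 2, {"po": "PO-8", "amount": 2500}, key)
    # Altered in transit: amount changed, original tag kept.
    tampered = {"body": msg2["body"].replace("2500", "9500"), "tag": msg2["tag"]}
    # Sender not on the partner list, signed with some other key.
    unregistered = sign_message("UNREGISTERED-99", 1, {"po": "PO-1"}, b"other-key")
    receiver = EdiReceiver(PARTNER_KEYS)
    for m in (msg1, tampered, msg1, unregistered, msg2):  # third item replays msg1
        receiver.receive(m)
    return receiver.accepted, receiver.rejected


if __name__ == "__main__":
    accepted, rejected = run_exchange()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Only the two genuine messages are accepted, in order; the altered copy fails the tag check, the replay fails the sequence check, and the unregistered sender is refused before any tag is computed. A real receiver would also log each rejection for the auditor, which is the kind of record the SCARF and job-accounting logs discussed above provide.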
AUDIT SOFTWARE - computer programs used to process data of audit significance from the client's accounting system. Types of audit software:
- Package programs (generalized audit software) - perform functions such as:
  - Reading computer files
  - Selecting samples
  - Performing calculations
  - Creating data files
  - Printing reports in an auditor-specified format
- Purpose-written programs (special purpose programs).
- Utility programs - generally not designed for audit purposes.
- Electronic spreadsheets - contain a variety of mathematical operations and functions that can be entered into the cells of a spreadsheet.
- Automated work paper software - designed to generate lead schedules and other reports useful for the audit. The schedules and reports can be created once the auditor has manually entered or electronically imported the client's account balance information into the system.
- Text retrieval software - allows the user to view any text that is available in an electronic format. The software allows the user to browse through text files much as a user would browse through books.
- Database management systems
- Public databases
- Word processing software

Factors to consider in using CAATs:
- Degree of technical competence in CIS
- Availability of CAATs and appropriate computer facilities
- Impracticability of manual tests
- Effectiveness and efficiency
- Timing of tests

Controlling the CAAT application
Procedures to control the use of audit software may include:
- Participating in the design and testing of the computer programs.
- Checking the coding of the program.
- Requesting the client's CIS personnel to review the operating system instructions.
- Running the audit software on small test files before running it on the main data files.
- Ensuring that the correct files were used.
- Obtaining evidence that the audit software functioned as planned.
- Establishing appropriate security measures to safeguard against manipulation of the entity's data files.

Procedures to control the use of test data may include:
- Controlling the sequence of submission of test data where it spans several processing cycles.
- Performing test runs.
- Predicting the results of test data.
- Confirming that the current version of the program was used.
- Obtaining reasonable assurance that the programs used to process the test data were used by the entity throughout the applicable audit period.
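The generalized audit software functions listed above (reading computer files, selecting samples, performing calculations, printing reports) and the procedures for controlling the CAAT (running on a small test file first, ensuring the correct files were used, evidencing that the software functioned as planned, confirming the program version) can be combined in one small routine. The Python script below is an added example written for this chapter, not code from the reviewer or from any generalized audit software package. It assumes a hypothetical invoice file in CSV form with `invoice`, `qty`, `price` and `amount` columns; the test file, its planted error, the live file and the version label are all constructed for the example. The run manifest records the SHA-256 of the exact input bytes and the program version, so the working papers can show which file and which program produced the exceptions.

```python
import csv
import hashlib
import io
import random

PROGRAM_VERSION = "gas-demo-1.0"   # constructed version label for the run manifest


def fingerprint(text):
    """SHA-256 of the exact bytes processed: evidence of which file was used."""
    return hashlib.sha256(text.encode()).hexdigest()


def read_records(csv_text):
    """Reading computer files: parse invoice lines from CSV text."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def recompute_exceptions(records):
    """Performing calculations: recompute qty * price and flag recorded
    amounts that differ, as (invoice, recorded, recomputed) tuples."""
    exceptions = []
    for r in records:
        expected = int(r["qty"]) * int(r["price"])
        if expected != int(r["amount"]):
            exceptions.append((r["invoice"], int(r["amount"]), expected))
    return exceptions


def select_sample(records, size, seed):
    """Selecting samples: seeded random selection so the run is reproducible."""
    rng = random.Random(seed)
    return sorted(r["invoice"] for r in rng.sample(records, size))


def run_gas(csv_text, sample_size, seed):
    """One audit-software run; the returned dict is the report plus manifest."""
    records = read_records(csv_text)
    return {
        "program_version": PROGRAM_VERSION,
        "input_sha256": fingerprint(csv_text),
        "record_count": len(records),
        "sample": select_sample(records, sample_size, seed),
        "exceptions": recompute_exceptions(records),
    }


# Small constructed test file with one planted error (invoice 3: 2 * 50 != 120).
TEST_FILE = """invoice,qty,price,amount
1,1,100,100
2,3,20,60
3,2,50,120
"""
PLANTED = [("3", 120, 100)]

# Constructed "live" file; invoice 1004 carries a recomputation difference.
LIVE_FILE = """invoice,qty,price,amount
1001,5,10,50
1002,2,75,150
1003,1,999,999
1004,4,25,110
1005,10,3,30
1006,7,7,49
"""


def run_with_controls(live_text, sample_size=3, seed=2024):
    """Run on the small test file first; proceed to the live file only when
    the planted error is found, i.e. the software functioned as planned."""
    trial = run_gas(TEST_FILE, sample_size=1, seed=seed)
    if trial["exceptions"] != PLANTED:
        raise RuntimeError("audit software did not behave as planned on the test file")
    return run_gas(live_text, sample_size, seed)


if __name__ == "__main__":
    report = run_with_controls(LIVE_FILE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The trial run on the test file is the chapter's "small test files before the main data files" control made executable: if the planted error is not reported, the live run never starts. Comparing `input_sha256` in the manifest with a hash taken of the client's file at the time it was obtained is how the auditor evidences that the correct file was used.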