LAGUNA UNIVERSITY
Vision
Mission
Course Code: AIS 5- Information Systems Operations and Management
Course Requirements:
*Components of Class Standing are reflected in the OBTLP
▪ Class Standing - 60%
▪ Major Exams - 40%
MODULE 1
INTER-BANK CONFIRMATION PROCEDURES
PAPS 1000
Introduction
Learning Outcomes
At the end of this lesson, the student should be able to:
1. Explain the important part of banking business.
2. Demonstrate the Preparation and Dispatch of Requests and Receipt of Replies.
3. Create a bank confirmation letter.
controls, and materiality within the context of the financial statements. Tests of particular
activities of the bank may be structured in different ways and confirmation requests may,
therefore, be limited solely to inquiries about those activities. Requests for confirmation of
individual transactions may either form part of the test of a bank’s system of internal control
or be a means of verifying balances appearing in a bank’s financial statements at a particular
date. Therefore, confirmation requests should be designed to meet the particular purpose
for which they are required (ASPC, 2020).
The auditor should determine which of the following approaches is the most appropriate
in seeking confirmation of balances or other information from another bank:
• Listing balances and other information, and requesting confirmation of their accuracy and
completeness.
• Requesting details of balances and other information, which can then be compared with the
requesting bank’s records.
In determining which of the above approaches is the most appropriate, the auditor
should weigh the quality of audit evidence he requires in the particular circumstances against
the practicality of obtaining a reply from the confirming bank.
Difficulty may be encountered in obtaining a satisfactory response even where the
requesting bank submits information for confirmation to the confirming bank. It is important
that a response be sought for all confirmation requests. It is not usual practice to request a
response only if the information submitted is incorrect or incomplete.
situations, the appropriate location may be the local branch of the confirming bank (ASPC,
2020).
Whenever possible, the confirmation request should be prepared in the language of
the confirming bank or in the language normally used for business purposes. Control over
the content and dispatch of confirmation requests is the responsibility of the auditor.
However, it will be necessary for the request to be authorized by the requesting bank.
Replies should be returned directly to the auditor and to facilitate such a reply, a pre-
addressed envelope should be enclosed with the request (ASPC, 2020).
guarantees, comfort letters and letters of undertaking, bills, own acceptances, and
endorsements. Confirmation may be sought both of the contingent liabilities of the
requesting bank to the confirming bank and of the confirming bank to the requesting bank.
The details supplied or requested should describe the nature of the contingent liabilities
together with their currency and amount. Confirmation of asset repurchase and resale
agreements and options outstanding at the relevant date should also be sought. Such
confirmation should describe the asset covered by the agreement, the date the transaction
was contracted, its maturity date, and the terms on which it was completed (ASPC, 2020).
Another category of information, for which independent confirmation is often
requested at a date other than the transaction date, concerns forward currency, bullion,
securities and other outstanding contracts. It is well established practice for banks to confirm
transactions with other banks as they are made. However, it is the practice for audit
purposes to confirm independently a sample of transactions selected from a period of time
or to confirm all the unmatured transactions with a counterparty. The request should give
details of each contract including its number, the deal date, the maturity or value date, the
price at which the deal was transacted and the currency and amount of the contract bought
and sold, to and from, the requesting bank. Banks often hold securities and other items in
safe custody on behalf of customers. A request letter may thus ask for confirmation of such
items held by the confirming bank, at a specific date. The confirmation should include a
description of the items and the nature of any encumbrances or other rights over them
(ASPC, 2020).
Assessment Task
Activity I.
Essay.
Summary
Reference
Introduction
Companies in the Philippines are required to file financial statements with regulatory
agencies such as the Securities and Exchange Commission (SEC), the Bureau of Internal
Revenue (BIR) and the Bangko Sentral ng Pilipinas (BSP), among others. As a matter of
practice, the Board of Contractors (BOC) also requires the submission of audited financial
statements by contractors before they are allowed to bid in construction projects. The financial
statements are required to be audited by independent auditors and auditors’ reports are
required to accompany the financial statements. Specific deadlines are set by the regulatory
agencies for the submission of the financial statements and penalties are imposed on late
submission (Philippine Standard on Auditing and Philippine Auditing Practice Statements,
2005).
Except for the BIR and the BOC, government agencies do not accept, as part of a
company’s annual filing or as one of the requirements for bidding purposes by contractors,
tentative financial statements. The BIR, on the other hand, accepts filing of tentative annual
income tax returns (ITR) based on preliminary figures of income and expenses of a
company for the taxable year. This is allowed to accommodate filing of tentative annual
ITR, accompanied by a set of incomplete or unaudited financial statements and an
external auditor’s report, by a company whose audit is not yet completed at the time of
filing. In this case, the company is able to avoid the penalties imposed for late filing of
ITRs and appears to have complied with the requirement regarding audited financial
statements which, in the case of the BIR, is further discussed in paragraph 5. Since the
external auditor has not yet completed his audit, the covering auditor’s report contains a
disclaimer of opinion on those financial statements. Upon completion of the audit, an
amended ITR, accompanied by the audited final financial statements and auditor’s report,
is subsequently submitted (Philippine Standard on Auditing and Philippine Auditing
Practice Statements, 2005).
Learning Outcomes
At the end of this lesson, the student should be able to:
1. Understand the progress of information and communication technologies (ICT) and
their role in the modern world.
2. Identify the basic hardware and software components of a computer and/or similar
electronic devices, and explore their functioning.
3. Learn and implement the rules of ergonomics related to the use of computers
and/or similar electronic devices.
a stand-alone workstation operated by a single user or a number of users at different times, accessing
the same or different programs.
- The programs and data are stored in the personal computer or in close proximity, and
data are generally entered manually through the keyboard.
3. a workstation connected to a server and used, for example, as an on-line
workstation or as part of a distributed accounting system.
- A personal computer can act as an intelligent terminal because of its logic, transmission,
storage and basic computing capabilities.
✓ Although personal computers provide the user with substantial computing capabilities,
they are small enough to be transportable, are relatively inexpensive and can be placed in
operation quickly.
✓ Software for a wide range of personal computer applications (e.g., general ledger
accounting, receivables accounting and production / inventory control) can be
purchased from third-party vendors.
✓ The operating software, applications programs and data can be stored on and retrieved
from removable storage media, including diskettes, compact disks, tapes and removable
hard disks.
✓ A virus is a computer program (a block of executable code) that attaches itself to
a legitimate program or data file and uses it as a transport mechanism to reproduce itself
without the knowledge of the user.
✓ Users with basic computer skills can learn to operate a personal computer easily since
many operating system software and applications are “user-friendly” and contain
step-by-step instructions.
✓ Users can also develop other applications with the use of generic software
packages, such as spreadsheets or databases, purchased from third-party
vendors. Such software packages are typically used without modification of the
programs.
✓ Software programs and data can also be stored on hard disks that are not removable.
Both removable and non-removable storage media may potentially be erased or damaged
by computer viruses that could attack the CIS.
✓ Generally, the CIS environment in which personal computers are used is less
structured than a centrally-controlled CIS environment.
✓ In almost all commercially available operating systems, the built-in security provided
has gradually increased over the years.
✓ In a typical personal computer-environment, the distinction between general CIS
controls and CIS application controls may not be easily ascertained.
- In such cases, the controls over the system development process and operations, which
are essential to the effective control of a large computer environment, may not be viewed
by the developer, the user or management as being as important or cost-effective in a
personal computer environment. Since personal computers are oriented to individual
end-users, the degree of accuracy and dependability of financial information produced
will depend upon the internal controls prescribed by management and adopted by the user.
• Instruction on personal computer use;
• Training requirements;
➢ Using an alarm system that is activated any time the personal computer is
disconnected or moved from its location.
✓ Programs and data used on a personal computer can be stored on removable storage
media or non-removable storage media. When a personal computer is used by many
individuals, users may develop a casual attitude toward the storage of the application
diskettes, compact disks or back-up tapes for which they are responsible.
✓ Control over removable storage media can be established by placing responsibility for
such media under personnel whose responsibilities include duties of software
custodians or librarians. Physical control over non-removable storage media is
probably best established with locking devices.
✓ Depending on the nature of the program and data files, it is appropriate to keep current
copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof
container, either on-site, off-site or both. This applies equally to operating system and
utility software and back-up copies of hard disks.
✓ When personal computers are accessible to many users, there is a risk that programs
and data may be altered without authorization.
✓ Because personal computer operating system software may not contain many control
and security features, there are several internal control techniques which can be built
into the application programs to help ensure that data are processed and read as
authorized and that accidental destruction of data is prevented.
✓ These techniques which limit access to programs and data to authorized personnel,
include:
1. Segregating data into files organized under separate file directories
3. Employing passwords
4. Using cryptography
✓ Software and data integrity controls may ensure that processed information is free of
errors and that software is not susceptible to unauthorized manipulation (i.e., that
authorized data are processed in the prescribed manner).
Data back-up refers to plans made by the entity to obtain access to comparable hardware,
software and data in the event of their failure, loss or destruction.
✓ Identify important programs and data files to be copied and stored at a location away
from the PC.
✓ Back-up procedures must be performed on a regular basis.
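The integrity and back-up controls described above can be checked mechanically. The Python example below is added here and is not part of the original module: it records a SHA-256 baseline of program and data files, confirms that the back-up copy matches the baseline, and then reports files that were altered, removed or added. The folder names and file contents are constructed for the illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large data files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare(baseline, current):
    """Report files altered, missing or unexpected relative to the baseline."""
    return {
        "altered": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: a PC folder, its back-up copy, then unauthorized changes."""
    files = {
        "programs/ledger.exe": b"constructed program bytes",
        "data/receivables.dat": b"1001,250.00\n1002,75.50\n",
    }
    with tempfile.TemporaryDirectory() as work:
        pc = os.path.join(work, "pc")
        backup = os.path.join(work, "backup")
        for root in (pc, backup):
            for rel, content in files.items():
                target = os.path.join(root, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as handle:
                    handle.write(content)

        # Baseline taken while the files are known to be good
        baseline = build_manifest(pc)
        backup_check = compare(baseline, build_manifest(backup))

        # Simulate the risks named in the text: a program is modified,
        # a data file is destroyed, and an unknown program appears.
        with open(os.path.join(pc, "programs/ledger.exe"), "ab") as handle:
            handle.write(b" + appended code")
        os.remove(os.path.join(pc, "data/receivables.dat"))
        with open(os.path.join(pc, "programs/helper.exe"), "wb") as handle:
            handle.write(b"unknown")

        return backup_check, compare(baseline, build_manifest(pc))


if __name__ == "__main__":
    backup_check, pc_check = demo()
    print("back-up vs baseline:", backup_check)
    print("PC vs baseline:     ", pc_check)
```

The baseline manifest itself has to be kept away from the PC, like the back-up, or whoever alters a program can alter the recorded digest as well.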
Assessment Task
Activity I. Multiple Choice
Instructions: Read both the question and all four alternatives carefully before choosing your
answer. If in doubt, choose the one best answer. Your score is determined by the number of
correct answers: there is no deduction for incorrect answers. If you do not answer a question,
it will be marked as incorrect.
1. IT has several significant effects on an organization. Which of the following would not be
important from an auditing perspective?
a. Organizational changes.
b. The visibility of information.
c. The potential for material misstatement.
d. None of the above; i.e., they are all important.
2. The audit procedure which is least useful in gathering evidence on significant computer
processes is:
a. documentation.
b. observation.
c. test decks.
c. reveals
d. not understand
6. Predesigned formats, such as those used for audit documentation, can be created and
saved using electronic spreadsheets and word processors. These are called:
a. desktop publishing.
b. templates.
c. macros.
e. work files.
9. Auditors usually obtain information about general and application controls through:
a. interviews with IT personnel.
b. examination of systems documentation.
c. reading program change requests.
d. all of the above methods.
10. The auditor’s objective to determine whether the client’s computer programs can
correctly handle valid and invalid transactions as they arise is accomplished through the:
a. test data approach.
b. generalized audit software approach.
c. microcomputer-aided auditing approach.
d. generally accepted auditing standards.
11. The audit approach in which the auditor runs his or her own program on a controlled basis
to verify the client’s data recorded in a machine language is:
a. the test data approach.
b. called auditing around the computer.
c. the generalized audit software approach.
d. the microcomputer-aided auditing approach.
12. An auditor who is testing IT controls in a payroll system would most likely use test data
that contain conditions such as:
a. time tickets with invalid job numbers.
b. overtime not approved by supervisors.
c. deductions not authorized by employees.
d. payroll checks with unauthorized signatures.
15. Application controls vary across the IT system. To gain an understanding of internal
control for a private company, the auditor must evaluate the application controls for:
a. every audit area.
b. every material audit area.
c. every audit area in which the client uses the computer.
d. every audit area where the auditor plans to reduce assessed control risk.
Activity II Essay. Apply your creative thinking and discuss the following below, include your
resources of where you got your answer then submit it as per the specified instruction of your
instructor.
Summary
The computer you are using for your studies is called a personal computer or PC.
Although you have an internet connection for use in this course, your computer can probably
also be used as a stand-alone computer. Your PC may be a desktop computer or a notebook
computer (sometimes known as a laptop computer). Usually, a desktop computer comes with
separate devices such as a monitor, a keyboard, a mouse and speakers and it runs on mains
electricity. Notebook computers are designed to be small and light in order to make them
portable, so the screen and keyboard are part of the one unit. Notebook computers have
the same capabilities as a desktop computer, but can be run on an internal battery as well
as from an electrical socket.
Reference
Philippine Standard on Auditing and Philippine Auditing Practice Statements (3rd ed.).
(2005). Dom Dane Publishers and Made Easy Books.
MODULE 3
CIS ENVIRONMENT – ON-LINE COMPUTER SYSTEMS
PAPS 1002
Introduction
The existing PSA 700 (Revised), “The Independent Auditor’s Report on a Complete
Set of General-Purpose Financial Statements,” and PSA 700 (Redrafted), “Forming an
Opinion and Reporting on Financial Statements,” provide that the auditor shall evaluate
whether the financial statements (a) are prepared and presented in accordance with the
specific requirements of the applicable financial reporting framework and (b) adequately refer
to or describe the applicable financial reporting framework (Philippine Standard on Auditing
and Philippine Auditing Practice Statements, 2005).
The existing PSA 700 (Revised) and PSA 700 (Redrafted) further state that when
expressing an unmodified opinion on financial statements prepared in accordance with a fair
presentation framework, the auditor’s opinion shall, unless otherwise required by law or
regulation, use the phrase: “the financial statements present fairly in all material respects, …
in accordance with [the applicable financial reporting framework].” The auditor’s opinion
identifies the financial reporting framework on which the financial statements are based to
advise users of the auditor’s report of the context in which the opinion is expressed (Philippine
Standard on Auditing and Philippine Auditing Practice Statements, 2005).
The applicable financial reporting framework is defined in PSA 200 (Revised and
Redrafted), “Overall Objectives of the Independent Auditor and the Conduct of an Audit in
accordance with Philippine Standards on Auditing,” as the financial reporting framework
adopted by management in preparing and presenting the financial statements that is
acceptable in view of the nature of the entity and the objective of the financial statements, or
that is required by law or regulation (Philippine Standard on Auditing and Philippine Auditing
Practice Statements, 2005).
Philippine entities prepare and present their financial statements in accordance with
Philippine Financial Reporting Standards (PFRS) issued by the Financial Reporting Standards
Council, the accounting standard-setting body in the Philippines. Certain entities, however,
have been permitted to defer the application of PFRS in part or in full or to apply a specified
set of accounting standards.
The purpose of this revised Philippine Auditing Practice Statement (PAPS) 1002Ph is
to provide guidance on the application of the existing PSA 700 (Revised) and PSA 700
(Redrafted), specifically on the description of the applicable Philippine financial reporting
framework when this is other than PFRS (Philippine Standard on Auditing and Philippine
Auditing Practice Statements, 2005).
Learning Outcomes
At the end of this lesson, the student should be able to:
1. Demonstrate the different types of Network Environment.
2. Explain the types of on-line computing systems.
3. Understand the communication components.
On-line computer systems are computer systems that enable users to access data and
programs directly through workstations. On-line systems allow users to initiate various
functions directly. Such functions include:
• Entering transactions;
• Making inquiries;
• Requesting reports.
Types of workstations
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)
a. General Purpose Terminals
• Basic Keyboard and monitor – used for entering data without any validation within the
terminal and for displaying data from the computer system on the monitor.
• Intelligent Terminal – used for the functions of the basic keyboard and monitor with the
additional functions of validating data within the terminal, maintaining transaction logs
and performing other local processing.
• Personal Computers – used for all of the functions of an intelligent terminal with
additional local processing and storage capabilities.
• On-line/Batch Processing
In a system with on-line input and batch processing, individual transactions are
entered at a workstation, subjected to certain validation checks and added to a
transaction file that contains other transactions entered during the period.
• On-line/Inquiry
On-line inquiry restricts users at workstations to making inquiries of master files. In
such systems, the master files are updated by other systems, usually on a batch basis.
• On-line Downloading/ Uploading Processing
On-line downloading refers to the transfer of data from a master file to a workstation
for further processing by the user.
• Local Area Network (LAN) - It typically covers a single geographical location, but could
include many users from various floors and/or departments within an organization.
• Wide Area Network (WAN) - It was created to connect two or more geographically
separated LANs. A WAN typically involves one or more long-distance providers,
such as a telephone company, to provide the connections.
Figure 3.2 Wide Area Network
(Stunnetwork, 2014)
• Metropolitan Area Network (MAN) is a type of network in which multiple buildings are
close enough to create a campus, but the space between the buildings is not under the
control of the company.
Communication Components
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
Computer network components comprise both the physical parts and the software
required for installing computer networks, both at organizations and at home. The hardware
components are the server, client, peer, transmission medium, and connecting devices. The
software components are operating system and protocols.
The following figure shows a network along with its components −
Hardware Components
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
• Servers − Servers are high-configuration computers that manage the resources of the
network. The network operating system is typically installed in the server, and so servers
give users access to the network resources. Servers can be of various kinds: file
servers, database servers, print servers etc.
• Clients − Clients are computers that request and receive service from the servers to
access and use the network resources.
• Peers − Peers are computers that provide as well as receive services from other
peers in a workgroup network.
• Transmission Media − Transmission media are the channels through which data is
transferred from one device to another in a network. Transmission media may be
guided media like coaxial cable, fibre optic cables etc; or maybe unguided media like
microwaves, infra-red waves etc.
• Connecting Devices − Connecting devices act as middleware between networks or
computers, by binding the network media together. Some of the common connecting
devices are:
a. Routers
b. Bridges
c. Hubs
d. Repeaters
e. Gateways
f. Switches
Software Components
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
• Network Operating System − A network operating system is typically installed on
the server and enables workstations in a network to share files, databases,
applications, printers etc.
• Protocol Suite − A protocol is a rule or guideline followed by each computer for data
communication. A protocol suite is a set of related protocols that are laid down for
computer networks. The two popular protocol suites are −
a. OSI Model (Open Systems Interconnection)
b. TCP / IP Model
Characteristics of On-line Computer Systems
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
• When data are entered on-line they are usually subject to immediate validation checks.
• Users may have on-line access to the system that enables them to perform various
functions.
• An on-line computer system may be designed in a way that does not provide
supporting documents for all transactions entered into the system.
• Programmers may have on-line access to the system that enables them to develop
new programs and modify existing programs.
• Access controls
• Programming controls
• Transaction logs
CIS application controls
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)
• Pre-processing authorization
• Cut-off procedures
• File controls
• Balancing
• Rejected data
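How on-line entry with batch processing combines immediate validation checks, a transaction log, rejected-data handling and balancing is shown in the Python example below, which is added here and is not part of the original module. The account list, operator limits, reason texts and sample entries are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed master file keys and operator authority limits (assumptions)
VALID_ACCOUNTS = {"1001", "1002", "1003"}
OPERATOR_LIMITS = {"clerk01": Decimal("5000.00"), "supv01": Decimal("50000.00")}

# Constructed entries keyed in at a workstation during one period
SAMPLE_ENTRIES = [
    {"account": "1001", "amount": "250.00", "operator": "clerk01"},
    {"account": "1002", "amount": "75.50", "operator": "clerk01"},
    {"account": "9999", "amount": "100.00", "operator": "clerk01"},   # no such account
    {"account": "1003", "amount": "7500.00", "operator": "clerk01"},  # above clerk limit
    {"account": "1001", "amount": "12.5O", "operator": "clerk01"},    # letter O for zero
]


class Batch:
    def __init__(self):
        self.transaction_file = []  # accepted entries awaiting the batch update
        self.suspense_file = []     # rejected data held for correction and re-entry
        self.log = []               # every entry attempt, accepted or not, in order


def parse_amount(raw):
    """Return a positive, finite Decimal, or None when the field is unusable."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        return None
    return amount if amount.is_finite() and amount > 0 else None


def validate(entry):
    """Immediate validation checks; an empty list means the entry is accepted."""
    reasons = []
    amount = parse_amount(entry.get("amount"))
    limit = OPERATOR_LIMITS.get(entry.get("operator"))
    if entry.get("account") not in VALID_ACCOUNTS:
        reasons.append("unknown account")
    if amount is None:
        reasons.append("amount is not a positive number")
    if limit is None:
        reasons.append("operator not authorized")
    elif amount is not None and amount > limit:
        reasons.append("amount exceeds operator limit")
    return reasons


def enter(batch, entry):
    """Log the attempt, then route it to the transaction file or the suspense file."""
    reasons = validate(entry)
    seq = len(batch.log) + 1
    batch.log.append({"seq": seq, "entry": dict(entry), "reasons": reasons})
    if reasons:
        batch.suspense_file.append({"seq": seq, "entry": dict(entry), "reasons": reasons})
        return False
    batch.transaction_file.append(
        dict(entry, seq=seq, amount=parse_amount(entry["amount"])))
    return True


def balance(batch, control_count, control_total):
    """Balance the batch against control totals prepared away from data entry."""
    accepted_total = sum((t["amount"] for t in batch.transaction_file), Decimal("0"))
    entered = len(batch.transaction_file) + len(batch.suspense_file)
    difference = control_total - accepted_total
    return {
        "count_matches": entered == control_count,
        "accepted_total": accepted_total,
        "difference": difference,
        # Post to the master file only when nothing is missing or still in suspense
        "ready_to_post": entered == control_count and difference == 0,
    }


def run_demo():
    batch = Batch()
    for entry in SAMPLE_ENTRIES:
        enter(batch, entry)
    # Control totals from the source documents: 5 items totalling 7,938.00
    return batch, balance(batch, control_count=5, control_total=Decimal("7938.00"))


if __name__ == "__main__":
    demo_batch, result = run_demo()
    for item in demo_batch.suspense_file:
        print("rejected", item["seq"], item["reasons"])
    print(result)
```

The difference reported by `balance` equals the value still sitting in the suspense file, so the batch stays unposted until each rejected item has been corrected and re-entered.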
Effect of On-line Computer Systems on the Accounting System and Related Internal
Controls
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)
• The extent to which the on-line system is being used to process accounting
applications;
• The type and significance of financial transactions being processed; and
• If on-line data entry is performed at or near the point where transactions originate
• If data entry is performed on-line by individuals who understand the nature of the
transactions involved
• If transactions are processed immediately on-line
Risk of fraud or error in on-line computer systems may be increased for the following reasons
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)
• Workstations may provide the opportunity for unauthorized uses such as:
• The on-line computer system may not be designed to provide printed reports.
• Integrity of records and processing, due to on-line access to the system by many users
and programmers.
Changes in the performance of audit procedures, including the use of CAATs, due to matters
such as
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
• The need for auditors with technical skills in on-line computer systems;
• The effect of the on-line computer system on the timing of audit procedures;
• The participation on the audit team of individuals with technical proficiency in on-line
computer systems and related controls.
• Preliminary determination during the risk assessment process of the impact of the
system on the audit procedures.
• Compliance testing of controls over transactions logged by the on-line system for
authorization, completeness and accuracy.
• Substantive tests of transactions and processing results rather than tests of controls,
where the former may be more cost effective or where the system is not well-designed
or controlled.
• Re-processing transactions as either a compliance or substantive procedure.
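The last three procedures can be carried out on an export of the on-line system's transaction log. The Python example below is added here and is not part of the original module: it tests the log for completeness (sequence gaps and duplicates) and authorization, then re-processes the transactions and compares the result with the client's closing balances. The log layout, the rule that the approver must differ from the person who entered the transaction, and all figures are constructed assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed export of the on-line system's transaction log
LOG_CSV = """seq,account,amount,entered_by,approved_by
101,1001,250.00,clerk01,supv01
102,1002,75.50,clerk01,supv01
104,1001,-40.00,clerk02,clerk02
105,1003,900.00,clerk02,
106,1002,10.00,clerk01,supv01
106,1002,10.00,clerk01,supv01
"""

# Constructed opening balances and the closing balances reported by the client
OPENING = {"1001": Decimal("1000.00"), "1002": Decimal("500.00"),
           "1003": Decimal("0.00")}
CLIENT_CLOSING = {"1001": Decimal("1210.00"), "1002": Decimal("585.50"),
                  "1003": Decimal("950.00")}


def load_log(text):
    """Parse the CSV export into typed rows."""
    return [
        {"seq": int(r["seq"]), "account": r["account"], "amount": Decimal(r["amount"]),
         "entered_by": r["entered_by"], "approved_by": r["approved_by"]}
        for r in csv.DictReader(io.StringIO(text))
    ]


def completeness(rows):
    """Find sequence numbers that are missing from, or repeated in, the log."""
    seen, duplicated = set(), set()
    for row in rows:
        (duplicated if row["seq"] in seen else seen).add(row["seq"])
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return {"missing": missing, "duplicated": sorted(duplicated)}


def unique_rows(rows):
    """Keep the first occurrence of each sequence number, in sequence order."""
    first = {}
    for row in rows:
        first.setdefault(row["seq"], row)
    return [first[seq] for seq in sorted(first)]


def authorization_exceptions(rows):
    """Flag transactions with no approver or approved by the person who entered them."""
    exceptions = []
    for row in unique_rows(rows):
        if not row["approved_by"]:
            exceptions.append((row["seq"], "no approval recorded"))
        elif row["approved_by"] == row["entered_by"]:
            exceptions.append((row["seq"], "approved by the person who entered it"))
    return exceptions


def reprocess(rows, opening):
    """Re-perform the update: opening balance plus each logged transaction once."""
    balances = dict(opening)
    for row in unique_rows(rows):
        balances[row["account"]] = balances.get(row["account"], Decimal("0")) + row["amount"]
    return balances


def differences(recomputed, client):
    """Accounts where the client's balance differs from the re-processed balance."""
    zero = Decimal("0")
    return {
        acct: client.get(acct, zero) - recomputed.get(acct, zero)
        for acct in sorted(set(recomputed) | set(client))
        if client.get(acct, zero) != recomputed.get(acct, zero)
    }


if __name__ == "__main__":
    log_rows = load_log(LOG_CSV)
    print("completeness: ", completeness(log_rows))
    print("authorization:", authorization_exceptions(log_rows))
    print("accuracy:     ", differences(reprocess(log_rows, OPENING), CLIENT_CLOSING))
```

In the constructed data the missing sequence number and the unexplained difference on one account are the kind of findings an auditor would follow up together.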
Assessment Task
Activity I.
Identification: Identify the term described in each statement.
1. used for the functions of the basic keyboard and monitor with the additional functions
of validating data within the terminal, maintaining transaction logs and performing
other local processing.
2. used to record sales transactions as they occur and to transmit them to the main computer.
3. used to initiate, validate, record, transmit and complete various banking transactions.
5. It is typically a single geographical location, but could include many users from
various floors and/or departments within an organization.
6. It is a type of network in which multiple buildings are close enough to create a campus, but
the space between the buildings is not under the control of the company.
7. It is used for entering data without any validation within the terminal and for displaying
data from the computer system on the monitor.
8. It is used for all of the functions of an intelligent terminal with additional local
processing and storage capabilities.
9. It is used to record sales transactions as they occur and to transmit them to main
computer.
10. This restricts users at workstations to making inquiries of master files. In such
systems, the master files are updated by other systems, usually on a batch basis.
Activity II.
Essay. Apply your creative thinking and discuss the following below, include your
resources of where you got your answer then submit it as per the specified instruction
of your instructor.
1. Explain the importance of choosing a switch compared to a hub.
2. Search for 3 examples of companies that use a LAN, WAN or MAN
network.
Summary
A network is made up of physical and logical components. The physical components are the
cables and network hardware devices, such as switches. The logical components of a network are
the frames and data carried by and across the network.
Networks have two points: the source and destination, also known as the origination and
termination points (respectively).
There are three modes of transmission between origination and termination points:
simplex (one-way) mode, half-duplex mode (two-way, but not at the same time), and full-duplex
mode (two-way, at the same time).
There are three major types of networks. The distinguishing characteristic of each network type
is the geographic range covered by the network:
• LANs cover a small geographic range; the area within an office building, for instance.
• MANs cover a broader geographic range than LANs; the area of a city, for instance.
• WANs cover a broad geographic range; an expanse across several states or countries,
for instance.
The design, engineering, and implementation of a network are based on the application of
network models and standards. A network model is a guiding principle in network
communications, whereas a network standard is a network communications law. A vendor's
special use of a standard is called a proprietary feature or proprietary implementation. Another
example of a proprietary feature is a product a vendor implements that is not based on a standard
at all.
References
Technology, A. (2021). What’s the Difference Between A Local Area Network (LAN),
Metropolitan Area Network (MAN), & Wide Area Network (WAN)?
https://www.apposite-tech.com/blog/whats-difference-metropolitan-area-network-man-wide-area-network-wan/
Philippine Standard on Auditing and Philippine Auditing Practice Statements (3rd ed.). (2005).
Dom Dane Publishers and Made Easy Books.
MODULE 4
CIS ENVIRONMENT – RISK ASSESSMENTS AND
INTERNAL CONTROL – CIS CHARACTERISTICS
AND CONSIDERATIONS
PAPS 1008
Introduction
2. Enumerate the design and Procedural Aspects in risk assessment and Internal
Controls.
3. Explain the purpose of CIS Application Tools.
• Concentration of programs and data – transaction and master file data are often
concentrated, usually in machine-readable form, either in one computer installation
located centrally or in a number of installations distributed throughout an entity.
Computer programs which provide the ability to obtain access to and alter such data
are likely to be stored at the same location as the data.
The use of computers may result in the design of systems that provide less visible evidence
than those using manual procedures. In addition, these systems may be accessible by a larger
number of persons. System characteristics that may result from the nature of CIS processing
include (Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005):
• Absence of input documents – data may be entered directly into the computer
system without supporting documents.
• Lack of visible transaction trail – certain data may be maintained on computer files
only.
• Lack of visible output – certain transactions or results of processing may not be
printed.
• Ease of access to data and computer programs – data and computer programs may be
accessed and altered at the computer through the use of computer equipment at
remote locations.
The development of CIS will generally result in design and procedural characteristics that are
different from those found in manual systems. These different design and procedural
aspects of CIS include:
• Single transaction update of multiple or database computer files – a single input to the
accounting system may automatically update all records associated with the
transaction.
itself without the need for an input document.
• Vulnerability of data and program storage media – large volumes of data and the
computer programs used to process such data may be stored on portable or fixed
storage media, such as magnetic disks and tapes.
The internal controls over computer processing, which help to achieve the overall
objectives of internal control, include both manual procedures and procedures designed into
computer programs. Such manual and computer control procedures comprise the overall
controls affecting CIS environment (general CIS controls) and the specific controls over the
accounting applications (CIS application controls).
• Acquisition of application systems from third parties.
c. Computer operation controls – designed to control the operation of the systems and to
provide reasonable assurance that:
• The systems are used for authorized purposes only;
• Access to computer operations is restricted to authorized personnel;
personnel.
e. Data entry and program controls – designed to provide reasonable assurance that:
Controls over processing and computer data files – designed to provide reasonable assurance
that:
The auditor should consider how these general CIS controls affect the CIS applications
significant to the audit. General CIS controls that relate to some or all applications are typically
interdependent controls in that their operation is often essential to the effectiveness of CIS
application controls. Accordingly, it may be more efficient to review the design of the general
controls before reviewing the application controls.
Control over input, processing, data files and output may be carried out by CIS
personnel, by users of the system, by a separate control group, or may be programmed into
application software. CIS application controls which the auditor may wish to test include:
• Manual controls exercised by the user – if manual controls exercised by the user of the
application system are capable of providing reasonable assurance that the system’s
output is complete, accurate and authorized, the auditor may decide to limit tests of
control to these manual controls.
• Controls over system output – if, in addition to manual controls exercised by the user,
the controls to be tested use information produced by the computer or are contained
within computer programs, it may be possible to test such controls by examining the
system’s output using either manual or computer-assisted audit techniques.
• Programmed control procedures – in the case of certain computer systems, the auditor
may find that it is not possible or, in some cases, not practical to test controls by
examining only user controls or the system’s output.
Assessment Task
Activity I.
DIRECTION: Identify the corresponding answer for each statement.
Summary
The general CIS controls may have a pervasive effect on the processing of transactions
in application systems. If these controls are not effective, there may be a risk that
misstatements might occur and go undetected in the application systems. Thus, weaknesses
in general CIS controls may preclude testing certain CIS application controls; however,
manual procedures exercised by users may provide effective control at the application level.
References
Philippine Standard on Auditing and Philippine Auditing Practice Statements (3rd ed.).
(2005). Dom Dane Publishers and Made Easy Books.