
Information Systems

Operations and Management

Ann Patricia H. Almanzor

LAGUNA UNIVERSITY

Vision

Laguna University shall be a socially responsive educational institution of choice providing holistically developed individuals in the Asia-Pacific Region.

Mission

Laguna University is committed to produce academically prepared and technically skilled individuals who are socially and morally upright.

Course Code: AIS 5- Information Systems Operations and Management

Course Description: This course looks specifically at the audit of IT
services operations and maintenance. The student will benefit from learning
the techniques and skills necessary to conduct an audit of the processes of
IT operations and the ability of those systems to meet service delivery
objectives. Some of the topics covered by this course are: service level
agreements and third-party relationship management; change control;
testing software and systems; and disaster recovery planning.

Course Intended Learning Outcomes (CILO):


At the end of this course, the students should be able to:
1. Understand the IT related risks, security and control mechanism and
techniques that may be employed to address the risks and the impact
of computer use in the auditing system.
2. Identify and understand the importance of auditing system.
3. Familiarize them with computer assisted audit techniques and tools.
4. Appreciate the particular features and understanding of the risks
involved in auditing in a CIS environment.
5. Experience in the use of computers in performing audits.

Course Requirements:
*Component of Class Standing are reflected in the OBTLP
▪ Class Standing - 60%
▪ Major Exams - 40%

Periodic Grade 100%

Final Grade = Total CS + Final Exam x 70% + 30% of the Midterm
Table of Contents

Module 1: Inter-Bank Confirmation Procedures
Introduction
Learning Outcomes
Lesson 1. The Need for Confirmation
Assessment Task
Summary
References

Module 2: CIS Environment – Stand Alone Personal Computers PAPS 1001
Introduction
Learning Objectives
Lesson 1. PAPS 1001
Assessment Task
Summary
References

Module 3: CIS Environment – On-Line Computers System PAPS 1002
Introduction
Learning Outcomes
Lesson 1. Information Management
Lesson 2. Network Environment
Lesson 3. Internal Control in an On-line Computer System
Assessment Task
Summary
References

Module 4: CIS Environment – Risk Assessments and Internal Control – CIS Characteristics and Considerations PAPS 1008
Introduction
Learning Outcomes
Lesson 1. Organizational Structure
Lesson 2. Nature of Processing
Assessment Task
Summary
References

MODULE 1
INTER-BANK CONFIRMATION PROCEDURES
PAPS 1000

Introduction

The purpose of this Statement is to provide assistance on inter-bank confirmation
procedures to the external independent auditor, to bank management, such as internal
auditors, and to BSP examiners. The guidance contained in this Statement should contribute
to the effectiveness of inter-bank confirmation procedures and to the efficiency of processing
replies (ASPC, 2020).
An important audit step in the examination of bank financial statements and related
information is to request direct confirmation from other banks of both balances and other
amounts which appear in the balance sheet and other information which may not be shown
on the face of the balance sheet but which may be disclosed in the notes to the accounts.
Off balance sheet items requiring confirmation include such items as guarantees, forward
purchase and sale commitments, repurchase options, and offset arrangements. This type of
audit evidence is valuable because it comes directly from an independent source and,
therefore, provides greater assurance of reliability than that obtained solely from the bank's
own records (ASPC, 2020).
The auditor, in seeking to obtain inter-bank confirmations, may encounter difficulties
in relation to language, terminology, consistent interpretation and scope of matters covered
by the reply. Frequently, these difficulties result from the use of different kinds of confirmation
requests or misunderstandings about what they are intended to cover (ASPC, 2020).
Audit procedures may differ from country to country, and consequently local practices
will have relevance to the way in which inter-bank confirmation procedures are applied. While
this Statement does not purport to describe a comprehensive set of audit procedures,
nevertheless, it does emphasize some important steps which should be followed in the use of
a confirmation request (ASPC, 2020).

Learning Outcomes
At the end of this lesson, the student should be able to:
1. Explain the important part of banking business.
2. Demonstrate the Preparation and Dispatch of Requests and Receipt of Replies
3. Create bank confirmation letter.

Lesson 1. The Need for Confirmation (ASPC, 2020)


An essential feature of management control over business relations, with individuals
or groups of financial institutions, is the ability to obtain confirmation of transactions with
those institutions and of the resulting positions. The requirement for bank confirmation arises
from the need of the bank’s management and its auditors to confirm the financial and
business relationships between the following:
• The bank and other banks within the same country.
• The bank and other banks in different countries.
• The bank and its non-bank customers.
While inter-bank relationships are similar in nature to those between the bank and a
non-bank customer, there may be special significance in some inter-bank relationships, for
example, in connection with certain types of “off balance sheet” transactions, such as
contingencies, forward transactions, commitments and offset agreements.

Use of Confirmation Requests (ASPC, 2020)


The guidance set out in the following paragraphs is designed to assist banks and their
auditors to obtain independent confirmation of financial and business relationships with
other banks. However, there may be occasions on which the approach described within
this PAPS may also be appropriate to confirmation procedures between the bank and its
non-bank customers. The procedures described are not relevant to the routine inter-bank
confirmation procedures which are carried out in respect to the day-to-day commercial
transactions conducted between banks.
The auditor should decide from which bank or banks to request confirmation, having
regard to such matters as size of balances, volume of activity, degree of reliance on internal
controls, and materiality within the context of the financial statements. Tests of particular
activities of the bank may be structured in different ways and confirmation requests may,
therefore, be limited solely to inquiries about those activities. Requests for confirmation of
individual transactions may either form part of the test of a bank’s system of internal control
or be a means of verifying balances appearing in a bank’s financial statements at a particular
date. Therefore, confirmation requests should be designed to meet the particular purpose
for which they are required (ASPC, 2020).

The auditor should determine which of the following approaches is the most appropriate
in seeking confirmation of balances or other information from another bank:
• Listing balances and other information, and requesting confirmation of their accuracy and
completeness.
• Requesting details of balances and other information, which can then be compared with the
requesting bank’s records.
In determining which of the above approaches is the most appropriate, the auditor
should weigh the quality of audit evidence he requires in the particular circumstances against
the practicality of obtaining a reply from the confirming bank.
Difficulty may be encountered in obtaining a satisfactory response even where the
requesting bank submits information for confirmation to the confirming bank. It is important
that a response be sought for all confirmation requests. It is not usual practice to request a
response only if the information submitted is incorrect or incomplete.

Dispatch of Requests and Receipt of Replies


The auditor should determine the appropriate location to which the confirmation
request should be sent, for example a department, such as internal audit, inspection and
other specialist department, which may be designated by the confirming bank as responsible
for replying to confirmation requests. It may be appropriate, therefore, to direct confirmation
requests to the head office of the bank (in which such departments are often located) rather
than to the location where balances and other relevant information are held. In other
situations, the appropriate location may be the local branch of the confirming bank (ASPC,
2020).
Whenever possible, the confirmation request should be prepared in the language of
the confirming bank or in the language normally used for business purposes. Control over
the content and dispatch of confirmation requests is the responsibility of the auditor.
However, it will be necessary for the request to be authorized by the requesting bank.
Replies should be returned directly to the auditor and to facilitate such a reply, a
pre-addressed envelope should be enclosed with the request (ASPC, 2020).

Content of Confirmation Requests


The form and content of a confirmation request letter will depend on the purpose for
which it is required, on local practices and on the requesting bank’s account procedures, for
example, whether or not it makes extensive use of electronic data processing.
The confirmation request should be prepared in a clear and concise manner to ensure
ready comprehension by the confirming bank. Not all information for which confirmation is
usually sought will be required at the same time. Accordingly, request letters may be sent
at various times during the year dealing with particular aspects of the inter-bank relationship.
The most commonly requested information is in respect of balances due to or from the
requesting bank on current, deposit, loan and other accounts. The request letter should
provide the account description, number and the type of currency for the account. It may
also be advisable to request information about nil balances on correspondent accounts, and
correspondent accounts which were closed in the twelve months prior to the chosen
confirmation date. The requesting bank may ask for confirmation not only of the balances
on accounts but also, where it may be helpful, other information, such as the maturity and
interest terms, unused facilities, lines of credit/standby facilities, any offset or other rights or
encumbrances, and details of any collateral given or received.
An important part of banking business relates to the control of those transactions
commonly designated as “off balance sheet.” Accordingly, the requesting bank and its
auditors are likely to request confirmation of contingent liabilities, such as those arising on
guarantees, comfort letters and letters of undertaking, bills, own acceptances, and
endorsements. Confirmation may be sought both of the contingent liabilities of the
requesting bank to the confirming bank and of the confirming bank to the requesting bank.
The details supplied or requested should describe the nature of the contingent liabilities
together with their currency and amount. Confirmation of asset repurchase and resale
agreements and options outstanding at the relevant date should also be sought. Such
confirmation should describe the asset covered by the agreement, the date the transaction
was contracted, its maturity date, and the terms on which it was completed (ASPC, 2020).
Another category of information, for which independent confirmation is often
requested at a date other than the transaction date, concerns forward currency, bullion,
securities and other outstanding contracts. It is well established practice for banks to confirm
transactions with other banks as they are made. However, it is the practice for audit
purposes to confirm independently a sample of transactions selected from a period of time
or to confirm all the unmatured transactions with a counterparty. The request should give
details of each contract including its number, the deal date, the maturity or value date, the
price at which the deal was transacted and the currency and amount of the contract bought
and sold, to and from, the requesting bank. Banks often hold securities and other items in
safe custody on behalf of customers. A request letter may thus ask for confirmation of such
items held by the confirming bank, at a specific date. The confirmation should include a
description of the items and the nature of any encumbrances or other rights over them
(ASPC, 2020).

Assessment Task
Activity I.
Essay.

1. Even in a small organization, do we need to have an internal audit function?

2. What should our internal audit function do?

3. What should be the mandate of the internal audit function?

4. How do you assess the effectiveness of your internal audit function?

5. Does internal audit have sufficient resources?

Summary

Confirmation requests can be designed to elicit evidence that addresses the
completeness assertion: that is, if properly designed, confirmations may provide evidence to
aid in assessing whether all transactions and accounts that should be included in the financial
statements are included. Their effectiveness in addressing the completeness assertion
depends, in part, on whether the auditor selects from an appropriate population for testing.
For example, when using confirmations to provide evidence about the completeness assertion
for accounts payable, the appropriate population might be a list of vendors rather than the
amounts recorded in the accounts payable subsidiary ledger.

Reference

ASPC. (2020). Inter-Bank Confirmation Procedures.
https://aasc.org.ph/downloads/PAPS/publications/PDFs/PAPS-1000.pdf

MODULE 2
CIS ENVIRONMENT – STAND ALONE PERSONAL
COMPUTERS PAPS 1001

Introduction

The purpose of this Philippine Auditing Practice Statement (PAPS) is to provide
practical guidance to auditors in dealing with what is currently referred to as “tentative financial
statements.” The term “tentative financial statements” is generally used at present to refer to
a set of incomplete or unaudited financial statements accompanied by a report of an external
auditor who has not yet completed his audit of such financial statements (Philippine Standard
on Auditing and Philippine Auditing Practice Statements, 2005).

Companies in the Philippines are required to file financial statements with regulatory
agencies such as the Securities and Exchange Commission (SEC), the Bureau of Internal
Revenue (BIR) and the Bangko Sentral ng Pilipinas (BSP), among others. As a matter of
practice, the Board of Contractors (BOC) also requires the submission of audited financial
statements by contractors before they are allowed to bid in construction projects. The financial
statements are required to be audited by independent auditors and auditors’ reports are
required to accompany the financial statements. Specific deadlines are set by the regulatory
agencies for the submission of the financial statements and penalties are imposed on late
submission (Philippine Standard on Auditing and Philippine Auditing Practice Statements,
2005).

Except for the BIR and the BOC, government agencies do not accept, as part of a
company’s annual filing or as one of the requirements for bidding purposes by contractors,
tentative financial statements. The BIR, on the other hand, accepts filing of tentative annual
income tax returns (ITR) based on preliminary figures of income and expenses of a
company for the taxable year. This is allowed to accommodate filing of tentative annual
ITR, accompanied by a set of incomplete or unaudited financial statements and an
external auditor’s report, by a company whose audit is not yet completed at the time of
filing. In this case, the company is able to avoid the penalties imposed for late filing of
ITRs and appears to have complied with the requirement regarding audited financial
statements which, in the case of the BIR, is further discussed in paragraph 5. Since the
external auditor has not yet completed his audit, the covering auditor’s report contains a
disclaimer of opinion on those financial statements. Upon completion of the audit, an
amended ITR, accompanied by the audited final financial statements and auditor’s report,
is subsequently submitted (Philippine Standard on Auditing and Philippine Auditing
Practice Statements, 2005).

Learning Outcomes
At the end of this lesson, the student should be able to:
1. Understand the progress of information and communication technologies (ICT) and
their role in the modern world.
2. Identify the basic hardware and software components of a computer and/or similar
electronic devices, and explore their functioning.
3. Learn and implement the rules of ergonomics related to the use of computers
and/or similar electronic devices.

Lesson 1. PAPS 1001

Personal Computer System


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)
Personal computers (PCs) are economical yet powerful self-contained
general-purpose computers consisting typically of a central processing unit (CPU), memory,
monitor, disk drives, printer cables and modems. A PC can be used to process accounting
transactions and produce reports that are essential to the preparation of financial statements.
Computer Information Systems (CIS) environments in which personal computers are used are
different from other CIS environments.

Personal Computer Configurations


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

1. A stand-alone workstation operated by a single user or a number of users at different times,
accessing the same or different programs.
- The programs and data are stored in the personal computer or in close proximity, and
generally data are entered manually through the keyboard.

2. A workstation which is part of a local area network (LAN), an arrangement where two or more PCs
are linked together through the use of special software and communication lines (a LAN allows
the sharing of resources such as facilities and printers).

3. A workstation connected or linked to a server and used as part of such systems, for example as an
on-line workstation or as part of a distributed accounting system.
- A personal computer can act as an intelligent terminal because of its logic, transmission,
storage and basic computing capabilities.

Characteristics of Personal Computer


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

✓ Although personal computers provide the user with substantial computing capabilities,
they are small enough to be transportable, are relatively inexpensive and can be placed in
operation quickly.
✓ Software for a wide range of personal computer applications can be purchased from
third-party vendors to perform tasks (e.g., general ledger accounting, receivables accounting
and production / inventory control).
✓ The operating software, application programs and data can be stored on and retrieved
from removable storage media, including diskettes, compact disks, tapes and removable
hard disks.
✓ A virus is a computer program (a block of executable code) that attaches itself to a
legitimate program or data file and uses it as a transport mechanism to reproduce itself
without the knowledge of the user.
✓ Users with basic computer skills can learn to operate a personal computer easily since
many operating system software and applications are “user-friendly” and contain
step-by-step instructions.
✓ Users can also develop other applications with the use of generic software packages,
such as spreadsheets or databases, purchased from third-party vendors. Such software
packages are typically used without modification of the programs.

✓ Software programs and data can also be stored on hard disks that are not removable.
Both removable and non-removable storage media may be erased or damaged
by computer viruses that attack the CIS.

Internal Control in Personal Computer Environment


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

✓ Generally, the CIS environment in which personal computers are used is less
structured than a centrally-controlled CIS environment.
✓ In almost all commercially available operating systems, the built-in security provided
has gradually increased over the years.
✓ In a typical personal computer environment, the distinction between general CIS
controls and CIS application controls may not be easily ascertained.

- In such cases, the controls over the system development process and operations, which
are essential to the effective control of a large computer environment, may not be viewed
by the developer, the user or management as being as important or cost-effective in a
personal computer environment. Since personal computers are oriented to individual
end-users, the degree of accuracy and dependability of financial information produced will
depend upon the internal controls prescribed by management and adopted by the user.

Management Authorization for Operating Personal Computers


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

Management can contribute to the effective operation of stand-alone personal computers
by prescribing and enforcing policies for their control and use. Management’s policy statement
may include:
• Management’s responsibilities;

• Instruction on personal computer use;

• Training requirements;

• Authorization for access to programs and data;

• Policies to prevent unauthorized copying of programs and data;

• Security, back-up and storage requirements;

• Applications development and documentation standards;

• Standards of report format and report distribution controls;

• Personal usage policies;

• Data integrity standards;

• Responsibility for programs, data and error corrections;

• Appropriate segregation of duties.

Physical Security – Equipment


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

✓ Because of their physical characteristics, personal computers are susceptible to theft,
physical damage, unauthorized access or misuse.
✓ One method of physical security is to restrict access to personal computers when not
in use by door locks or other security protection during non-business hours.
✓ In cases where personal computers are used to process critical stand-alone
applications, additional physical security can be established by:
➢ Locking the personal computer in a protective cabinet or shell; or

➢ Using an alarm system that is activated any time the personal computer is
disconnected or moved from its location.

Physical Security – Removable and Non-removable media


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

✓ Programs and data used on a personal computer can be stored on removable storage
media or non-removable storage media. When a personal computer is used by many
individuals, users may develop a casual attitude toward the storage of the application
diskettes, compact disks or back-up tapes for which they are responsible.

✓ Control over removable storage media can be established by placing responsibility for
such media under personnel whose responsibilities include duties of software
custodians or librarians. Physical control over non-removable storage media is
probably best established with locking devices.
✓ Depending on the nature of the program and data files, it is appropriate to keep current
copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof
container, either on site, off-site or both. This applies equally to operating system and
utility software and back-up copies of hard disks.

Program and Data Security


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

✓ When personal computers are accessible to many users, there is a risk that programs
and data may be altered without authorization.
✓ Because personal computer operating system software may not contain many control
and security features, there are several internal control techniques which can be built
into the application programs to help ensure that data are processed and read as
authorized and that accidental destruction of data is prevented.
✓ These techniques which limit access to programs and data to authorized personnel,
include:
1. Segregating data into files organized under separate file directories

2. Using hidden files and secret file names

3. Employing passwords

4. Using cryptography

5. Using anti-virus software programs

Software and Data Integrity


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

✓ Software and data integrity controls may ensure that processed information is free of
errors and that software is not susceptible to unauthorized manipulation (i.e., that
authorized data are processed in the prescribed manner).

✓ Data integrity can be strengthened by incorporating internal control procedures such
as format and range checks and cross checks of results.
✓ Adequate written documentation of applications that are processed on the PC can
strengthen software and data integrity controls further.
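
The format checks, range checks and cross checks named above can be illustrated on a batch of journal entries. This is an added example, not part of the module or of PAPS 1001; the account-code pattern, the per-entry limit, the control-record layout and the sample batch are all assumptions constructed for illustration.

```python
import re
from datetime import datetime
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"\d{4}-\d{3}")   # assumed account-code format
MAX_AMOUNT = Decimal("500000.00")         # assumed per-entry limit

# Constructed sample batch: the control record travels with the batch and
# states what the sender believes it contains.
SAMPLE_BATCH = {
    "control": {"count": 5, "total_debits": Decimal("12500.00")},
    "entries": [
        {"date": "2024-03-01", "account": "1010-001", "side": "D", "amount": "10000.00"},
        {"date": "2024-03-01", "account": "2010-004", "side": "C", "amount": "10000.00"},
        {"date": "2024-02-30", "account": "5020-010", "side": "D", "amount": "2500.00"},
        {"date": "2024-03-02", "account": "101-0001", "side": "C", "amount": "2500000.00"},
    ],
}


def parse_amount(text):
    """Return a finite Decimal, or None when the text is not a valid amount."""
    try:
        value = Decimal(text)
    except (InvalidOperation, TypeError, ValueError):
        return None
    return value if value.is_finite() else None


def check_entry(entry):
    """Format and range checks on one entry; returns a list of findings."""
    findings = []
    try:
        datetime.strptime(entry["date"], "%Y-%m-%d")   # rejects impossible dates too
    except ValueError:
        findings.append("format: date is not a valid YYYY-MM-DD date")
    if not ACCOUNT_RE.fullmatch(entry["account"]):
        findings.append("format: account code")
    if entry["side"] not in ("D", "C"):
        findings.append("format: side must be D or C")
    amount = parse_amount(entry["amount"])
    if amount is None:
        findings.append("format: amount is not numeric")
    elif not (Decimal("0") < amount <= MAX_AMOUNT):
        findings.append("range: amount outside 0 < x <= limit")
    return findings


def check_batch(batch):
    """Run the entry checks, then cross-check the batch against its control record."""
    report = {"entries": {}, "batch": []}
    debits = credits = Decimal("0")
    for number, entry in enumerate(batch["entries"], start=1):
        findings = check_entry(entry)
        if findings:
            report["entries"][number] = findings
        amount = parse_amount(entry["amount"])
        if amount is not None:
            if entry["side"] == "D":
                debits += amount
            elif entry["side"] == "C":
                credits += amount
    control = batch["control"]
    if len(batch["entries"]) != control["count"]:
        report["batch"].append("cross-check: record count differs from control record")
    if debits != control["total_debits"]:
        report["batch"].append("cross-check: debit total differs from control total")
    if debits != credits:
        report["batch"].append("cross-check: debits do not equal credits")
    return report


if __name__ == "__main__":
    result = check_batch(SAMPLE_BATCH)
    for number, findings in result["entries"].items():
        print(f"entry {number}: {findings}")
    for finding in result["batch"]:
        print(finding)
```

The entry-level checks catch errors in a single record, while the cross checks catch what no single record can show, such as a record missing from the batch or totals that no longer balance.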

Hardware, Software and Data Back-up


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

Data back-up refers to plans made by the entity to obtain access to comparable hardware,
software and data in the event of their failure, loss or destruction.
✓ Identify important programs and data files to be copied and stored at a location away
from the PC.
✓ Back-up procedures must be performed on a regular basis.

The Effect of PC on Accounting System and Related Internal Control


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

✓ The extent to which the PC is being used to process accounting applications

✓ The type and significance of financial transactions being processed

✓ The nature of files and programs utilized in the application

➢ General CIS Controls – Segregation of Duties

➢ CIS Application Controls

✓ It may not be practicable or cost-effective for management to implement sufficient
controls to reduce the risks of undetected error to a minimum level.
✓ Computer-assisted audit techniques may include the use of client software (database,
electronic spreadsheet or utility software) which has been subjected to review by the
auditor’s own software programs.
✓ The auditor may decide to take a different approach.

Assessment Task
Activity I. Multiple Choice

Instructions: Read both the question and all four alternatives carefully before choosing your
answer. If in doubt, choose the one best answer. Your score is determined by the number of
correct answers: there is no deduction for incorrect answers. If you do not answer a question,
it will be marked as incorrect.

1. IT has several significant effects on an organization. Which of the following would not be
important from an auditing perspective?
a. Organizational changes.
b. The visibility of information.
c. The potential for material misstatement.
d. None of the above; i.e., they are all important.

2. The audit procedure which is least useful in gathering evidence on significant computer
processes is:
a. documentation.
b. observation.
c. test decks.

3. One significant risk related to an automated environment is that auditors may ________
information provided by an information system.
a. not place enough reliance on
b. place too much reliance on
c. reveal
d. not understand

4. One significant risk related to an automated environment is that auditors may ________
information provided by an information system.
a. not place enough reliance on
b. place too much reliance on
c. reveals
d. not understand

5. Which of the following is not a risk to IT systems?


a. Need for IT experienced staff
b. Separation of IT duties from accounting functions
c. Improved audit trail
d. Hardware and data vulnerability

6. Predesigned formats, such as those used for audit documentation, can be created and
saved using electronic spreadsheets and word processors. These are called:
a. desktop publishing.
b. templates.
c. macros.
d. work files.

7. Which of the following statements is correct?


a. Auditors should evaluate application controls before evaluating general controls.
b. Auditors should evaluate application controls and general controls simultaneously.
c. Auditors should evaluate general controls before evaluating application controls.
d. None of these statements is correct.

8. Auditors usually evaluate the effectiveness of:


a. hardware controls before general controls.
b. sales-cycle controls before application controls.
c. general controls before applications controls.
d. applications control before the control environment.

9. Auditors usually obtain information about general and application controls through:
a. interviews with IT personnel.
b. examination of systems documentation.
c. reading program change requests.
d. all of the above methods.

10. The auditor’s objective to determine whether the client’s computer programs can
correctly handle valid and invalid transactions as they arise is accomplished through the:
a. test data approach.
b. generalized audit software approach.
c. microcomputer-aided auditing approach.
d. generally accepted auditing standards.

11. The audit approach in which the auditor runs his or her own program on a controlled basis
to verify the client’s data recorded in a machine language is:
a. the test data approach.
b. called auditing around the computer.
c. the generalized audit software approach.
d. the microcomputer-aided auditing approach.

12. An auditor who is testing IT controls in a payroll system would most likely use test data
that contain conditions such as:
a. time tickets with invalid job numbers.
b. overtime not approved by supervisors.
c. deductions not authorized by employees.
d. payroll checks with unauthorized signatures.

13. The most important output control is:


a. distribution control, which assures that only authorized personnel receive the
reports generated by the system.
b. review of data for reasonableness by someone who knows what the output should
look like.
c. control totals, which are used to verify that the computer’s results are correct.
d. logic tests, which verify that no mistakes were made in processing.

14. An auditor who is testing IT controls in a payroll system would most likely use test data
that contain conditions such as:
a. time tickets with invalid job numbers.
b. overtime not approved by supervisors.
c. deductions not authorized by employees.
d. payroll checks with unauthorized signatures.

15. Application controls vary across the IT system. To gain an understanding of internal
control for a private company, the auditor must evaluate the application controls for
every:
a. every audit area.
b. every material audit area.
c. every audit area in which the client uses the computer.
d. every audit area where the auditor plans to reduce assessed control risk.

Activity II. Essay. Apply your creative thinking and discuss the following. Include the
sources of your answers, then submit your work as instructed by your instructor.

1. Discuss how the integration of IT into accounting systems enhances internal
control.
2. Identify the three categories of application controls, and give one example of each.
3. Discuss the advantages and benefits of using generalized audit software.

Summary
The computer you are using for your studies is called a personal computer or PC.
Although you have an internet connection for use in this course, your computer can probably
also be used as a stand-alone computer. Your PC may be a desktop computer or a notebook
computer (sometimes known as a laptop computer). Usually, a desktop computer comes with
separate devices such as a monitor, a keyboard, a mouse and speakers and it runs on mains
electricity. Notebook computers are designed to be small and light in order to make them
portable, so the screen and keyboard are part of the one unit. Notebook computers have
the same capabilities as a desktop computer, but can be run on an internal battery as well
as from an electrical socket.

Reference

Philippine Standard on Auditing and Philippine Auditing Practice Statements (3rd ed.).
(2005). Dom Dane Publishers and Made Easy Books.

MODULE 3
CIS ENVIRONMENT – ON-LINE COMPUTERS
SYSTEM PAPS 1002

Introduction
The existing PSA 700 (Revised), “The Independent Auditor’s Report on a Complete
Set of General-Purpose Financial Statements,” and PSA 700 (Redrafted), “Forming an
Opinion and Reporting on Financial Statements,” provide that the auditor shall evaluate
whether the financial statements (a) are prepared and presented in accordance with the
specific requirements of the applicable financial reporting framework and (b) adequately refer
to or describe the applicable financial reporting framework (Philippine Standard on Auditing
and Philippine Auditing Practice Statements, 2005).
The existing PSA 700 (Revised) and PSA 700 (Redrafted) further state that when
expressing an unmodified opinion on financial statements prepared in accordance with a fair
presentation framework, the auditor’s opinion shall, unless otherwise required by law or
regulation, use the phrase: “the financial statements present fairly in all material respects, …
in accordance with [the applicable financial reporting framework].” The auditor’s opinion
identifies the financial reporting framework on which the financial statements are based to
advise users of the auditor’s report of the context in which the opinion is expressed (Philippine
Standard on Auditing and Philippine Auditing Practice Statements, 2005).
The applicable financial reporting framework is defined in PSA 200 (Revised and
Redrafted), “Overall Objectives of the Independent Auditor and the Conduct of an Audit in
accordance with Philippine Standards on Auditing,” as the financial reporting framework
adopted by management in preparing and presenting the financial statements that is
acceptable in view of the nature of the entity and the objective of the financial statements, or
that is required by law or regulation (Philippine Standard on Auditing and Philippine Auditing
Practice Statements, 2005).
Philippine entities prepare and present their financial statements in accordance with
Philippine Financial Reporting Standards (PFRS) issued by the Financial Reporting Standards
Council, the accounting standard-setting body in the Philippines. Certain entities, however,
have been permitted to defer the application of PFRS in part or in full or to apply a specified
set of accounting standards.
The purpose of this revised Philippine Auditing Practice Statement (PAPS) 1002Ph is
to provide guidance on the application of the existing PSA 700 (Revised) and PSA 700
(Redrafted), specifically on the description of the applicable Philippine financial reporting
framework when this is other than PFRS (Philippine Standard on Auditing and Philippine
Auditing Practice Statements, 2005).

Learning Outcomes
At the end of this lesson, the student should be able to:
1. Demonstrate the different types of Network Environment.
2. Explain the types of on-line computing systems.
3. Understand the communication components.

Lesson 1. On-line Computer Systems


(Philippine Standard on Auditing and Philippine Auditing Practice
Statements, 2005)

On-line computer systems are computer systems that enable users to access data and programs
directly through workstations. On-line systems allow users to initiate various functions
directly. Such functions include:
• Entering transactions;
• Making inquiries;
• Requesting reports.

Types of workstations
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)
a. General Purpose Terminals
• Basic Keyboard and monitor – used for entering data without any validation within the
terminal and for displaying data from the computer system on the monitor.

• Intelligent Terminal – used for the functions of the basic keyboard and monitor with the
additional functions of validating data within the terminal, maintaining transaction logs
and performing other local processing.
• Personal Computers – used for all of the functions of an intelligent terminal with
additional local processing and storage capabilities.

b. Special Purpose Terminals


• Point of sale devices – used to record sales transactions as they occur and to transmit
them to the main computer.
• Automated teller machines – used to initiate, validate, record, transmit and complete
various banking transactions.

Types of On-line Computer Systems

• On-line/Real time processing
In an on-line/real time processing system, individual transactions are entered at
workstations, validated and used to update related computer files immediately.

• On-line/Batch Processing
In a system with on-line input and batch processing, individual transactions are
entered at a workstation, subjected to certain validation checks and added to a
transaction file that contains other transactions entered during the period.

• On-line/Memo Update (and Subsequent Processing)
On-line input with memo update processing, also known as shadow update,
combines on-line/real time processing and on-line/batch processing. Individual
transactions immediately update a memo file containing information which has been
extracted from the most recent version of the master file.

• On-line/Inquiry
On-line inquiry restricts users at workstations to making inquiries of master files. In
such systems, the master files are updated by other systems, usually on a batch basis.

• On-line Downloading/Uploading Processing
On-line downloading refers to the transfer of data from a master file to a workstation
for further processing by the user.
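
The real time, batch and memo update modes above differ in when the master file changes, which determines where the authoritative record is at any moment. The following Python sketch is an added illustration, not part of PAPS 1002 or of this module; the account numbers, amounts, class names, the inquire() behaviour and the reconcile() step are assumptions made for the example.

```python
"""Added illustration of three on-line processing modes (constructed data)."""
from copy import deepcopy

# Constructed master file: account number -> balance in centavos.
MASTER = {"1001": 50_000, "1002": 12_000}


def validate(txn, accounts):
    """Workstation validation check: known account and a non-zero amount."""
    return txn["account"] in accounts and txn["amount"] != 0


class RealTime:
    """On-line/real time: a valid transaction updates the master file immediately."""

    def __init__(self, master):
        self.master = deepcopy(master)

    def enter(self, txn):
        if not validate(txn, self.master):
            return False
        self.master[txn["account"]] += txn["amount"]
        return True


class OnlineBatch:
    """On-line/batch: valid transactions wait in a transaction file until the batch run."""

    def __init__(self, master):
        self.master = deepcopy(master)
        self.transaction_file = []

    def enter(self, txn):
        if not validate(txn, self.master):
            return False
        self.transaction_file.append(dict(txn))
        return True

    def run_batch(self):
        """Post the period's transaction file to the master file; return the count posted."""
        posted = len(self.transaction_file)
        for txn in self.transaction_file:
            self.master[txn["account"]] += txn["amount"]
        self.transaction_file = []
        return posted


class MemoUpdate(OnlineBatch):
    """On-line/memo (shadow) update: the memo file changes at once, the master at batch time."""

    def __init__(self, master):
        super().__init__(master)
        self.memo = deepcopy(self.master)  # extracted from the latest master file

    def enter(self, txn):
        if not super().enter(txn):
            return False
        self.memo[txn["account"]] += txn["amount"]
        return True

    def inquire(self, account):
        """Inquiries are answered from the memo file (assumption of this sketch)."""
        return self.memo[account]

    def reconcile(self):
        """Assumed control: after the batch run, memo and master must agree."""
        return {a: (self.master[a], self.memo[a])
                for a in self.master if self.master[a] != self.memo[a]}


def demo():
    """Enter the same constructed transactions in each mode and report the file states."""
    txns = [
        {"account": "1001", "amount": -20_000},
        {"account": "9999", "amount": 5_000},   # fails validation: unknown account
        {"account": "1002", "amount": 7_500},
    ]
    rt, ob, mu = RealTime(MASTER), OnlineBatch(MASTER), MemoUpdate(MASTER)
    accepted = [(rt.enter(t), ob.enter(t), mu.enter(t)) for t in txns]
    before = {"realtime": dict(rt.master), "batch": dict(ob.master),
              "memo_master": dict(mu.master), "memo_file": dict(mu.memo),
              "unreconciled": mu.reconcile()}
    ob.run_batch()
    mu.run_batch()
    after = {"batch": dict(ob.master), "memo_master": dict(mu.master),
             "unreconciled": mu.reconcile()}
    return accepted, before, after


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Between entry and the batch run the memo file and the master file legitimately differ; a difference that remains after the batch run is an exception to investigate.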

Lesson 2. Network Environment


A network is a communication system that enables computer users to share computer
equipment, application software, data and voice and video transmissions.
The file server is a host machine. Hosts are computers that have an operating system
designed to allow several users to access them at the same time (Philippine Standard on
Auditing and Philippine Auditing Practice Statements, 2005).

Three Basic Types of Networks


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).

• Local Area Network (LAN) - A LAN typically covers a single geographical location, but could
include many users from various floors and/or departments within an organization.

Figure 3.1 Local Area Network


(Techterms.com, 2021)

• Wide Area Network (WAN) was created to connect two or more geographically
separated LANs. A WAN typically involves one or more long-distance providers,
such as a telephone company to provide the connections.

Figure 3.2 Wide Area Network
(Stunnetwork, 2014)

• Metropolitan Area Network (MAN) is a type of network in which multiple buildings are close
enough to create a campus, but the space between the buildings is not under the
control of the company.

Figure 3.3 Metropolitan Area Network (MAN)


(icograms.com, 2020)

Communication Components
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
Computer network components comprise both the physical parts and the software
required for installing computer networks, both at organizations and at home. The hardware
components are the server, client, peer, transmission medium, and connecting devices. The
software components are the operating system and protocols.
The following figure shows a network along with its components −

Figure 3.4 Computer Network Components


(Arushi, 2020)

Hardware Components
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).

• Servers − Servers are high-configuration computers that manage the resources of the
network. The network operating system is typically installed in the server and so they
give users access to the network resources. Servers can be of various kinds: file
servers, database servers, print servers etc.
• Clients − Clients are computers that request and receive service from the servers to
access and use the network resources.
• Peers − Peers are computers that provide as well as receive services from other
peers in a workgroup network.
• Transmission Media − Transmission media are the channels through which data is
transferred from one device to another in a network. Transmission media may be
guided media like coaxial cable, fibre optic cables etc., or may be unguided media like
microwaves, infra-red waves etc.
• Connecting Devices − Connecting devices act as middleware between networks or
computers, by binding the network media together. Some of the common connecting
devices are:
a. Routers
b. Bridges
c. Hubs
d. Repeaters
e. Gateways
f. Switches

Software Components
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
• Network Operating System − The network operating system is typically installed in
the server and enables workstations in a network to share files, databases,
applications, printers etc.
• Protocol Suite − A protocol is a rule or guideline followed by each computer for data
communication. A protocol suite is a set of related protocols that are laid down for
computer networks. The two popular protocol suites are −
a. OSI Model (Open System Interconnections)
b. TCP/IP Model

Characteristics of On-line Computer Systems
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
• When data are entered on-line they are usually subject to immediate validation checks.
• Users may have on-line access to the system that enables them to perform various
functions.
• An on-line computer system may be designed in a way that does not provide
supporting documents for all transactions entered into the system.
• Programmers may have on-line access to the system that enables them to develop
new programs and modify existing programs.

Lesson 3. Internal Control in an On-line Computer System

General computer information systems (CIS) controls:


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

• Access controls

Procedures are designed to prevent or detect:

a. Unauthorized access to on-line workstations, programs and data;

b. Entry of unauthorized transactions;

c. Unauthorized changes to data files;

d. Use of operational computer programs by unauthorized personnel; and

e. Use of computer programs that have not been authorized.

• Controls over users and passwords

• System development and maintenance controls

• Programming controls

• Transaction logs

• Use of anti-virus software program

CIS application controls
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)
• Pre-processing authorization

• Edit, reasonableness and other validation tests

• Cut-off procedures

• File controls

• Master file controls

• Balancing

• Rejected data

Effect of On-line Computer Systems on the Accounting System and Related Internal
Controls
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

• The extent to which the on-line system is being used to process accounting
applications;
• The type and significance of financial transactions being processed; and

• The nature of files and programs utilized in the applications.

Risk of fraud or error in on-line systems may be reduced in the following circumstances
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

• If on-line data entry is performed at or near the point where transactions originate

• If invalid transactions are corrected and re-entered immediately

• If data entry is performed on-line by individuals who understand the nature of the
transactions involved
• If transactions are processed immediately on-line

Risk of fraud or error in on-line computer systems may be increased for the following reasons
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

• If workstations are located throughout the entity

• Workstations may provide the opportunity for unauthorized uses such as:

a. Modification of previously entered transactions or balances;

b. Modification of computer programs; and

c. Access to data and programs from remote locations.

• If on-line processing is interrupted for any reason

• On-line access to data and programs through telecommunications may provide
greater opportunity for access to data and programs by unauthorized persons.

Characteristics may have the following consequences
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).

• There may not be source documents for every input transaction.

• Results of processing may be highly summarized

• The on-line computer system may not be designed to provide printed reports.

Effect of On-line Computer Systems on Audit Procedures
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).

• Authorization, completeness and accuracy of on-line transactions.

• Integrity of records and processing, due to on-line access to the system by many users
and programmers.

Changes in the performance of audit procedures, including the use of CAATs, due to matters such
as
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).

• The need for auditors with technical skills in on-line computer systems;

• The effect of the on-line computer system on the timing of audit procedures;

• The lack of visible transaction trails;

• Procedures carried out during the audit planning stage.

Procedures carried out during the planning stage may include
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

• The participation on the audit team of individuals with technical proficiency in on-line
computer systems and related controls.
• Preliminary determination during the risk assessment process of the impact of the
system on the audit procedures.

Procedures performed after processing has taken place may include
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005):

• Compliance testing of controls over transactions logged by the on-line system for
authorization, completeness and accuracy.
• Substantive tests of transactions and processing results rather than tests of controls,
where the former may be more cost effective or where the system is not well-designed
or controlled.
• Re-processing transactions as either a compliance or substantive procedure.
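
The compliance test over logged transactions and the re-processing test listed above can be run as a computer-assisted audit technique. The Python sketch below is an added example, not taken from PAPS 1002 or from this module; the log layout, user names, authorization table, approval limit and balances are constructed assumptions.

```python
"""Added CAAT-style sketch: tests over an on-line transaction log (constructed data)."""
from collections import Counter

# Assumed authorization table: transaction types each user may enter.
AUTHORIZED = {
    "clerk01": {"DEPOSIT", "WITHDRAWAL"},
    "clerk02": {"DEPOSIT"},
    "super01": {"DEPOSIT", "WITHDRAWAL", "ADJUSTMENT"},
}
APPROVAL_LIMIT = 100_000  # assumed: larger amounts (in centavos) need a second person

# Constructed log, one record per transaction as the on-line system wrote it.
LOG = [
    {"seq": 1, "user": "clerk01", "type": "DEPOSIT", "account": "1001",
     "amount": 50_000, "approver": None},
    {"seq": 2, "user": "clerk02", "type": "WITHDRAWAL", "account": "1002",
     "amount": -20_000, "approver": None},
    {"seq": 3, "user": "clerk01", "type": "WITHDRAWAL", "account": "1001",
     "amount": -150_000, "approver": "clerk01"},
    {"seq": 5, "user": "super01", "type": "ADJUSTMENT", "account": "1002",
     "amount": 10_000, "approver": None},
    {"seq": 5, "user": "super01", "type": "ADJUSTMENT", "account": "1002",
     "amount": 10_000, "approver": None},
]
OPENING = {"1001": 300_000, "1002": 80_000}           # constructed opening balances
REPORTED_CLOSING = {"1001": 200_000, "1002": 80_000}  # constructed system output


def check_completeness(log):
    """Completeness: sequence numbers must be continuous and unique."""
    seqs = [t["seq"] for t in log]
    if not seqs:
        return {"missing": [], "duplicates": []}
    counts = Counter(seqs)
    return {
        "missing": sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs)),
        "duplicates": sorted(s for s, n in counts.items() if n > 1),
    }


def check_authorization(log, authorized, limit):
    """Authorization: right user for the type, independent approval over the limit."""
    exceptions = []
    for t in log:
        if t["type"] not in authorized.get(t["user"], set()):
            exceptions.append((t["seq"], "user not authorized for transaction type"))
        if abs(t["amount"]) > limit:
            if t["approver"] is None:
                exceptions.append((t["seq"], "over limit without approval"))
            elif t["approver"] == t["user"]:
                exceptions.append((t["seq"], "approved by the person who entered it"))
    return exceptions


def reprocess(log, opening, reported_closing):
    """Accuracy: re-apply each logged transaction once and compare with system output."""
    balances = dict(opening)
    seen = set()
    for t in sorted(log, key=lambda rec: rec["seq"]):
        if t["seq"] in seen:  # a duplicated record is applied only once
            continue
        seen.add(t["seq"])
        balances[t["account"]] = balances.get(t["account"], 0) + t["amount"]
    accounts = sorted(set(balances) | set(reported_closing))
    # Value is (reported by the system, recomputed by the auditor).
    return {a: (reported_closing.get(a), balances.get(a))
            for a in accounts if reported_closing.get(a) != balances.get(a)}


def audit_log(log=LOG):
    """Run all three tests and return the exceptions for follow-up."""
    return {
        "completeness": check_completeness(log),
        "authorization": check_authorization(log, AUTHORIZED, APPROVAL_LIMIT),
        "accuracy": reprocess(log, OPENING, REPORTED_CLOSING),
    }


if __name__ == "__main__":
    for test, result in audit_log().items():
        print(test, result)
```

In this constructed data the 10,000 difference on account 1002 equals the duplicated record 5, which points to a transaction posted twice.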

Assessment Task
Activity I.
Identification: Identify the term described in each statement.
1. Used for the functions of the basic keyboard and monitor with the additional functions
of validating data within the terminal, maintaining transaction logs and performing
other local processing.
2. Used to record sales transactions as they occur and to transmit them to the main computer.
3. Used to initiate, validate, record, transmit and complete various banking transactions.

4. Also known as shadow update.

5. It is typically a single geographical location, but could include many users from
various floors and/or departments within an organization.
6. It is a type of network in which multiple buildings are close enough to create a campus, but
the space between the buildings is not under the control of the company.
7. It is used for entering data without any validation within the terminal and for displaying
data from the computer system on the monitor.
8. It is used for all of the functions of an intelligent terminal with additional local
processing and storage capabilities.
9. It is used to record sales transactions as they occur and to transmit them to the main
computer.
10. This restricts users at workstations to making inquiries of master files. In such
systems, the master files are updated by other systems, usually on a batch basis.

Activity II.
Essay. Apply your creative thinking and discuss the following. Cite the sources
of your answers, then submit your work as instructed by your instructor.
1. Explain the importance of choosing a switch compared to a hub.
2. Search for 3 examples of companies that use a LAN, WAN or MAN network.

Summary

A network is a system, or collection of systems, that facilitates the exchange of resources
from one point to another. This is a fancy way of saying that a network is the sum of the parts
connecting two or more points. Examples of networks include the subway, the highway system,
the telephone system, and the Internet.

A network is made up of physical and logical components. The physical components are the
cables and network hardware devices, such as switches. The logical components of a network are
the frames and data carried by and across the network.

Networks have two points; the source and destination, also known as the origination and
termination points (respectively).

There are three modes of transmission between origination and termination points:
simplex (one-way) mode, half-duplex mode (two-way, but not at the same time), and full-duplex
mode (two-way, at the same time).

There are three major types of networks. The distinguishing characteristic of each network type
is the geographic range covered by the network:

• LANs cover a small geographic range; the area within an office building, for instance.
• MANs cover a broader geographic range than LANs; the area of a city, for instance.
• WANs cover a broad geographic range; an expanse across several states or countries,
for instance.
The design, engineering, and implementation of a network are based on the application of
network models and standards. A network model is a guiding principle in network
communications, whereas a network standard is a network communications law. A vendor's
special use of a standard is called a proprietary feature or proprietary implementation. Another
example of proprietary feature is a product a vendor implements that is not based on a standard
at all.

References

Technology, A. (2021). What’s the Difference Between A Local Area Network (LAN),
Metropolitan Area Network (MAN), & Wide Area Network (WAN)?
https://www.apposite-tech.com/blog/whats-difference-metropolitan-area-network-man-wide-area-network-wan/

ICOGRAM. (2020). Network Diagram. https://icograms.com/usage-network-diagram.php

Arushi. (2018). Computer Network Components. Tutorialspoint.Com.
https://www.tutorialspoint.com/Computer-Network-Components#:~:text=Computer networks components comprise both,are operating system and protocols

Philippine Standard on Auditing and Philippine Auditing Practice Statements (3rd ed.). (2005).
Dom Dane Publishers and Made Easy B

MODULE 4
CIS ENVIRONMENT – RISK ASSESSMENTS AND
INTERNAL CONTROL – CIS CHARACTERISTICS
AND CONSIDERATIONS
PAPS 1008

Introduction

A computer information system environment is defined in International Standard on
Auditing (ISA) 401, “Auditing in a Computer Information Systems Environment,” as follows:
“For purposes of International Standards on Auditing, a CIS environment exists when
a computer of any type or size is involved in the processing by the entity of financial
information of significance to the audit, whether that computer is operated by the entity or by
a third party.” (Philippine Standard on Auditing and Philippine Auditing Practice Statements,
2005).
The introduction of all desired CIS controls may not be practicable when the size of
the business is small or when microcomputers are used irrespective of the size of the
business. Also, where data is processed by the third party, the consideration of the CIS
environment characteristics may vary depending on the degree of access to third party
processing. A series of International Auditing Practice Statements has been developed to
supplement the following paragraphs. This series describes various CIS environments and
their effect on the accounting and internal control system and on auditing procedures
(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).

Learning Outcomes

At the end of this lesson, the student should be able to:

1. Identify the Internal Controls in a CIS Environment

2. Enumerate the design and Procedural Aspects in risk assessment and Internal
Controls.
3. Explain the purpose of CIS Application Tools.

Lesson 1. Organizational Structure


(Philippine Standard on Auditing and Philippine Auditing Practice
Statements, 2005)

Characteristics of Organizational Structure


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).

In a CIS environment, an entity will establish an organizational structure and procedures to
manage the CIS activities. Characteristics of a CIS organizational structure include:

• Concentration of functions and knowledge – although most systems employing CIS
methods will include certain manual operations, generally the number of persons
involved in the processing of financial information is significantly reduced.

• Concentration of programs and data – transaction and master file data are often
concentrated, usually in machine-readable form, either in one computer installation
located centrally or in a number of installations distributed throughout an entity.
Computer programs which provide the ability to obtain access to and alter such data
are likely to be stored at the same location as the data.

Lesson 2. Nature of Processing


(Philippine Standard on Auditing and Philippine Auditing Practice
Statements, 2005)

The use of computers may result in the design of systems that provide less visible evidence
than those using manual procedures. In addition, these systems may be accessible by a larger
number of persons. System characteristics that may result from the nature of CIS processing
include (Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005):
• Absence of input documents – data may be entered directly into the computer
system without supporting documents.
• Lack of visible transaction trail – certain data may be maintained on computer files
only.
• Lack of visible output – certain transactions or results of processing may not be
printed.
• Ease of access to data and computer programs – data and computer programs may be
accessed and altered at the computer through the use of computer equipment at
remote locations.

Design and Procedural Aspects


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

The development of CIS will generally result in design and procedural characteristics that are
different from those found in manual systems. These different design and procedural
aspects of CIS include:

• Consistency of performance – CIS perform functions exactly as programmed and are
potentially more reliable than manual systems, provided that all transaction types and
conditions that could occur are anticipated and incorporated into the system.

• Programmed control procedures – the nature of computer processing allows the
design of internal control procedures in computer programs. These procedures can be
designed to provide controls with limited visibility.

• Single transaction update of multiple or data base computer files – a single input to the
accounting system may automatically update all records associated with the
transaction.

• Systems generated transactions – certain transactions may be initiated by the CIS
itself without the need for an input document.

• Vulnerability of data and program storage media – large volumes of data and the
computer programs used to process such data may be stored on portable or fixed
storage media, such as magnetic disks and tapes.

Internal Control in a CIS Environment


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

The internal controls over computer processing, which help to achieve the overall
objectives of internal control, include both manual procedures and procedures designed into
computer programs. Such manual and computer control procedures comprise the overall
controls affecting the CIS environment (general CIS controls) and the specific controls over the
accounting applications (CIS application controls).

General CIS Controls


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).
The purpose of general CIS controls is to establish a framework of overall control over
the CIS activities and to provide a reasonable level of assurance that the overall objectives of
internal control are achieved. General controls may include:

a. Organization and management controls – designed to establish an organizational
framework over CIS activities including:
• Policies and procedures relating to control functions; and
• Appropriate segregation of incompatible

b. Application systems development and maintenance controls – designed to provide
reasonable assurance that systems are developed and maintained in an authorized and
efficient manner.
• Testing, conversion, implementation and documentation of new or revised
systems;
• Changes to application systems;
• Access to systems documentation; and

• Acquisition of application systems from third parties.

c. Computer operation controls – designed to control the operation of the systems and to
provide reasonable assurance that:
• The systems are used for authorized purposes only;
• Access to computer operations is restricted to authorized personnel;

• Only authorized programs are used; and

• Processing errors are detected and corrected.

d. Systems software controls – designed to provide reasonable assurance that system
software is acquired or developed in an authorized and efficient manner
• Authorization, approval, testing, implementation and documentation of new
systems software and systems software modifications; and
• Restriction of access to systems software and documentation to authorized
personnel.

e. Data entry and program controls – designed to provide reasonable assurance that:

• An authorization structure is established over transactions being entered into
the system; and
• Access to data and programs is restricted to authorized personnel.

CIS Application Controls


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005)

Controls over input – designed to provide reasonable assurance that:


• Transactions are properly authorized before being processed by the computer;
• Transactions are accurately converted into machine readable form and recorded in
the computer data files;
• Transactions are not lost, added, duplicated or improperly changed; and
• Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a
timely basis.

Controls over processing and computer data files – designed to provide reasonable assurance
that:

• Transactions, including systems generated transactions, are properly processed by
the computer;
• Transactions are not lost, added, duplicated or improperly changed; and
• Processing errors are identified and corrected on a timely basis.

Controls over output – designed to provide reasonable assurance that:


• Results of processing are accurate;
• Access to output is restricted to authorized personnel; and
• Output is provided to appropriate authorized personnel on a timely basis.
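
The controls over input listed above, together with the edit, cut-off, balancing and rejected-data controls named under CIS application controls in Module 3, can be programmed into the data-entry application. The Python sketch below is an added example, not the standard's or this module's own code; the field names, limits, cut-off date and batch contents are constructed assumptions.

```python
"""Added sketch: programmed input controls with batch balancing (constructed data)."""
from datetime import date

MASTER_ACCOUNTS = {"1001", "1002", "1003"}  # constructed master file keys
PERIOD_END = date(2024, 3, 31)              # constructed cut-off date
MAX_AMOUNT = 500_000                        # assumed reasonableness limit (centavos)


def edit_checks(txn, accepted_refs):
    """Return every reason a transaction fails the input controls (empty = accept)."""
    reasons = []
    if not txn.get("authorized_by"):
        reasons.append("no pre-processing authorization")
    if txn["account"] not in MASTER_ACCOUNTS:
        reasons.append("account not on master file")
    if not 0 < txn["amount"] <= MAX_AMOUNT:
        reasons.append("amount fails reasonableness test")
    if txn["date"] > PERIOD_END:
        reasons.append("dated after cut-off")
    if txn["ref"] in accepted_refs:
        reasons.append("duplicate reference")
    return reasons


def control_totals(txns):
    """Record count, amount total and hash total of the account numbers."""
    return {
        "count": len(txns),
        "amount": sum(t["amount"] for t in txns),
        "hash": sum(int(t["account"]) for t in txns),
    }


def process_batch(header, txns, prior_refs=()):
    """Balance the batch against its header, then accept or suspend each transaction."""
    received = control_totals(txns)
    # Any mismatch means records were lost, added or changed before entry.
    out_of_balance = {k: (header[k], received[k])
                      for k in header if header[k] != received[k]}
    accepted, suspense = [], []
    accepted_refs = set(prior_refs)
    for txn in txns:
        reasons = edit_checks(txn, accepted_refs)
        if reasons:
            suspense.append({"txn": txn, "reasons": reasons})  # held for correction
        else:
            accepted.append(txn)
            accepted_refs.add(txn["ref"])
    return {"accepted": accepted, "suspense": suspense,
            "out_of_balance": out_of_balance,
            "accepted_totals": control_totals(accepted)}


# Constructed batch: the header was prepared from four source documents,
# but five records arrive at the workstation (R1 was keyed twice).
HEADER = {"count": 4, "amount": 1_060_000, "hash": 13_005}
BATCH = [
    {"ref": "R1", "account": "1001", "amount": 100_000,
     "date": date(2024, 3, 30), "authorized_by": "sup1"},
    {"ref": "R2", "account": "1002", "amount": 50_000,
     "date": date(2024, 3, 31), "authorized_by": None},
    {"ref": "R3", "account": "9999", "amount": 10_000,
     "date": date(2024, 3, 29), "authorized_by": "sup1"},
    {"ref": "R1", "account": "1001", "amount": 100_000,
     "date": date(2024, 3, 30), "authorized_by": "sup1"},
    {"ref": "R4", "account": "1003", "amount": 900_000,
     "date": date(2024, 4, 2), "authorized_by": "sup1"},
]

if __name__ == "__main__":
    result = process_batch(HEADER, BATCH)
    print("out of balance:", result["out_of_balance"])
    for item in result["suspense"]:
        print(item["txn"]["ref"], item["reasons"])
```

A suspended transaction that has been corrected is resubmitted in a later batch, passing the references already accepted as prior_refs so that it cannot be posted twice.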

Review of General CIS Controls


(Philippine Standard on Auditing and Philippine Auditing Practice Statements, 2005).

The auditor should consider how these general CIS controls affect the CIS applications
significant to the audit. General CIS controls that relate to some or all applications are typically
interdependent controls in that their operation is often essential to the effectiveness of CIS
application controls. Accordingly, it may be more efficient to review the design of the general
controls before reviewing the application controls.

Control over input, processing, data files and output may be carried out by CIS
personnel, by users of the system, by a separate control group, or may be programmed into
application software. CIS application controls which the auditor may wish to test include:

• Manual controls exercised by the user - if manual controls exercised by the user of the
application system are capable of providing reasonable assurance that the system’s
output is complete, accurate and authorized, the auditor may decide to limit tests of
control to these manual controls.

• Controls over system output – if, in addition to manual controls exercised by the user,
the controls to be tested use information produced by the computer or are contained
within computer programs, it may be possible to test such controls by examining the
system’s output using either manual or computer-assisted audit techniques.

• Programmed control procedures – in the case of certain computer systems, the auditor
may find that it is not possible or, in some cases, not practical to test controls by
examining only user controls or the system’s output.

Assessment Task

Activity I.
DIRECTION: Identify the corresponding answer for each statement.

1. Transaction and master file data are often concentrated
2. Data may be entered directly into the computer system without supporting
documents.
3. Certain data may be maintained on computer files only.
4. Certain transactions or results of processing may not be printed.
5. CIS performs functions exactly as programmed and is potentially more reliable than
manual systems
6. This may automatically update all records associated with the transaction.
7. Certain transactions may be initiated by the CIS itself without the need for an input
document.
8. Large volumes of data and the computer programs used to process such data may
be stored on portable or fixed storage media
9. Transactions are properly authorized before being processed by the computer.
10. Results of processing are accurate;

Summary
The general CIS controls may have a pervasive effect on the processing of transactions
in application systems. If these controls are not effective, there may be a risk that
misstatements might occur and go undetected in the application systems. Thus, weaknesses
in general CIS controls may preclude testing certain CIS application controls; however,
manual procedures exercised by users may provide effective control at the application level.

References
Philippine Standard on Auditing and Philippine Auditing Practice Statements (3rd ed.).
(2005). Dom Dane Publishers and Made Easy Books.

- END OF MODULE FOR PRELIM PERIOD –


END OF THE PRELIM MODULE CHECK YOUR EXAM SCHEDULE
DO NOT FORGET TO TAKE THE EXAM AS SCHEDULED
