shiraz-ahmad
AUDITING IN COMPUTERISED INFORMATION SYSTEM (CIS) ENVIRONMENT
Page 2
Upon completion of this chapter, students should be able to:
6.1 Understand the basic approach to computerized information systems (CIS)
6.1.1 Describe the changing information technology and its implications for auditing.
6.1.2 Determine the level of complexity in computerized information system environments.
6.1.3 Identify the general and application controls in CIS.
6.1.4 Prepare an audit strategy plan for the CIS approach.
6.2 Understand the concepts of Computer Assisted Audit Techniques (CAAT)
6.2.1 Define the concepts of CAAT.
6.2.2 Calculate the internal control system in CAAT.
Page 3
CLO 1: Justify properly the techniques employed in the various stages of the audit process and evaluate findings.
Page 4
IMPACT OF AN IT ENVIRONMENT ON AN AUDIT
• When an auditor is auditing in an information technology (IT) environment, the auditor should consider how the IT environment affects the audit.
• The overall objective and scope of an audit do not change in an IT environment.
• However, the use of IT changes the processing, storage and communication of financial information, and may affect the accounting and internal control systems employed by the company.
Page 5
The auditor should, therefore, consider the following impact on the audit:
1) The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems.
2) The consideration of inherent risk and control risk in arriving at the overall risk assessment.
3) The designing and performance of tests of controls and substantive procedures appropriate to meet the audit objectives.
Page 6
SKILLS AND COMPETENCE
The auditor should have sufficient knowledge of IT to plan, direct, supervise and review the work performed. The auditor should also consider whether specialized skills in IT are needed in an audit to:
1) Obtain a sufficient understanding of the accounting and internal control systems affected by the IT environment.
2) Determine the effect of the IT environment on the assessment of overall risk and of risk at the account balance and class of transactions level.
3) Design and perform appropriate tests of controls and substantive procedures in order to obtain sufficient appropriate audit evidence.
Page 7
TYPES OF CONTROLS IN AN IT ENVIRONMENT
There are TWO broad categories of information systems control procedures:
1) General Controls – relate to the overall information processing environment and have a pervasive effect on the entity’s information systems and operations. General controls are sometimes referred to as supervisory, management, or information technology controls.
2) Application Controls – apply to the processing of specific or individual applications (for example, revenues or purchasing). Application controls help ensure that the transactions that occurred are authorised, and are completely and accurately recorded and processed.
Page 8
The overall objective of general and application controls is to ensure that the IT systems maintain the integrity of information and security of data.
Page 9
GENERAL CONTROLS
General controls include controls over the following:
• Organization
• Control over systems development and maintenance
• Operational control
• Hardware and software controls
The objective of general control is to provide a control environment, which means an environment that ensures the accuracy and reliability of accounting data and records.
Page 10
ORGANIZATION
• This means, first, the separation of the IT department from the accounting department and other user departments.
• This also means the IT manager is responsible only to the top management of the company, who have no authority over computer processing.
• Second, there must be proper segregation of duties within the IT department itself.
Page 11
ORGANIZATION
• The duties of the different personnel within the IT department are as follows:
POSITION | FUNCTIONS
IT MANAGER | Manages the IT department. Everyone in the IT department reports to him.
SYSTEM ANALYST | Monitors existing systems; designs new systems; provides systems and test specifications and data for programmers.
PROGRAMMER | Develops and documents test programs and prepares flowcharts.
Page 12
ORGANIZATION
POSITION | FUNCTIONS
COMPUTER OPERATOR | Operates the computer hardware using computer programs.
DATA CONTROL GROUP | Serves as the point of communication with the user departments; monitors input, processing and output, and reviews all errors.
LIBRARIAN | Custody and physical control over computer programs, data files and all documentation. The librarian also needs to ensure: 1) the correct files are provided for specific applications; 2) files are properly maintained; 3) backup and recovery procedures exist.
Page 13
CONTROL OVER THE SYSTEMS DEVELOPMENT AND MAINTENANCE
The second aspect of general control relates to the control over the planning, reviewing, testing and approval of any new program and any system.
Page 14
OPERATIONS CONTROL
This means control over access to computer operations and systems. This includes control over detection of errors and also control to ensure that no unauthorized data is put into the system. Operations control also includes controls to ensure that only proper programs are used.
Page 15
HARDWARE AND SOFTWARE CONTROL
In general terms hardware control means the controls that are built into the computer by the manufacturer. Such controls are aimed at detecting errors caused by computer malfunction.
The aim of software control is to provide for the detection of errors in the program and to protect the systems and the files from unauthorized use. The control is also aimed at the systematic backup and recovery of data to prevent manipulation and accidental loss.
Page 16
Examples of general controls.
1) Administrative controls: Controls over data centre and network operations and access security; i.e. procedure manuals, job scheduling, training and supervision, prevention of unauthorized amendments to data files, backup and physical protection of files, and access controls such as passwords.
2) System development controls: System software acquisition, development and maintenance; controls over application development; use of test data to identify program code errors; a good system over program writing; segregation of duties so that operators are not involved in program development; controls over program changes; controls over installation and maintenance of system software.
Page 17
APPLICATION CONTROLS
Application controls consist of:
1) Input controls
2) Processing controls
3) Output controls
The objective of application controls is to ensure the completeness and accuracy of accounting records and the validity of entries made, resulting from both manual and programmed processing.
Page 18
INPUT CONTROLS
The control at the input level is important and must be checked before the transactions are processed.
Input control means, first, that the transactions sent to the IT department for processing are:
a) Authorized
b) Accurate
c) Complete
d) Timely and
e) Presented only once
Second, any errors detected at the input level must be corrected and resubmitted for processing.
Page 19
This aspect of application control should ensure that the transactions are in order before they can be accepted for processing.
Page 20
PROCESSING CONTROLS
The system should provide for accurate and timely processing of the input data.
Computers are now programmed to perform the checking, which includes the completeness tests, logic tests and control totals. As such, the control at this level should basically incorporate the proper maintenance of the computers. Any defects or errors found must be duly corrected.
Page 21
OUTPUT CONTROLS
In addition to the input and processing controls, it is necessary to have control at the output level to ensure that the output data are valid.
Outputs include reports, cheques, documents and other printed or displayed (on terminal screen) information.
A number of controls should be present to minimise the unauthorised use of output.
A report distribution log should contain a schedule of when reports are prepared, the names of individuals who are to receive the report, and the date of distribution.
Page 22
One way to ensure validity is by the reconciliation of the output total with the control total at the input phase.
Another way is through review by a person who knows what kind of output is expected from the input.
Page 23
Examples of application controls:
• Existence check, e.g. that a supplier exists
• Character check, e.g. that there are no alphabetical characters in a sales invoice number field
• Range check, e.g. no employee’s weekly wage is more than $2,000
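The input checks listed above, together with the "presented only once" test and the control-total reconciliation from the earlier slides, can be programmed as in the following added example, which is not part of the original slides. It assumes a payroll batch, so the existence check runs against an employee master file rather than a supplier file; the record layout, the sample data and the function names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

EMPLOYEES = {"E100", "E101", "E102"}  # constructed employee master file
WAGE_LIMIT = Decimal("2000")          # weekly-wage ceiling from the range-check example

# Constructed batch; the user department's control total for it is 7600.00.
BATCH = [
    {"ref_no": "1001", "employee_id": "E100", "wage": "1500.00"},
    {"ref_no": "1002", "employee_id": "E999", "wage": "900.00"},   # unknown employee
    {"ref_no": "10A3", "employee_id": "E101", "wage": "1200.00"},  # letter in numeric field
    {"ref_no": "1004", "employee_id": "E102", "wage": "2500.00"},  # over the limit
    {"ref_no": "1001", "employee_id": "E100", "wage": "1500.00"},  # presented twice
]

def parse_wage(text):
    """Return a finite Decimal, or None if the field is not a valid amount."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None

def validate_batch(records, control_total):
    """Apply the input controls; return (accepted, rejected, reconciled)."""
    accepted, rejected, seen_refs = [], [], set()
    batch_total = Decimal("0")
    for rec in records:
        errors = []
        if rec["employee_id"] not in EMPLOYEES:
            errors.append("existence")
        # isascii() stops Unicode digits such as superscripts passing isdigit()
        if not (rec["ref_no"].isascii() and rec["ref_no"].isdigit()):
            errors.append("character")
        wage = parse_wage(rec["wage"])
        if wage is None or not (Decimal("0") < wage <= WAGE_LIMIT):
            errors.append("range")
        if rec["ref_no"] in seen_refs:
            errors.append("duplicate")
        seen_refs.add(rec["ref_no"])
        batch_total += wage or Decimal("0")
        if errors:
            rejected.append((rec["ref_no"], errors))  # goes to the error report
        else:
            accepted.append(rec["ref_no"])
    # Accepted plus rejected amounts must agree with the independent control total.
    reconciled = batch_total == Decimal(control_total)
    return accepted, rejected, reconciled
```

Rejected records are returned with their reasons so they can be corrected and resubmitted, and a failed reconciliation indicates that a record was lost, added or altered between the user department and processing.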
Thank You