AUDITING IN COMPUTERISED INFORMATION SYSTEM (CIS) ENVIRONMENT

Polytechnic audit notes

Upon completion of this chapter, students should be able to:

6.1 Understand the basic approach to computerised information systems (CIS)

6.1.1 Describe changing information technology and its implications for auditing.

6.1.2 Determine the level of complexity in computerised information system environments.

6.1.3 Identify the general and application controls in CIS.

6.1.4 Prepare an audit strategy plan in a CIS approach.

6.2 Understand the concepts of Computer Assisted Audit Techniques (CAAT)

6.2.1 Define the concepts of CAAT.

6.2.2 Calculate the internal control system in CAAT.

CLO 1: Justify properly the techniques employed in the various stages of the audit process and evaluate findings.

IMPACT OF AN IT ENVIRONMENT ON AN AUDIT

• When an auditor is auditing in an information technology (IT) environment, the auditor should consider how the IT environment affects the audit.

• The overall objective and scope of an audit do not change in an IT environment.

• However, the use of IT changes the processing, storage and communication of financial information, and may affect the accounting and internal control systems employed by the company.

The auditor should, therefore, consider the following impact on the audit:

1) The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems.

2) The consideration of inherent risk and control risk in arriving at the overall risk assessment.

3) The designing and performance of tests of controls and substantive procedures appropriate to meet the audit objectives.

SKILLS AND COMPETENCE

The auditor should have sufficient knowledge of IT to plan, direct, supervise and review the work performed. The auditor should also consider whether specialized skills in IT are needed in an audit to:

1) Obtain a sufficient understanding of the accounting and internal control systems affected by the IT environment.

2) Determine the effect of the IT environment on the assessment of overall risk and of risk at the account balance and class of transactions level.

3) Design and perform appropriate tests of controls and substantive procedures in order to obtain sufficient appropriate audit evidence.

TYPES OF CONTROLS IN AN IT ENVIRONMENT

There are TWO broad categories of information systems control procedures:

1) General Controls – relate to the overall information processing environment and have a pervasive effect on the entity’s information systems and operations. General controls are sometimes referred to as supervisory, management, or information technology controls.

2) Application Controls – apply to the processing of specific or individual applications (for example, revenues or purchasing). Application controls help ensure that transactions that occurred are authorised, and are completely and accurately recorded and processed.

The overall objective of general and application controls is to ensure that the IT systems maintain the integrity of information and security of data.

GENERAL CONTROLS

General controls include controls over the following:

• Organization

• Control over systems development and maintenance

• Operational control

• Hardware and software controls

The objective of general control is to provide a control environment, which means an environment that ensures the accuracy and reliability of accounting data and records.

ORGANIZATION

• This means, first, the separation of the IT department from the accounting department and other user departments.

• This also means the IT manager is responsible only to the top management of the company who has no authority over computer processing.

• Second, there must be proper segregation of duties within the IT department itself.

• The duties of the different personnel within the IT department are as follows:

POSITION: FUNCTIONS

IT MANAGER: Manages the IT department. Everyone in the IT department reports to him.

SYSTEM ANALYST: Monitors existing systems; designs new systems; provides systems and test specifications and data for programmers.

PROGRAMMER: Develops and documents test programs and prepares flowcharts.

COMPUTER OPERATOR: Operates the computer hardware using computer programs.

DATA CONTROL GROUP: Serves as the point of communication with the user departments; monitors input, processing and output and reviews all errors.

LIBRARIAN: Custody and physical control over computer programs, data files and all documentation. The librarian also needs to ensure:

1) The correct files are provided for specific applications.

2) Files are properly maintained.

3) Backup and recovery procedures exist.

CONTROL OVER THE SYSTEMS DEVELOPMENT AND MAINTENANCE

The second aspect of general control relates to the control over the planning, reviewing, testing and approval of any new program and any system.

OPERATIONS CONTROL

This means control over access to computer operations and systems. This includes control over detection of errors and also control to ensure that no unauthorized data is put into the system. Operations control also includes controls to ensure that only proper programs are used.

HARDWARE AND SOFTWARE CONTROL

In general terms hardware control means the controls that are built into the computer by the manufacturer. Such controls are aimed at detecting errors caused by computer malfunction.

The aim of software control is to provide for the detection of errors in the program and to protect the systems and the files from unauthorized use. The control is also aimed at the systematic backup and recovery of data to prevent manipulation and accidental loss.

Examples of general controls.

1) Administrative controls: Controls over data centre and network operations and access security; i.e. procedure manuals, job scheduling, training and supervision, prevention of unauthorized amendments to data files, backup and physical protection of files and access controls such as passwords.

2) System development controls: System software acquisition, development and maintenance; controls over application development; use of test data to identify program code errors, good system over program writing, segregation of duties so that operators are not involved in program development, controls over program changes, controls over installation and maintenance of system software.

APPLICATION CONTROLS

Application controls consist of:

1) Input controls

2) Processing controls

3) Output controls

The objective of application controls is to ensure the completeness and accuracy of accounting records and the validity of entries made resulting from both manual and programmed processing.

INPUT CONTROLS

The control at the input level is important and must be checked before the transactions are processed.

Input control means first that the transactions sent to the IT department for processing are:

a) Authorized

b) Accurate

c) Complete

d) Timely and

e) Presented only once

Second, any errors detected at the input level must be corrected and resubmitted for processing.

This aspect of application control should ensure that the transactions are in order before they can be accepted for processing.

PROCESSING CONTROLS

The system should provide for accurate and timely processing of the input data.

Computers are now programmed to perform the checking which includes the completeness tests, logic tests and control totals.

As such the control at this level should basically incorporate the proper maintenance of the computers. Any defects or errors found must be duly corrected.

OUTPUT CONTROLS

In addition to the input and processing controls, it is necessary to have control at the output level to ensure that the output data are valid.

Outputs include reports, cheques, documents and other printed or displayed (on terminal screen) information.

A number of controls should be present to minimise the unauthorised use of output.

A report distribution log should contain a schedule of when reports are prepared, the names of individuals who are to receive the report, and the date of distribution.

One way to ensure validity is by the reconciliation of the output total with the control total at the input phase.

Another way is through review by a person who knows what kind of output is expected from the input.

Examples of application controls:

• Existence check, e.g. that a supplier exists

• Character check, e.g. that there are no alphabetical characters in a sales invoice number field

• Range check, e.g. no employee’s weekly wage is more than $2,000
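The checks listed above and the control-total reconciliation described under OUTPUT CONTROLS, as an added example that is not part of the original notes: a Python sketch that applies the character, existence and range checks plus the "presented only once" rule to a payroll batch, then reconciles the accepted total with the input control total. The field names, master file, sample batch and control total are constructed for illustration; the 2,000 limit is taken from the range check example.

```python
from decimal import Decimal

# Constructed master file; the 2,000 ceiling mirrors the range check example above.
EMPLOYEE_MASTER = {"E001", "E002", "E003"}
MAX_WEEKLY_WAGE = Decimal("2000")

def check_record(rec, seen):
    """Return the list of input-control failures for one transaction."""
    errors = []
    no = rec["voucher_no"]
    if not (no.isascii() and no.isdigit()):           # character check
        errors.append("character")
    if rec["employee_id"] not in EMPLOYEE_MASTER:     # existence check
        errors.append("existence")
    wage = Decimal(rec["weekly_wage"])
    if not (Decimal("0") < wage <= MAX_WEEKLY_WAGE):  # range check
        errors.append("range")
    if no in seen:                                    # presented only once
        errors.append("duplicate")
    return errors

def process_batch(records, control_total):
    """Validate a batch, then reconcile the output total with the input control total."""
    seen, accepted, rejected = set(), [], []
    for rec in records:
        errors = check_record(rec, seen)
        seen.add(rec["voucher_no"])
        if errors:
            rejected.append((rec["voucher_no"], errors))
        else:
            accepted.append(rec)
    output_total = sum(Decimal(r["weekly_wage"]) for r in accepted)
    return {
        "accepted": [r["voucher_no"] for r in accepted],
        "rejected": rejected,
        "output_total": output_total,
        "reconciled": output_total == Decimal(control_total),
    }

# Constructed sample batch; the control total covers all five vouchers as submitted.
BATCH = [
    {"voucher_no": "1001", "employee_id": "E001", "weekly_wage": "850.00"},
    {"voucher_no": "1002", "employee_id": "E009", "weekly_wage": "900.00"},
    {"voucher_no": "10A3", "employee_id": "E002", "weekly_wage": "700.00"},
    {"voucher_no": "1004", "employee_id": "E003", "weekly_wage": "2500.00"},
    {"voucher_no": "1001", "employee_id": "E001", "weekly_wage": "850.00"},
]
RESULT = process_batch(BATCH, control_total="5800.00")
```

The sample batch fails reconciliation because four vouchers are rejected; the totals agree only once the errors are corrected and resubmitted, as the input controls require.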
