AUDIT IN A CIS

ENVIRONMENT
MODULE

Prepared by:
CARL JOSEPH C. FUERZAS, CPA
Instructor
Dear Student,
Panagdait sa Tanang Kabuhatan!
The success of this module lies in
your hands. This was prepared for you TEACHER’S
to learn diligently, intelligently, and PHOTO
independently. This will be a great
opportunity for you as a would be
teacher to equip yourself not only with
academic content but as well as some
invaluable skills which you will be very
proud of as a responsible learner
 STUDY SCHEDULE AND HOUSE RULES

Course Title: AUDIT IN CIS ENVIRONMENT

Course Description: Information Technology throughout the world has revolutionized and
dramatically changed the manner in which the business is conducted today. Computerization has a
significant effect on organization control, flow of document information processing and so on.
Auditing in a CIS environment even though has not changed the fundamental nature of auditing, it
has definitely caused substantial changes in the method of evidence collection and evaluation. This
also requires auditors to become knowledge about computer environment (Hardware, software
etc.) and keep pace with rapidly changing technology, even to the extent of using sophisticated
Audit software.

STUDY SCHEDULE

MODULE 1: Curriculum: An Overview

At the end of the module you will be able to:
1. To understand the concept of Computer Information Systems
2. To identify Computer Information Systems
3. To know the types of events occurring in a Computer Information Systems
4. To understand the recognition of adjusting and nonadjusting events
5. To understand the nature and usefulness of the Computer Information Systems
6. To identify the components of Computer Information Systems
WEEK TOPIC Date Time
08/10/2020 8:30 – 10:00 am
Week 1 Lesson 1 - OVERVIEW OF IT AUDIT
08/27/2020 8:30 – 10:00 am
Lesson 2 - LEGAL AND ETHICAL ISSUES 09/03/2020 8:30 – 10:00 am
Week 2
FOR IT 09/03/2020 8:30 – 10:00 am
Lesson 3 – AUDITING IT GOVERNANCE 09/07/2020 8:30 – 10:00 am
Week 3
CONTROLS 09/10/2020 8:30 – 10:00 am
Lesson 4 – AUDITING IT GOVERNANCE 09/14/2020 8:30 – 10:00 am
Week 4
CONTROLS PART 2 09/17/2020 8:30 – 10:00 am
PRELIM EXAMINATION
 The following guides and house rules will help you to be on track and complete the
module with a smile on your face.
1. Read and understand every part of the module. If there are some contents or tasks
which you find difficult to understand, try to re-read and focus. You may also ask help
from your family at home, if it doesn’t work, you may send a private message on my
Facebook account (Carl Fuerzas) or you may text me on this cellphone number
09381715396.
2. Each module begins with an overview and a list of the topics you are expected to
learn.
3. Before reading the module and working on the activities, answer the pretest first. Find
out how well you did by checking your answers against the correct answers in the
answer key.
4. At the end of each lesson try to reflect and assess if you were able to achieve the
learning objectives. Remember that you can always read again if necessary.
5. Learn to manage your time properly. Study how you can manage to work on this
module in consideration of your other modules.
6. Have patience and do not procrastinate.
7. Practice the virtue of honesty in doing all your tasks.
8. Lastly, the activities in the module must be done by you and not by others. Your family
and friends may support and guide you but you must not let them do the work. DO
YOUR BEST AND GOD WILL DO THE REST.

CARL JOSEPH C. FUERZAS, CPA

Instructor
 MODULE 1
OVERVIEW OF IT
AUDIT
 MODULE CONTENTS

I. Introduction: What is this Module About?

II. Pretest
III. Lesson 1 - Related Parties
IV. Lesson 2 - Events after the reporting period
V. References
Curriculum: An Overview

What is this Module about?

This course (LBYMODT or Auditing in a Computer Information

Systems [CIS] Environment) complements the course in Auditing,
but limited to the areas that have an immediate consequence to
information technology (IT) as used in business. It discusses the
impact of information technology on the auditor’s study and
evaluation of internal controls with emphasis on the previously
learned IT-related risks and controls in a CIS environment. It takes
into account the audit of IT function as a whole and the audit of CIS
in support of financial statement audit. It introduces tools and
techniques in auditing around, auditing through, and auditing with
the computer (using Audit Command Language [ACL] as generalized
audit software [GAS]).
Lesson 1 - Related Parties
Lesson 2 - Events after the reporting period
PRETEST
To find out how much you already know about the concepts in this module, Answer the
Pretest below.

Name: _________________________________________________ Course & Year:

____________

1. Which statement is incorrect when auditing in a CIS environment?

a. A CIS environment exists when a computer of any type or size is involved in the processing
by the entity of financial information of significance to the audit, whether that computer is
operated by the entity or by a third party.
b. The auditor should consider how a CIS environment affects the audit.
c. The use of a computer changes the processing, storage and communication of financial
information and may affect the accounting and internal control systems employed by the
entity.
d. A CIS environment changes the overall objective and scope of an audit.
2. Which of the following standards or group of standards is mostly affected by a computerized
information system environment?
a. General standards c. Reporting standards
b. Second standard of field work d. Standards of fieldwork
3. Which of the following is least considered if the auditor has to determine whether specialized
CIS skills are needed in an audit?
a. The auditor needs to obtain a sufficient understanding of the accounting and internal control
system affected by the CIS environment.
b. The auditor needs to determine the effect of the CIS environment on the assessment of
overall risk and of risk at the account balance and class of transactions level.
c. Design and perform appropriate tests of controls and substantive procedures.
d. The need of the auditor to make analytical procedures during the completion stage of audit.
4. It relates to materiality of the financial statement assertions affected by the computer
processing.
a. Threshold b. Relevance c. Complexity d. Significance
5. Which of the following least likely indicates a complexity of computer processing?
a. Transactions are exchanged electronically with other organizations without manual review of
their propriety.
b. The volume of the transactions is such that users would find it difficult to identify and correct
errors in processing.
c. The computer automatically generates material transactions or entries directly to another
applications.
d. The system generates a daily exception report.
6. The nature of the risks and the internal characteristics in CIS environment that the auditors are
mostly concerned include the following except:
a. Lack of segregation of functions. c. Lack of transaction trails.
b. Dependence of other control over computer processing. d. Cost-benefit ratio.
7. Which of the following is least likely a risk characteristic associated with CIS environment?
a. Errors embedded in an application’s program logic maybe difficult to manually detect on a
timely basis.
b. Many control procedures that would ordinarily be performed by separate individuals in
manual system maybe concentrated in CIS.
c. The potential unauthorized access to data or to alter them without visible evidence maybe
greater.
 d. Initiation of changes in the master file is exclusively handled by respective users.

Lesson 1: OVERVIEW OF IT AUDIT

Learning Objectives

1. To understand the concept of Computer Information Systems

2. To identify Computer Information Systems
3. To know the types of events occurring in a Computer Information Systems

Introduction
Information Technology throughout the world has revolutionized and dramatically changed the manner in which
the business is conducted today. Computerization has a significant effect on organization control, flow of
document information processing and so on. Auditing in a CIS environment even though has not changed the
fundamental nature of auditing, it has definitely caused substantial changes in the method of evidence collection
and evaluation. This also requires auditors to become knowledge about computer environment (Hardware,
software etc.) and keep pace with rapidly changing technology, even to the extent of using sophisticated Audit
software. Students are advised to study the technical issue relating to Information Technology from the study
material of paper 6.

Scope of Audit in a CIS Environment

Impact of computerisation on audit approach needs consideration of the following factors:
(1) High speed - In a CIS environment information can be generated very quickly. Even complex
reports in specific report format can be generated for audit purposes without much loss of time. This
cut down the time enabling the auditor to extend their analytical review for under coverage with
high speed of operation, the Auditor can expand their substantive procedures for collection of more
evidence in support of their judgement.
(2) Low clerical error - Computerised operation being a systematic and sequential programmed
course of action the changes of commission of error is considerably reduced. Clerical error is highly
minimised.
(3) Concentration of duties - In a manual environment the auditor needs to deploy separate
individuals for carrying out the verification process. In a CIS environment, the traditional approach does
not apply in many cases, as computer programs perform more than one set of activities at a time
thereby concentrating the duties of several personnel involved in the work.
(4) Shifting of internal control base –
(i) Application systems development control - Systems development control should be designed
to provide reasonable assurance that they are developed in an authorised and efficient manner, to
establish control, over:
a) testing, conversion, implementation, and documentation of new revised system.
b) changes to application system.
c) access to system documentation.
d) acquisition of application system from third parties.
(ii) Systems software control - Systems software controls are designed to provide reasonable
assurance that system software is acquired or developed in an authorised and efficient manner
including:
a) authorisation, approval testing, implementation and documentation of new system software
systems software modifications.
 b) putting restriction of access to system software and documentation to authorised personnel.
(5) Disappearance of manual reasonableness - The shift from traditional manual information
processing environment to computerised information systems environment needs a detailed analysis of
the physical system for transformation into a logical platform. In creating such logical models many
stages required under manual operations are either deleted or managed to create a focused computer
system. In such creative effort, the manual reasonableness may be missing.
(6) Impact of poor system - If system analysis and designs falls short of expected standard of
performance, a computerised information system environment may do more harm to integrated
business operation than good. Thus, care has to be taken in adopting manual operations switch- over to
computerised operations for ensuring performance quality standards.
(7) Exception reporting - This is a part of Management information system. Exception Reporting is a
departure from straight reporting of all variables. Here the value of a variable is only reported if it
lies outside some pre-determined normal range. This form of reporting and analysis is familiar to the
accountant. The main strength of exception reporting lies in its recognition that to be effective
information must be selectivity provided.
(8) Man-machine interface / human-computer interaction - Man-machine interface ensures
maximum effectiveness of the information system. Organisation concentrated on presenting
information that is required by the user and to present that information in the most uncluttered way.
It is required to determine what information was necessary to achieve through a careful analysis of
the job or task for which the user needed the information.
e) Human-computer interaction is a discipline concerned with the design, evaluation and
implementation of interactive computing systems for human use and with the study of the major
phenomena, surrounding them. The approach is user centered and integrates knowledge from a
wide range of disciplines
access to system documentation.
f) acquisition of application system from third parties.
(iii) Systems software control - Systems software controls are designed to provide reasonable
assurance that system software is acquired or developed in an authorised and efficient manner
including:
c) authorisation, approval testing, implementation and documentation of new system software
systems software modifications.
d) putting restriction of access to system software and documentation to authorised personnel.
(9) Disappearance of manual reasonableness - The shift from traditional manual information
processing environment to computerised information systems environment needs a detailed analysis of
the physical system for transformation into a logical platform. In creating such logical models many
stages required under manual operations are either deleted or managed to create a focused computer
system. In such creative effort, the manual reasonableness may be missing.
(10) Impact of poor system - If system analysis and designs falls short of expected standard of
performance, a computerised information system environment may do more harm to integrated
business operation than good. Thus, care has to be taken in adopting manual operations switch- over to
computerised operations for ensuring performance quality standards.
(11) Exception reporting - This is a part of Management information system. Exception Reporting is a
departure from straight reporting of all variables. Here the value of a variable is only reported if it
lies outside some pre-determined normal range. This form of reporting and analysis is familiar to the
accountant. The main strength of exception reporting lies in its recognition that to be effective
information must be selectivity provided.
(12) Man-machine interface / human-computer interaction - Man-machine interface ensures
maximum effectiveness of the information system. Organisation concentrated on presenting
information that is required by the user and to present that information in the most uncluttered way.
It is required to determine what information was necessary to achieve through a careful analysis of
the job or task for which the user needed the information.
Human-computer interaction is a discipline concerned with the design, evaluation and implementation of
interactive computing systems for human use and with the study of the major phenomena, surrounding
them. The approach is user centered and integrates knowledge from a wide range of disciplines
FOR THE LESSON PROPER
Please continue to the pdf we will be using for this subject
download the PDF of the book in the link:
http://bit.ly/2JRlArp
Lesson 1 Post Test
Instruction: Choose from the following the correct answer
1. Computer systems that enable users to access data and programs directly through workstations are
referred to as
a. On-line computer systems c. Personal computer systems
b.Database management systems (DBMS) d. Database systems
2. On-line systems allow users to initiate various functions directly. Such functions include:
I. Entering transactions III. Requesting reports
II. Making inquiries IV. Updating master files
a. I, II, III and IV c. I and II
b. I, II and III d. I and IV
3. Many different types of workstations may be used in on-line computer systems. The functions performed
by these workstations least likely depend on their
e. Logic b. Transmission c. Storage d. Cost
4. Types of workstations include General Purpose Terminals and Special Purpose Terminals.
Special Purpose Terminals include
a. Basic keyboard and monitor c. Point of sale devices
b. Intelligent terminal d. Personal computers
5. Special Purpose Terminal used to initiate, validate, record, transmit and complete various banking
transactions
a. Automated teller machines c. Intelligent terminal
b. Point of sale devices d. Personal computers
6. Which statement is incorrect regarding workstations?
a. Workstations may be located either locally or at remote sites.
b. Local workstations are connected directly to the computer through cables.
c. Remote workstations require the use of telecommunications to link them to the computer.
 d. Workstations cannot be used by many users, for different purposes, in different
locations, all at the same time.
7. On-line computer systems may be classified according to

a. How information is entered into the system.

b. How it is processed.
c. When the results are available to the user.

d. All of the above.

8. In an on-line/real time processing system

a. Individual transactions are entered at workstations, validated and used to update

related computer files immediately.
b. Individual transactions are entered at a workstation, subjected to certain validation
checks and added to a transaction file that contains other transactions entered during
the period.

c. Individual transactions immediately update a memo file containing information which

has been extracted from the most recent version of the master file.

d. The master files are updated by other systems.

9. It combines on-line/real time processing and on-line/batch processing.

a. On-Line/Memo Update (and Subsequent Processing)

b. On-Line Downloading/Uploading Processing

c. On-Line/Inquiry
d. On-Line/Combined Processing
10. It is a communication system that enables computer users to share computer equipment,
application software, data and voice and video transmissions.

a. Network b. File server c. Host d. Client

11. A type of network that multiple buildings are close enough to create a campus, but the
space between the buildings is not under the control of the company is
a. Local Area Network (LAN) c. Metropolitan Area Network (MAN)

b. Wide Area Network (WAN) d. World Wide Web (WWW)

12. Which of the following is least likely a characteristic of Wide Area Network (WAN)?

a. Created to connect two or more geographically separated LANs.

b. Typically involves one or more long-distance providers, such as a telephone company

to provide the connections.

c. WAN connections tend to be faster than LAN.

d. Usually more expensive than LAN.
Lesson 2: LEGAL AND ETHICAL ISSUES FOR IT

Learning Objectives

1. To understand the recognition of adjusting and nonadjusting events

2. To understand the nature and usefulness of the Computer Information
Systems
3. To identify the components of Computer Information Systems

Audit Approach in a CIS Environment

Based on The knowledge and expertise of Auditors in handling computerised data, the audit
approach in a CIS environment could be either:
A. A Black-box approach i.e., Auditing around the computer, or
B. A White-box approach i.e., Auditing through the computer.
A. The Black Box Approach

Client Input CPU Client Output

Auditing Around The Computer

Auditors Predetermined Output Compare with

Client Output
In the Black box approach or Auditing around the computer, the Auditor concentrates on input
and output and ignores the specifics of how computer process the data or transactions. If input
matches the output, the auditor assumes that the processing of transaction/data must have
been correct.
In testing, say, Payroll Application, the auditor might first examine selected time cards for hours
worked and employee earning cards for rates and then trace these to the payroll summary output
and finally compare hours, rates and extensions. The comparison of inputs and outputs may be
done manually with the assistance of the computer. The computer assisted approach has the
advantage of permitting the auditor to make more comparisons than would be possible, if done
manually.
Auditing around the computer has the advantage of ease of comprehension as the tracing of
documents to output does not require any in-depth study of application program.
A major disadvantage, however, is that the auditor not having directly tested the control,
cannot make assertions about the underlying process. Moreover, in some of the more complex
computer systems intermediate printout may not be available for making the needed
comparisons.
B. The White Box Approach

Auditor’s CPU Client

Input Output

Auditing Through The

Computer

Compare
with

Predetermined Client
Output Output

The processes and controls surrounding the subject are not only subject to audit but also the
processing controls operating over this process are investigated. In order to help the auditor to gain
access to these processes computer Audit software may be used. These packages may typically
contain:
(a) interactive enquiry facilities to interrogate files.
(b) facilities to analyze computer security logs for unusual usage of the computer.
(c) the ability to compare source and object (compiled) program codes in order to
detect dissimilarities.
(d) the facility to execute and observe the computer treatment of "live transaction"
by moving through the processing as it occurs.
(e) the generation of test data.
(f) the generation of aids showing the logs of application programs. The actual
controls and the higher level control will be evaluated and then subjected to
compliance testing and, if necessary, substantive testing before an audit report is
 produced.

It is obvious, that to follow this approach the auditor needs to have sufficient knowledge of
computers to plan, direct-supervise and review the work performed.
The areas covered in an audit will concentrate on the following controls:
(1) Input controls,
(2) Processing control,
(3) Storage control,
(4) Output control and
(5) Data transmission control.
The auditor will also need to be satisfied that there are adequate controls over the prevention
of unauthorised access to the computer and the computerised database. The auditors task will
also involve consideration of the separation of functions between staff involves in transaction
processing and the computerised system and ensuring that adequate supervision of personnel
is administered.
The process of auditing is not a straight forward flow of work from start to finish to be
completed by satisfying oneself against a standard checklist or a list of questions. It involves
exposure, experiences and application of knowledge and expertise to differing circumstances.
No two information system is same. From the view point of analysis of computerised
information system, the auditors need not only have adequacy on knowledge regarding
information requirement and computer data security they must also get exposed to system
analysis and design so as to facilitate post implementation audit.

Types of Computer Systems

There is large variety of computer systems applicable to accounting and other type of
information processing. The nature and type of system affect the various types of controls for
its efficient and effective functioning Computer System may be broadly classified as under:
A) System configuration, and
B) Processing systems.
A. Systems configuration
System configuration may be classified as:
(1) Large system computers - In large system computers, the processing task of
multiple users is performed on a single centralised computer, i.e., all inputs move
directly from the terminal to central processors and after processing goes back to users
from central processors. All the terminals in these systems were called 'dumb terminals'
as these terminals were not capable of processing data on their own and casually serve
only as input/output terminals. With time, these systems have become more efficient
and sophisticated. In many instances dumb terminals have given way to intelligent
terminals i.e., allowing data processing at local levels.
Stand alone personal computers - A stand alone system is one that is not connected to or
does not communicate with another computer system. Computing is done by an individual at a
time. All input data and its processing takes place on the machine itself. Many small businesses
rely on personal computers for all their accounting functions.
(2) Network computing system - A network is a group of interconnected system
sharing services and interacting by a shared communication links. All networks have
something to share, a transmission medium and rules for communication. Network
 share hardware and software resources. Hardware resources include:
(a) Client Server - A server in a network is dedicated to perform specific tasks to
support other computers on the network. Common types of servers are:
(b) File Server - File servers are the network applications that store, retrieve and
move data.
(c) Data base server - Most of the data base are client server based. Database
servers provide a powerful facility to process data.
(d) Message Server - They provide a variety of communication methods which takes
the form of graphics, digitized audio/video etc.,
(e) Print Server - Print server manages print services on the network.
Software resource sharing provides a facility to share information in the organisation.
The networks can also be classified on the basis of areas covered. Software resources
include:
(1) Local area network - In a local area network (LAN), two or more computers located
within a small well-defined area such as room, office or campus are connected through
cables. One of the computers acts as the server, it stores the program and data files
centrally. These programs and data files can be accessed by the other computers
forming part of the LAN. LAN provides the additional advantage of sharing programs,
data and physical resources like hard disks peripherals.
(2) Wide area network - Networks that employ public telecommunications facilities
to provide users with access to the resources of centrally located computers. A WAN
uses the public switched telephone network, high speed fibre optic cable, ratio links
or the internet. When a LAN extends in the metropolitan area using the WAN
technology, it is called Metropolitan Area Network (MAN).
WAN uses modem to connect computers over telephone lines (PSTN) PSTN system transfer
analog signals. Therefore, public telephone system is not appropriate to connect computers.
Modems are used to convert analog signals into digital and vice versa.
(3) Distributed data processing - The term has been used to cover many varities of
computer system. It consists of hardware located at least two geographically distinct
sites connected electronically by telecommunications where processing / data
storage occur at two or more than one sites. The main computer and the
decentralised units communicate via communication links. A more integrated
connection occurs with 'cooperative processing where processing is handled by two
cooperating geographically distinct processors. One processor send the output of its
processing to another for completion. The system becomes more complex, where
operating systems of both machines are different. Cooperative operating system may
be required under such situati

FOR THE LESSON PROPER

Please continue to the pdf we will be using for this subject
download the PDF of the book in the link:
http://bit.ly/2JRlArp
Lesson 2 Post Test

Instruction: Choose from the following the correct

1. A collection of data that is shared and used by a number of different users for
different purposes.
f. Database b. Information file c. Master file d.
Transaction file
2. Which of the following is least likely a characteristic of a database system?

a. Individual applications share the data in the database for different purposes.

b. Separate data files are maintained for each application and similar data used by
several applications may be repeated on several different files.

c. A software facility is required to keep track of the location of the data in the database.

d. Coordination is usually performed by a group of individuals whose responsibility is

typically referred to as "database administration."
3. Database administration tasks typically include

I. Defining the database structure.

II. Maintaining data integrity, security and completeness.

III. Coordinating computer operations related to the database.

IV. Monitoring system performance.

V. Providing administrative support.

a. All of the above b. All except I c. II and V only d. II, III and V
only
4. Due to data sharing, data independence and other characteristics of database systems

a. General CIS controls normally have a greater influence than CIS application controls
on database systems.

b. CIS application controls normally have a greater influence than general CIS controls
on database systems.

c. General CIS controls normally have an equal influence with CIS application controls on
database systems.
 d. CIS application controls normally have no influence on database systems.
5. Which statement is incorrect regarding the general CIS controls of particular importance
in a database environment?
a. Since data are shared by many users, control may be enhanced when a standard
approach is used for developing each new application program and for application
program modification.

b. Several data owners should be assigned responsibility for defining access and security
rules, such as who can use the data (access) and what functions they can perform
(security).

c. User access to the database can be restricted through the use of passwords.

d. Responsibilities for performing the various activities required to design, implement

and operate a database are divided among technical, design, administrative and user
personnel.
6. These require a database administrator to assign security attributes to data that cannot
be changed by database users.

a. Discretionary access controls c. Name-dependent restrictions

b. Mandatory access controls d. Content-dependent restrictions.

7. A discretionary access control wherein users are permitted or denied access to data
resource depending on the time series of accesses to and actions they have undertaken
on data resources.

a. Name-dependent restrictions c. Context-dependent restriction

b. Content-dependent restriction d. History-dependent restriction

8. The effect of a database system on the accounting system and the associated risks will
least likely depend on:

a. The extent to which databases are being used by accounting applications.

b. The type and significance of financial transactions being processed.

c. The nature of the database, the DBMS, the database administration tasks and the
applications.

d. The CIS application controls.

9. Audit procedures in a database environment will be affected principally by
a. The extent to which the data in the database are used by the accounting system.

b. The type and significance of financial transactions being processed.

c. The nature of the database, the DBMS, the database administration tasks and the
applications.

d. The general CIS controls which are particularly important in a database environment.
REFERENCES:

• Tugas, F. (2012). Exploring A New Element of Fraud: A Study of Selected

Financial Accounting Fraud Cases in the World. American International
Journal of Contemporary Research, 112-121.
• PAPS 1009 and PAPS 1013 of the Auditing Standards and Practices
Council