Answers PART 1 - Questions

This document is a final exam for an auditing in CIS environments course. It contains 15 multiple choice questions that assess understanding of key concepts relating to controls in computerized accounting systems, including differences between batch and real-time systems, documentation requirements, roles of IT personnel, and risks specific to IT environments.

Uploaded by

James Sy

FINAL EXAMINATION

AUDITING IN CIS ENVIRONMENT


Name : James Anthony N. Sy Score:_________________
Course and Year: BSA – 3 Date: June 11, 2021

ANSWERS

PART 1 - Questions

1. In a batch processing system, documents evidencing transactions and events are gathered and
processed by groups. The day’s sales invoices, for example, may be converted to machine-readable
form and processed the next morning. In a real time system, transactions are input into
the system and processed as they occur. A branch sale, for example, may be input into the system
via a terminal at a remote location. The computer checks for product availability, customer
authenticity, customer credit approval, and shipping terms; and if all conditions are met, the sale
is processed immediately and the sales invoice and shipping order are produced.

2. In a real-time system, much of the data are stored internally and documentation is often not as
extensive as in a batch system. Retrieval and audit of transaction data, therefore, are often more
difficult in a real-time system. Also, controls are more likely to be programmed in real-time
systems, and for this reason, are more difficult to test.

3. Inasmuch as computer processing requires increased dependence on the computer systems and
software for the accuracy and completeness of processing, documentation assumes major
significance relative to effective control. Documentation facilitates reviewing and updating
systems and programs as the environment changes; and it also minimizes the probability of
unauthorized system and program changes which could result in loss of control and decreased
reliability of financial data.

4. In a batch system, files are stored off-line for the most part, and access control assumes the
form of safeguarding the programs, transaction files, and master files by assigning responsibility
for the files to a librarian and instituting a formal checkout system. Only those persons
authorized to process transactions (computer operators) are permitted access to transaction and
master files; and programmers are permitted access to programs only for testing and
“debugging” purposes. In an on-line, real-time system, transactions and master files are stored
internally, often in a system of integrated data bases. Access control in this type of data
environment assumes the form of controlling access to data bases and fixing of responsibility for
the data base components. Assigning a password to an individual who is responsible for the data
base component accessible by that password, canceling passwords of former employees, and
frequent changing of existing employees’ passwords are examples of access controls in a real-time
system.

5. Recording forms and transaction logs assure consistency and completeness of data inputs. The
form or log should include codes describing such transaction components as employee number,
customer number, vendor number, department number, stock number, purchased part number, or
job number. The form should also provide for quantities, prices, dates, and usually a short
narrative description of products, parts, materials, or services for purchase and sales transactions.

6. A transaction file is the batch of entered data that has been converted into machine-readable
form. A transaction file may contain payroll information for a specific period of time. It is
similar to a journal in a manually prepared system. A master file contains updated information
through a particular time period. It is similar to a ledger in a manual system.

7. Small businesses have found that microcomputers or personal computer systems are cost
effective for processing accounting data. In small businesses, one would expect to find
microcomputers (or personal computers) using commercially available software.

8. In the computerized system, documents to support a transaction may not be maintained in
readable form, requiring associated performance of controls. However, the computerized system
will enable processing of transactions to be done more consistently, duties to be consolidated,
and reports to be generated more easily.

9. The proper installation of IT can lead to internal control enhancements by replacing
manually-performed controls with computer-performed controls. IT based accounting systems have the
ability to handle tremendous volumes of complex business transactions cost effectively.
Computer-performed controls can reduce the potential for human error by replacing manual
controls with programmed controls that apply checks and balances to each transaction processed.
The systematic nature of IT offers greater potential to reduce the risk of material misstatements
resulting from random, human errors in processing. The use of IT based accounting systems also
offers the potential for improved management decisions by providing more and higher quality
information on a timelier basis than traditional manual systems. IT-based systems are usually
administered effectively because the complexity requires effective organization, procedures, and
documentation. That in turn enhances internal control.

10. When entities rely heavily on IT systems to process financial information, there are new risks
specific to IT environments that must be considered. Key risks include the following:

a. Reliance on the functioning capabilities of hardware and software. The risk of system
crashes due to hardware or software failures must be evaluated when entities rely on IT to
produce financial statement information.

b. Visibility of audit trail. The use of IT often converts the traditional paper trail to an electronic
audit trail, eliminating source documents and paper-based journal and records.

c. Reduced human involvement. The replacement of traditional manual processes with
computer-performed processes reduces opportunities for employees to recognize misstatements
resulting from transactions that might have appeared unusual to experienced employees.

d. Systematic versus random errors. Due to the uniformity of processing performed by IT
based systems, errors in computer software can result in incorrect processing for all transactions
processed. This increases the risk of many significant misstatements.

e. Unauthorized access. The centralized storage of key records and files in electronic form
increases the potential for unauthorized on-line access from remote locations.

f. Loss of data. The centralized storage of data in electronic form increases the risk of data loss
in the event the data file is altered or destroyed.

g. Reduced segregation of duties. The installation of IT-based accounting systems centralizes
many of the traditionally segregated manual tasks into one IT function.

h. Lack of traditional authorization. IT-based systems can be programmed to initiate certain
types of transactions automatically without obtaining traditional manual approvals.

i. Need for IT experience. As companies rely to a greater extent on IT-based systems, the need
for personnel trained in IT systems increases in order to install, maintain, and use systems.

11. General controls relate to all aspects of the IT function. They have a global impact on all
software applications. Examples of general controls include controls related to the administration
of the IT function; software acquisition and maintenance; physical and on-line security over
access to hardware, software, and related backup; back-up planning in the event of unexpected
emergencies; and hardware controls. Application controls apply to the processing of individual
transactions. An example of an application control is a programmed control that verifies that all
time cards submitted are for valid employee ID numbers included in the employee master file.

12. The most significant separation of duties unique to computer systems are those performed by
the systems analyst, programmer, computer operator, and data base administrator. The idea is
that anyone who designs a processing system should not also do the technical work, and anyone
who performs either of these tasks should not also be the computer operator when real data is
processed.

13. Typical duties of computer personnel:

a. Systems analysis: Personnel will design and direct the development of new applications.

b. Programming: Other personnel will actually do the programming dictated by the system
design.

c. Operating: Other people will operate the computer during processing runs, so that
programmers and analysts cannot interfere with the programs designed and executed, even if
they produce errors.

d. Converting data: Since this is the place where misstatements and errors can be made – the
interface between the hardcopy data and the machine-readable transformation, people
unconnected with the computer system itself do the data conversion.

e. Library-keeping: Persons need to control others’ access to system and program software so it
will be used by authorized personnel for authorized purposes.

f. Controlling: Errors always occur, and people not otherwise connected with the computer
system should be the ones to compare input control information with output information, provide
for correction of errors not involving system failures, and distribute output to the people
authorized to receive it.

14. Documentation differs significantly as to inclusion of program flowcharts, program listings,
and technical operating instructions. File security and retention differs because of the relatively
delicate form of the magnetic media requiring fireproof vault storage, insulation from other
magnetic fields, safeguards from accidental writing on data files, and so forth.

15. Auditors review documentation to gain an understanding of the system and to determine
whether the documentation itself is adequate for helping manage and control the computer
processing.

16. Responsibilities of the database administrator (DBA) function are:

• Design the content and organization of the database, including logical data relationships,
physical storage strategy and access strategy.

• Protect the database and its software, including control over access to and use of the data and
DBMS and provisions for backup and recovery in the case of errors or destruction of the
database.

• Monitor the performance of the DBMS and improve efficiency.

• Communicate with the database users, arbitrate disputes over data ownership and usage,
educate users about the DBMS and consult users when problems arise.

• Provide standards for data definition and usage and documentation of the database and its
software.

17. Five things a person must have access to in order to facilitate computer fraud are:

a. The computer itself.

b. Data files.

c. Computer programs.

d. System information (documentation).

e. Time and opportunity to convert assets to personal use.

18. Because many companies that operate in a network environment decentralize their network
servers across the organization, there is an increased risk for a lack of security and lack of overall
management of the network operations. The decentralization may lead to a lack of standardized
equipment and procedures. In many instances responsibility for purchasing equipment and
software, maintenance, administration, and physical security, often resides with key user groups
rather than with features, including segregation of duties, typically available in traditionally
centralized environments because of the ready access to software and data by multiple users.

19. Additional planning items that should be considered when computer processing is involved
are:

• The extent to which the computer is used in each significant accounting application.

• The complexity of the computer operations used by the entity, including the use of an outside
service center.

• The organizational structure of the computer processing activities.

• The availability of data.

• The computer-assisted audit techniques to increase the efficiency of audit procedures.

• The need for specialized skills.

20. Understanding the control environment is a part of the preliminary phase of control risk
assessment. Computer use in data processing affects this understanding in each of the parts of the
control environment as follows: The organizational structure – should include an understanding
of the organization of the computer function. Auditors should obtain and evaluate: (a) a
description of the computer resources and (b) a description of the organizational structure of
computer operations.

Methods used to communicate responsibility and authority – should include the methods related
to computer processing. Auditors should obtain information about the existence of: (a)
accounting and other policy manuals including computer operations and user manual and (b)
formal job descriptions for computer department personnel. Further, auditors should gain an
understanding of: (a) how the client’s computer resources are managed, (b) how priorities for
resources are determined and (c) if user departments have a clear understanding of how they are
to comply with computer related standards and procedures.

Methods used by management to supervise the system – should include procedures management
uses to supervise the computer operations. Items that are of interest to the auditors include: (a)
the existence of systems design and documentation standards and the extent to which they are
used, (b) the existence and quality of procedures for systems and program modification, systems
acceptance approval and output modification, (c) the procedures limiting access to authorized
information, (d) the availability of financial and other reports and (e) the existence of an internal
audit function.

21. The “audit trail” is the source documents, journal postings and ledger account postings
maintained by a client in order to keep books. These are a “trail” of the bookkeeping (transaction
data processing) that the auditor can follow forward with a tracing procedure or backward with a
vouching procedure. In a manual system this “trail” is usually visible to the eye with posting
references in the journal and ledger and hard-copy documents in files. But in a computer system,
the posting references may not exist, and the “records must be read using the computer rather
than the naked eye.” Most systems still have hard-copy papers for basic documentation, but in
some advanced systems even these might be absent.

22. The audit trail (sometimes called “management trail” as it is used more in daily operations
than by auditors) is composed of all manual and computer records that allow one to follow the
sequence of processing on (or because of) a transaction. The audit trail in advanced systems may
not be in a human-readable form and may exist for only a fraction of a second. The first control
implication is that concern for an audit trail needs to be recognized at the time a system is
designed. Techniques such as integrated test facility, audit files and extended records must be
specified to the systems designer. The second control implication is that if the audit trail exists
only momentarily in the form of transaction logs or master records before destructive update, the
external auditor must review and evaluate the transaction flow at various times throughout the
processing period. Alternatively, the external auditor can rely more extensively on the internal
auditor to monitor the audit trail.

23. Major characteristics:

1. Staff and location of the computer – operated by small staff located within the user department
and without physical security.

2. Programs – supplied by computer manufacturers or software houses.


3. Processing mode – interactive data entry by users with most of the master file accessible for
inquiry and direct update.

Control Problems:

1. Lack of segregation of duties.

2. Lack of controls on the operating system and application programs.

3. Unlimited access to data files and programs.

4. No record of usage.

5. No backup of essential files.

6. No audit trail of processing.

7. No authorization or record of program changes.

24. Auditing through the computer refers to making use of the computer itself to test the
operative effectiveness of application controls in the program actually used to process accounting
data. Thus the term refers only to the proper study and evaluation of internal control. Auditing
with the computer refers both to the study of internal control (the same as “auditing through”)
and to the use of the computer to perform audit tasks.

25. Both are audit procedures that use the computer to test controls that are included in a
computer program. The basic difference is that the test data procedure utilizes the client’s
program with auditor-created transactions, while parallel simulation utilizes an auditor-created
program with actual client transactions. In the test data procedure the results from the client
program are compared to the auditor’s predetermined results to determine whether the controls
work as described. In the parallel simulation procedures the results from the auditor program are
compared to the results from the client program to determine whether the controls work as
described.

26. The test data technique utilizes simulated transactions created by the auditor processed by
actual programs but at a time completely separate from the processing of actual, live
transactions. The integrated test facility technique is an extension of the test data technique, but
the simulated transactions are intermingled with the real transactions and run on the actual
programs processing actual data.

27. User identification numbers and passwords prevent unauthorized access to accounting
records and application programs. The transaction log does not prevent unauthorized access but
may be reviewed to detect unauthorized access. Even then, responsibility could not be traced to a
particular individual without user identification numbers and passwords. The transaction log is
more important to establish the audit trail than to detect unauthorized access.

28. Generalized audit software is a set of preprogrammed editing, operating, and output routines
that can be called into use with a simple, limited set of programming instructions by an auditor
who has one or two weeks intensive training.

29.

30. Automated microcomputer work paper software generally consists of trial balance and
adjustment worksheets, working paper (lead schedule) forms, easy facilities for adjusting journal
entries, and electronic spreadsheets for various analyses.

31. A microcomputerized electronic spreadsheet can be used instead of paper and pencil to create
the form of a bank reconciliation, with space provided for text lists of outstanding items (using
the label input capability), and math formula inserted for accurate arithmetic in the
reconciliation. Printing such reconciliation is easy (and much prettier than most accountants’
handwriting!).

32. With either data base or spreadsheet software packages, macros (sets of instructions) can be
developed for retrieving data from the working trial balance and converting this data into
classified financial statements. If one or more subsidiaries are to be included, the consolidated
process can also be automated by the inclusion of special modules designed for that purpose. The
standard audit report, as well as recurring footnotes, can be included in the data base, and
modified to fit the circumstances of the current year’s audit results.

33. Relational data base packages have all the advantages of spreadsheets, and, in addition, have
the capacity to store and handle larger quantities of data. They are especially useful in
manipulating large data bases, such as customer accounts receivable, plant assets, and
inventories.

34. General controls relate to all aspects of the IT function. They have a global impact on all
software applications. Examples of general controls include controls related to the administration
of the IT function; software acquisition and maintenance; physical and on-line security over
access to hardware, software, and related backup; back-up planning in the event of unexpected
emergencies; and hardware controls. Application controls apply to the processing of individual
transactions. An example of an application control is a programmed control that verifies that all
time cards submitted are for valid employee ID numbers included in the employee master file.

35. The most significant separation of duties unique to computer systems are those performed by
the systems analyst, programmer, computer operator, and data base administrator. The idea is
that anyone who designs a processing system should not also do the technical work, and anyone
who performs either of these tasks should not also be the computer operator when real data is
processed.

36. Typical duties of computer personnel:

a. Systems analysis: Personnel will design and direct the development of new applications.

b. Programming: Other personnel will actually do the programming dictated by the system
design.

c. Operating: Other people will operate the computer during processing runs, so that
programmers and analysts cannot interfere with the programs designed and executed, even if
they produce errors.

d. Converting data: Since this is the place where misstatements and errors can be made – the
interface between the hardcopy data and the machine-readable transformation, people
unconnected with the computer system itself do the data conversion.

e. Library-keeping: Persons need to control others’ access to system and program software so it
will be used by authorized personnel for authorized purposes.

f. Controlling: Errors always occur, and people not otherwise connected with the computer
system should be the ones to compare input control information with output information, provide
for correction of errors not involving system failures, and distribute output to the people
authorized to receive it.

37. Documentation differs significantly as to inclusion of program flowcharts, program listings,
and technical operating instructions. File security and retention differs because of the relatively
delicate form of the magnetic media requiring fireproof vault storage, insulation from other
magnetic fields, safeguards from accidental writing on data files, and so forth.

38. Auditors review documentation to gain an understanding of the system and to determine
whether the documentation itself is adequate for helping manage and control the computer
processing.

39. Responsibilities of the database administrator (DBA) function are:

• Design the content and organization of the database, including logical data relationships,
physical storage strategy and access strategy.

• Protect the database and its software, including control over access to and use of the data and
DBMS and provisions for backup and recovery in the case of errors or destruction of the
database.

• Monitor the performance of the DBMS and improve efficiency.

• Communicate with the database users, arbitrate disputes over data ownership and usage,
educate users about the DBMS and consult users when problems arise.

• Provide standards for data definition and usage and documentation of the database and its
software.

40. Five things a person must have access to in order to facilitate computer fraud are:

a. The computer itself.

b. Data files.

c. Computer programs.

d. System information (documentation).

e. Time and opportunity to convert assets to personal use.

41. Because many companies that operate in a network environment decentralize their network
servers across the organization, there is an increased risk for a lack of security and lack of overall
management of the network operations. The decentralization may lead to a lack of standardized
equipment and procedures. In many instances responsibility for purchasing equipment and
software, maintenance, administration, and physical security, often resides with key user groups
rather than with features, including segregation of duties, typically available in traditionally
centralized environments because of the ready access to software and data by multiple users.

PART 2 – Multiple Choice

1. c

2. a

3. d

4. b

5. d

6. d

7. b

8. b

9. c

10. c

11. c

12. a

13. a

14. a

15. c

16. c

17. c

18. b

19. c

20. c

21. c

22. c

23. a & d

24. a

25. a

26. a

27. c

28. d

29. b

30. d

31. d

32. b

33. a

34. c

35. c

36. c

37. a

38. a

39. c

40. c

41. The client’s control procedures appear adequate enough to justify a low control risk
assessment.

42. d

43. d

44. d

45. b

46. d

PART 3 – Case Analysis

1. The audit should be undertaken by a competent professional in accordance with general
standard one; The auditor's knowledge of the accounting process should be thorough; Without
knowledge, calculating the Risk of Material Misstatement (ROMM) is difficult; There is a high
probability of accidentally recognizing an Audit Procedure (AP) level (in the absence of skill);
The stated audit opinion cannot be relied upon (if the auditor is incompetent); A competent
auditor would have determined (as indicated in the document) that a risk of human error existed
and then scanned. Additionally, since transactions are handled organically, there is a chance of
technological errors. As a consequence, the auditor should be familiar with the improved
program's technical specifications
