Intro To CIS and Internal Controls

Auditing and assurance in CIS

INTRODUCTION TO CIS AUDIT

A CIS environment exists when a computer of any type or size is involved in the processing by the
entity of financial information of significance to the audit, whether the computer is operated by the
entity or by a third party. The overall objective and scope of an audit do not change in a CIS
environment.

However, a CIS environment may affect:

a. The procedures followed in obtaining a sufficient understanding of the accounting and internal
control systems.

b. The consideration of inherent and control risk.

c. The design and performance of tests of controls and substantive procedures. In this regard, the
auditor should have sufficient knowledge of the CIS to plan, direct and review the work performed.

If specialized skills are needed, the auditor would seek the assistance of a professional possessing
such skills, who may be either on the auditor’s staff or an outside professional.

In planning the portions of the audit which may be affected by the client’s CIS environment, the
auditor should obtain an understanding of the significance and complexity of the CIS activities and
the availability of data for use in the audit. When the CIS environment is significant, the auditor
should also obtain an understanding of the CIS environment and whether it may influence the
assessment of inherent and control risks.

The auditor should consider the CIS environment in designing audit procedures to reduce the audit
risk to an acceptably low level. The auditor can use either manual audit procedures or computer
assisted audit techniques (CAATs) or a combination of both to obtain sufficient evidential matter.

An audit in a CIS environment is generally divided into three phases:

a. Audit planning – this phase consists of both short-term planning and long-term planning and
has risk analysis as one of its major parts.
• Short-term planning – takes into account audit issues that will be covered during the year.
• Long-term planning – relates to audit plans that will take into account risk-related issues
regarding changes in the organization’s IT strategic direction that will affect the
organization’s IT environment.
• Risk analysis – helps identify risks and vulnerabilities so the auditor can determine the
controls needed to mitigate those risks. The auditor is often focused on high-risk issues
associated with the confidentiality, availability or integrity of sensitive and critical information
and the underlying information systems and processes that generate, store and manipulate
such information.

b. Test of controls or compliance testing – to determine whether adequate internal controls are in
place and functioning properly.

c. Substantive testing – can be performed either with or without the use of computers. Also, the
auditor must consider that in a CIS environment, the information needed to perform
substantive tests is contained in data files that often must be extracted using computer
assisted audit tools and techniques (CAATs) software.

CHARACTERISTICS AND CONSIDERATIONS IN A CIS ENVIRONMENT

ORGANIZATIONAL STRUCTURE – characteristics of a CIS organizational structure include:

a. Concentration of function and knowledge – although most systems employing CIS methods
will include certain manual operations, generally, the number of persons involved in the
processing of financial information is significantly reduced.
b. Concentration of programs and data – transaction and master file data are often
concentrated, usually in machine-readable form, either in one computer installation located
centrally or in a number of installations distributed throughout the entity.

NATURE OF PROCESSING – the use of computers may result in the design of systems that
provide less visible evidence than those using manual procedures. In addition, these systems
may be accessible by a larger number of persons. System characteristics that may result from
the nature of CIS processing include:

a. Absence of input documents – data may be entered directly into the computer system
without supporting document. In some on-line transaction systems, written evidence of
individual data entry authorization may be replaced by other procedures such as
authorization controls contained in computer programs.
b. Lack of visible audit trail – the transaction trail may be partly in machine-readable form and
may exist only for a limited period of time.
c. Lack of visible output – certain transactions or results of processing may not be printed or
only a summary of data may be printed.
d. Ease of access to data and computer programs – data and computer programs may be
accessed and altered at the computer or through the use of computer equipment at remote
locations. Therefore, in the absence of appropriate controls, there is an increased potential
for unauthorized access to, and alteration of, data and programs by persons inside or outside
the entity.

DESIGN AND PROCEDURAL ASPECTS – the development of CIS will generally result in design
and procedural characteristics that are different from those found in manual systems.

These different design and procedural aspects of CIS include:


a. Consistency of performance – CIS perform functions exactly as programmed and are
potentially more reliable than manual systems, provided that all transaction types and
conditions that could occur are anticipated and incorporated into the system. On the other
hand, a computer program that is not correctly programmed and tested may consistently
process transactions or other data erroneously.
b. Programmed control procedures – the nature of computer processing allows the design of
internal control procedures in computer programs.
c. Single transaction update of multiple or database computer files – a single input to the
accounting system may automatically update all records associated with the transaction.
d. Systems generated transactions – certain transactions may be initiated by the CIS itself
without the need for an input document.
e. Vulnerability of data and program storage media – large volumes of data and the computer
programs used to process such data may be stored on portable or fixed storage media, such as
magnetic disks and tapes. These media are vulnerable to theft, loss or intentional or accidental
destruction.

INTERNAL CONTROL IN A CIS ENVIRONMENT – GENERAL CONTROLS

GENERAL CIS CONTROLS – relate to all EDP applications and are implemented to establish a framework of
overall control over the CIS activities and to provide a reasonable level of assurance that the
overall objectives of internal controls are achieved.

General controls may include:
a. Organization and management controls – designed to define strategic direction and
establish an organizational framework over CIS activities, including:
• Strategic information technology plan.
• CIS policies and procedures.
• Segregation of incompatible functions.
• Monitoring of CIS activities performed by third-party consultants.
b. Development and maintenance controls – designed to provide reasonable assurance that
systems are developed or acquired, implemented and maintained in an authorized and
efficient manner. They are also typically designed to establish control over:
• Project initiation, requirements definition, systems design, testing, data conversion, go-
live decision, migration to the production environment, documentation of new or revised
systems and user training.
• Acquisition and implementation of off-the-shelf packages.
• Requests for changes to existing systems.
• Acquisition, implementation and maintenance of system software.
c. Delivery and support controls – designed to control the delivery of CIS services, including:
• Establishment of service level agreements against which CIS services are measured.
• Performance and capacity management controls.
• Event and problem management controls.
• Disaster recovery/contingency planning, training and file backup.
• Computer operations controls.
• Systems security.
• Physical and environmental controls.
d. Monitoring controls – designed to ensure that CIS controls are working effectively as
planned. These include:
• Monitoring of key CIS performance indicators.
• Internal/external CIS audits.
Alternatively, general controls can be categorized into the following domains as per the
AICPA audit guide:
a. Organizational and operation controls – segregation of duties provides the control
mechanism for maintaining an independent processing environment, thus meeting
control objectives.
• Segregate functions between the EDP department and user departments.
• Do not allow the EDP department to initiate or authorize transactions.
• Segregate functions within the EDP department.

Auditor’s test of control – should include inquiry, observation, discussion and review of an
appropriate organization chart and of the responsibility for initiating and authorizing transactions;
discrepancies should be reported and the appropriate controls recommended.

Figure 5 – Sample Organizational Structure Within a CIS Department

• CIS Director – exercises control over the CIS operation.

• Systems analyst – designs new systems, evaluates and improves existing systems and prepares
specifications for programmers.

• Programmers – guided by the specifications of the systems analyst, the programmers write
programs, test and debug such programs and prepare the computer operating instructions.

i. Systems programmer – in charge of programs that make the hardware work, such as
operating systems, telecommunications monitors and database management systems.
ii. Applications programmer – in charge of programs for specific uses.

• Computer operator – using the program and detailed operating instructions prepared by the
programmer, the computer operator operates the computer to process transactions.

• Data entry operator – prepares and verifies input data for processing.

• Data librarian – maintains custody of systems documentation, programs and files.

• Control group – reviews all input procedures, monitors computer processing, follows up data
processing errors, reviews the reasonableness of output and distributes output to authorized
personnel.

b. Systems development and documentation controls – within EDP, new systems are
developed that either replace an old system or enhance present systems. This
environment requires unique controls to ensure that the integrity of the overall system is
maintained.

• User departments must participate in systems design.

• Each system must have written specifications which are reviewed and approved by
management and by user departments.

• Both users and EDP personnel must test new systems.

• Management, users and EDP personnel must approve new systems before they are placed
into operation.

• All master file and transaction file conversions should be controlled to prevent
unauthorized changes and to verify the results on a 100% basis.

• After a new system is operating, there should be proper approval of all program changes.

• Proper documentation standards should exist to assure continuity of the system.

Auditor’s test of control – should determine that the system development procedures that
exist are properly functioning and are adequately documented, and that all documentation
pertaining to procedures, programs or methodologies is up to date and written in
clear and concise language.

c. Hardware and systems software controls – the reliability of EDP hardware has
increased dramatically over the years, not only due to advancements in technology
but also due to the controls built into the mechanism to detect and prevent equipment
failures.
• The auditor should be aware of the control features inherent in computer hardware,
operating systems and other supporting software and ensure that they are utilized to the
maximum possible extent.
• Systems software should be subjected to the same control procedures as those applied to
installation of and changes to application programs.
• Examples of hardware and software controls include:
i. Parity check – a special bit is added to each character stored in memory that
can detect if the hardware loses a bit during the internal movement of a
character.
ii. Echo check – primarily used in telecommunications transmissions. During the
sending and receiving of characters, the receiving hardware repeats back to the
sending hardware what it received, and the sending hardware automatically
resends any characters that it detects were received incorrectly.
iii. Diagnostic routines – hardware or software supplied by the manufacturer to
check the internal operations and devices within the computer system. These
routines are often activated when the system is booted up.
iv. Boundary protection – most CPUs have multiple jobs running simultaneously. To
ensure that these simultaneous jobs cannot destroy or change the allocated
memory of another job, the system contains boundary protection controls.
v. Periodic maintenance – the system should be examined periodically by a
qualified service technician to help prevent unexpected hardware failures.

Auditor’s test of control – should test whether the controls are functioning as intended. In addition,
audit software can be used to analyze the data collected by the diagnostic routines and detect
significant trends.
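The parity check (item i above) and the echo check (item ii above, and again under transmission controls in the application section) are easiest to understand in code. The following is an added example and not part of the lecture notes: it stores a 7-bit character with an even parity bit, shows which bit errors the parity check does and does not catch, and simulates an echo-check retransmission over a constructed noisy line. Even parity, the message and the error pattern are all assumptions made for the example.

```python
# Added example, not from the lecture notes: a simulation of the parity check and
# echo check described above. The message, the "channel" and its error pattern are
# all constructed here; even parity is assumed.

EVEN = 0  # target: the number of 1-bits in a stored byte must be even


def parity_bit(code: int) -> int:
    """Parity bit that makes the 1-bit count of a 7-bit character even."""
    return bin(code & 0x7F).count("1") % 2


def encode_char(ch: str) -> int:
    """Store a 7-bit ASCII character with its parity bit in bit 7."""
    code = ord(ch)
    if code > 0x7F:
        raise ValueError("7-bit ASCII only")
    return (parity_bit(code) << 7) | code


def parity_ok(stored: int) -> bool:
    """Hardware-side check: does the stored byte still have even parity?"""
    return bin(stored & 0xFF).count("1") % 2 == EVEN


def flip_bit(value: int, position: int) -> int:
    """Simulate the hardware losing or gaining one bit."""
    return value ^ (1 << position)


def echo_send(message: str, corrupt_first_attempt: set) -> list:
    """Simulate an echo check over a constructed noisy line.

    The sender transmits one encoded character at a time, the receiver echoes
    back exactly what it received, and the sender resends until the echo matches.
    Positions listed in `corrupt_first_attempt` lose bit 0 on their first try only.
    Returns (position, attempts_needed) for each character.
    """
    transcript = []
    for pos, ch in enumerate(message):
        sent = encode_char(ch)
        attempts = 0
        while True:
            attempts += 1
            corrupted = pos in corrupt_first_attempt and attempts == 1
            received = flip_bit(sent, 0) if corrupted else sent
            echoed = received  # the receiver repeats back what it got
            if echoed == sent:
                break
        transcript.append((pos, attempts))
    return transcript


if __name__ == "__main__":
    byte = encode_char("A")
    print(f"A stored as {byte:08b}, parity ok: {parity_ok(byte)}")
    print(f"one bit flipped, parity ok: {parity_ok(flip_bit(byte, 3))}")
    print(f"two bits flipped, parity ok: {parity_ok(flip_bit(flip_bit(byte, 3), 5))}")
    print("echo transcript:", echo_send("PAY", {1}))
```

Two points the auditor should keep in mind follow directly from the simulation: a parity bit detects any single-bit loss but is silent when two bits change in the same character, and neither control corrects data by itself; the parity check only flags the error, and the echo check relies on the sender retransmitting until the echo matches.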

d. Access controls – the computer system should have adequate security controls to
protect equipment, files and programs.
• Access to program documentation should be limited to those persons who require it
in the performance of their duties.
• Access to data files and programs should be limited to those individuals authorized to
process data.
• Access to computer hardware should be limited to authorized individuals such as
computer operators and their supervisors.
• Access to the EDP environment is affected both physically and electronically.
i. Physical access controls – limited physical access (e.g. guards, automated key
cards, manual key locks as well as newer access controls based on fingerprints or palm
prints) and use of ID badges and visitor entry logs.
ii. Electronic access controls – access control software/user identification (e.g.
identification codes and passwords), call-back and encryption boards.

Auditor’s test of control – includes attempting to violate the system, either physically or
electronically, or reviewing any unauthorized access that has been recorded.
The tests should also ensure that all security violations are followed up on to
establish that they are errors.
e. Data and procedural controls – a written manual of systems and procedures should be
prepared for all computer operations and should provide for management’s general or
specific authorization to process transactions. An independent party should review and
evaluate proposed systems at critical stages of development and review and test
computer processing activities.
• A control group should receive all data to be processed, ensure that all data are
recorded, follow up errors during processing, determine that transactions are
corrected and resubmitted by the proper user personnel and verify the proper
distribution of output.
• To prevent unnecessary stoppages or errors in processing, the following specific
controls should be implemented:
i. Operations run manual – specifies in detail the “how to’s” for each
application to enable the computer operator to respond to any errors that may
occur.
ii. Backup and recovery – to ensure preservation of historical records and the
ability to recover from an unexpected error, files created within EDP are backed
up in a systematic manner (e.g. a “snapshot” in a database system, the grandfather-
father-son method, off-site storage of critical files).
iii. Contingency processing – detailed contingency processing plans should be
developed to prepare for natural disasters, man-made disasters or general
hardware failures that disable the data center (e.g. very hot sites, hot sites and
cold sites).
iv. File protection ring – used to ensure that an operator does not use a magnetic
tape as a tape to write on when it actually has critical information on it.
v. Internal and external labels – allow the computer operator to determine
whether the correct file has been selected for processing.

Auditor’s test of control – normally include identification, observation and inquiry. While
some of the data and procedural controls are easy to implement, other controls such as
contingency processing are more difficult and costly to implement. The auditor should
determine that these controls are either present or that management has accepted the
related risks and that all exceptions are scrutinized.

INTERNAL CONTROL IN A CIS ENVIRONMENT – APPLICATION CONTROLS

CIS APPLICATION CONTROLS – relate to a specific application instead of multiple
applications and are implemented to establish specific control procedures over the
application systems in order to provide reasonable assurance that all transactions are
authorized, recorded and are processed completely, accurately and on a timely basis.

CIS application controls include:

a. Controls over input – designed to provide assurance that:

• Transactions are properly authorized before being processed by the computer.

• Transactions are accurately converted into machine-readable form and recorded in
the computer data files.

• Transactions are not lost, added, duplicated or improperly changed.

• Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a
timely basis.

Input controls attempt to ensure the validity, accuracy and completeness of data
entered into a CIS.

Input controls may be subdivided into:

• Data observation and recording, which includes:

i. The use of pre-numbered and pre-printed documents.
ii. Keeping blank forms under lock and key.
iii. Online computer systems offer menu screens, preformatted screens, use of
scanners that read bar codes and use of feedback mechanisms to approve a
transaction.
iv. Self-checking digit – a mathematically calculated digit which is usually added to a
document number to detect common transpositional errors in data submitted
for processing.

• Data transcription (batching and converting), which includes:

i. Carefully structured source documents and input screens.
ii. Control totals – computed based on the data submitted for processing. They are
further categorized into financial/amount control/batch/proof totals, hash totals
and record counts.
iii. Key verification, requiring data to be entered twice.
iv. Visual verification.

• Edit tests of transaction data, which include:

i. Validity check – a check which allows only valid transactions or data to be
entered into the system (e.g. M – male; F – female).
ii. Reasonableness and limit check – these tests determine whether amounts
entered are too high, too low or unreasonable (e.g. hours worked should not exceed
40 hours a week, and an increase in salary should be reasonable compared to the salary base).
iii. Field check – a check that makes certain that only numbers, alphabetical
characters, special characters and proper negative and positive signs are
accepted into a specific data field where they are required (e.g. numbers do not
appear in fields reserved for words).
iv. Sequence check – a check that requires successive input data to be in some
prescribed order, to avoid missing an input.
v. Field size check – requires an error message to result if an exact number of
characters is to be input and is not met.
vi. Logic check – ensures that illogical combinations of inputs are not accepted
into the computer.
vii. Range check – ensures that particular fields fall within specified ranges.
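All seven edit tests can be implemented as one pass over a batch of input records. The following is an added example, not from the lecture notes: only the 40-hour weekly limit and the M/F validity codes come from the text; the record layout, the 25% raise tolerance, the hourly-rate range, the six-character employee id and the sample payroll-change records are assumptions constructed for the example.

```python
# Added example, not from the lecture notes: the seven edit tests applied to a
# constructed batch of payroll-change records. Only the 40-hour limit and the M/F
# codes are taken from the notes; every other tolerance, field and record is assumed.
import re
from typing import Dict, List, Tuple

MAX_HOURS_PER_WEEK = 40            # from the notes
MAX_RAISE_FRACTION = 0.25          # assumed reasonableness tolerance for a salary increase
RATE_RANGE_CENTS = (1000, 10000)   # assumed acceptable hourly rate, in cents
EMP_ID_LENGTH = 6                  # assumed fixed field size
VALID_SEX_CODES = {"M", "F"}       # from the notes
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]*$")  # alphabetic field: no digits allowed


def edit_checks(records: List[Dict]) -> List[Tuple[int, str]]:
    """Run every edit test over the batch and return (seq, test name) for each failure.

    Records are checked in file order so the sequence check can compare each
    record's number with the one expected after its predecessor.
    """
    failures: List[Tuple[int, str]] = []
    expected_seq = None
    for rec in records:
        seq = rec["seq"]
        if rec["sex"] not in VALID_SEX_CODES:                                  # validity check
            failures.append((seq, "validity"))
        if rec["hours"] > MAX_HOURS_PER_WEEK:                                   # limit check
            failures.append((seq, "limit"))
        if rec["new_salary"] > rec["old_salary"] * (1 + MAX_RAISE_FRACTION):    # reasonableness check
            failures.append((seq, "reasonableness"))
        if not NAME_PATTERN.match(rec["name"]):                                 # field check
            failures.append((seq, "field"))
        if expected_seq is not None and seq != expected_seq:                    # sequence check
            failures.append((seq, "sequence"))
        expected_seq = seq + 1
        if len(rec["emp_id"]) != EMP_ID_LENGTH:                                 # field size check
            failures.append((seq, "field_size"))
        if rec["terminated"] and rec["new_salary"] > rec["old_salary"]:         # logic check
            failures.append((seq, "logic"))
        low, high = RATE_RANGE_CENTS
        if not low <= rec["rate_cents"] <= high:                                # range check
            failures.append((seq, "range"))
    return failures


def record(seq, emp_id, name, sex, hours, rate_cents, old_salary, new_salary, terminated=False):
    """Build one constructed payroll-change record."""
    return dict(seq=seq, emp_id=emp_id, name=name, sex=sex, hours=hours, rate_cents=rate_cents,
                old_salary=old_salary, new_salary=new_salary, terminated=terminated)


# Constructed input file: one clean record followed by three deliberately flawed ones.
SAMPLE_RECORDS = [
    record(1, "E00123", "Alice Smith", "F", 38, 2500, 50000, 52000),
    record(2, "E00124", "Bob Jones", "X", 45, 2500, 50000, 52000),       # bad sex code, 45 hours
    record(4, "E0012", "Carol 7", "F", 0, 25000, 40000, 80000),          # seq 3 missing, short id, digit in name, rate out of range, 100% raise
    record(5, "E00126", "Dan O'Neil", "M", 20, 2500, 30000, 31000, terminated=True),  # raise for a terminated employee
]

if __name__ == "__main__":
    for seq, test in edit_checks(SAMPLE_RECORDS):
        print(f"record {seq}: failed {test} check")
```

Note that one record can fail several tests at once; a well-designed edit run reports all of them rather than stopping at the first, so the user department can correct and resubmit the record in one pass, which is the "rejected, corrected and resubmitted on a timely basis" objective stated above.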

• Transmission of transaction data, which includes:

i. Echo check – transmitting data back to the originating terminal for comparison
with the transmitted data.
ii. Redundancy data check – transmitting additional data to aid in the verification
process.
iii. Completeness check – verifying that all required data have been entered and
transmitted.
b. Controls over processing and computer data files – designed to provide
reasonable assurance that:
• Transactions, including system-generated transactions, are properly processed by
the computer.
• Transactions are not lost, added, duplicated or improperly changed.
• Processing errors are identified and corrected on a timely basis.

Processing controls help assure that data are processed accurately and completely, that no
unauthorized transactions are included, that the proper files and programs are included
and that all transactions can be easily traced. Processing controls include:
• Manual cross checks – include checking the work of another employee,
reconciliations and acknowledgments.
• Processing logic checks – many of the programmed edit checks used in the input
stage may also be employed during processing.
• Run-to-run totals – batched data should be controlled during processing runs so
that no records are omitted or incorrectly inserted into a transaction file.
• File and program changes – to ensure that transactions are posted to the proper
account, master files should be checked for correctness and programs should be
validated.
• Audit trail linkages – a clear audit trail is needed to enable individual transactions
to be traced, to provide support for general ledger balances, to prepare financial
reports and to correct transaction errors or lost data.
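Run-to-run totals differ from the batch totals taken at input: a control trailer written at the end of one run is recomputed and compared at the start of the next, and within an edit run the records accepted plus the records rejected must account for everything that came in. The block below is an added example, not from the lecture notes; the two-run pipeline, the rejection rule (a negative amount) and the transaction file are constructed for it, and amounts are integer cents.

```python
# Added example, not from the lecture notes: run-to-run totals carried between two
# processing runs of a constructed transaction file (amounts in integer cents).
from typing import Dict, List, Tuple

Record = Tuple[int, int]   # (account number, amount in cents)


def trailer(records: List[Record]) -> Dict[str, int]:
    """Control trailer written at the end of a run: record count and amount total."""
    return {"count": len(records), "amount": sum(amount for _, amount in records)}


def run_edit(input_file: List[Record]):
    """Run 1 (edit run): split the input into accepted and rejected records.

    A negative amount is the constructed rejection rule. Returns both files and
    the trailer describing what is passed forward to the next run.
    """
    accepted = [r for r in input_file if r[1] >= 0]
    rejected = [r for r in input_file if r[1] < 0]
    return accepted, rejected, trailer(accepted)


def reconcile_edit_run(input_file, accepted, rejected) -> bool:
    """Run-to-run control inside run 1: everything that came in must have gone out,
    either to the accepted file or to the reject listing."""
    t_in, t_acc, t_rej = trailer(input_file), trailer(accepted), trailer(rejected)
    return (t_in["count"] == t_acc["count"] + t_rej["count"]
            and t_in["amount"] == t_acc["amount"] + t_rej["amount"])


def run_post(received_file: List[Record], carried: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Run 2 (posting run): before posting anything, recompute the totals of the
    file actually received and compare them with the trailer run 1 wrote."""
    actual = trailer(received_file)
    mismatched = sorted(k for k in carried if carried[k] != actual[k])
    return (not mismatched, mismatched)


# Constructed input file: three good records and one that the edit run rejects.
CONSTRUCTED_INPUT: List[Record] = [(4120, 25000), (4130, -1500), (5010, 120050), (4120, 9995)]


def simulate(lose_record_between_runs: bool) -> Dict:
    """Drive both runs; optionally drop one accepted record on the way to run 2
    to show what the run-to-run comparison catches."""
    accepted, rejected, carried = run_edit(CONSTRUCTED_INPUT)
    if not reconcile_edit_run(CONSTRUCTED_INPUT, accepted, rejected):
        raise RuntimeError("edit run did not account for all input records")
    handed_over = accepted[1:] if lose_record_between_runs else accepted
    ok, mismatched = run_post(handed_over, carried)
    return {"rejected": len(rejected), "ok": ok, "mismatched": mismatched}


if __name__ == "__main__":
    print("clean hand-over:        ", simulate(False))
    print("record lost between runs:", simulate(True))
```

The posting run refuses to start when the trailer does not agree with what it received, which is the point of the control: a record lost or inserted between runs is caught before it reaches the master file, not after the general ledger is out of balance.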

c. Controls over output – designed to provide reasonable assurance that:

• Results of processing are accurate.
• Access to output is restricted to authorized personnel.
• Output is provided to appropriate authorized personnel on a timely basis.

The following controls are frequently used to maintain the integrity of processing:
• Control totals – are compared with those computed prior to processing to ensure
completeness of information.
• Limiting the quantity of output and total processing time.

REVIEW OF CIS CONTROLS – general CIS controls that relate to some or all applications
are typically interdependent controls in that their operation is often essential to the
effectiveness of CIS application controls. Also, the general CIS controls may have a
pervasive effect on the processing of transactions in application systems.
If these controls are not effective, there may be a risk that misstatements might occur and
go undetected in the application system. Thus, weakness in general CIS controls may
preclude testing certain CIS application controls. Accordingly, it may be more efficient to
review the design of the general controls first before reviewing the application controls.
CIS application controls which the auditor may wish to test include:
a. Manual controls exercised by the user.
b. Controls over system output.
c. Programmed control procedures.
