Audits in the CIS Environment

First of all, let’s define what is meant by CIS. According to what I’ve searched in relation to
auditing, CIS usually means Computer Information Systems. It refers to using technology and computer
systems to handle, store, and retrieve financial and business information.

Comparing and Contrasting Manual and Computerized Audits

Both manual and computerized audits aim to ensure the integrity and reliability of financial and
operational processes. They involve verifying transactions, assessing controls, and ensuring compliance
with regulations. However, they differ in their methods and tools.

Manual audits rely on physical records and human effort, making them more suitable for non-
digital environments or smaller organizations. In contrast, computerized audits use technology to
analyze data, making them faster and more effective for handling large, complex systems.

The key differences between manual and computerized audits lie in their efficiency, scalability,
and accuracy. Manual audits are labor-intensive and prone to errors, whereas computerized audits are
efficient and consistent. However, manual audits excel in scenarios where qualitative judgment is
required or when systems lack digital infrastructure. On the other hand, computerized audits thrive in
modern, automated environments, but they require technical skills and are vulnerable to technological
risks.

The Effect of CIS On Internal Control

The rise of Computer Information Systems (CIS) has greatly impacted internal controls in
organizations, improving efficiency, security, and accountability. From my experience, CIS enhances
automation, reducing human error in tasks like transaction processing and data entry. It also enables
real-time monitoring to detect fraud or discrepancies quickly, while centralized databases make data
more consistent and accessible, simplifying audits.

CIS also strengthens security through features like user authentication, data encryption, and
access controls, which protect sensitive information from unauthorized access. However, the complexity
of modern IT systems poses challenges, such as risks from system failures or cyberattacks, requiring
constant updates to security measures.
 In conclusion, while CIS improves internal controls, it introduces new risks. Organizations must
implement strong controls and regularly audit their systems to maintain integrity and adapt to evolving
security threats.

Different Approaches to CIS Audits

There are several approaches to CIS audits:

Auditing Around the Computer: This approach focuses on verifying the inputs and outputs of a system
without examining its internal processes. Auditors check if the results are accurate based on the data
entered, without assessing the system’s logic.

Auditing Through the Computer: In this approach, auditors examine the internal workings of the system,
including its processes, controls, and data flows, to ensure proper functioning and compliance.

Integrated Auditing: This combines both auditing around and through the computer. It involves
reviewing both system outputs and the internal processes, using automated tools and techniques to
assess system controls and data integrity.

ESSENTIAL PART OF THE TOPIC:

Types of Computer Systems

Transaction Processing Systems (TPS)

These systems handle day-to-day business operations by processing transactions such as sales,
payroll, and inventory management.

Examples: Point of Sale (POS) systems, accounting software.

2. Management Information Systems (MIS)

To provide managers with reports and tools to support decision-making. It focuses on

Examples: Business intelligence dashboards, financial reporting tools.

3. Decision Support Systems (DSS)

Interactive systems used for problem-solving and decision-making. It often includes data
modeling, "what-if" analysis, and predictive analytics.

Examples: Budgeting software, forecasting tools, supply chain analytics.

4. Enterprise Resource Planning (ERP) Systems

Integrated systems that manage core business processes like finance, HR, manufacturing, and
supply chain in one platform.
 Examples: SAP, Oracle, Microsoft Dynamics.

5. Customer Relationship Management (CRM) Systems

Systems that manage customer data, interactions, and relationships.

Often used in marketing, sales, and customer support.

Examples: Salesforce, HubSpot

6. Specialized Application Systems

Systems designed for specific industries or business needs.

Examples: Healthcare management systems, banking software, or logistics platforms.

7. Cloud-Based Systems

Systems hosted online, accessible via the internet, and managed by third-party providers.

Examples: Google Workspace, Amazon Web Services (AWS) platforms.

8. Embedded Systems

Systems built into hardware devices to perform specific functions.

Examples: Manufacturing automation systems.

9. Database Management Systems (DBMS)

Systems that store and manage data for access by other applications or users.

Examples: SQL Server, Oracle Database.

10. Networked Systems

Systems connected through local or wide-area networks to facilitate communication and

Examples: Intranets, VPNs, and cloud networks.

Batch and Real-time Processing

In a CIS audit, batch processing and real-time processing refer to how data is handled within computer
systems.

Batch Processing

Definition: Data is collected, grouped, and processed at a scheduled time or in large batches, not
immediately after each transaction.

Example: Payroll systems that process employee salaries at the end of a pay period.
 Audit Focus: Ensuring the accuracy and completeness of data in the batch, verifying controls like
error handling and reconciliation.

Real-Time Processing

Definition: Data is processed immediately as transactions occur, providing instant updates to

Example: ATM withdrawals or online banking transactions.

Audit Focus: Ensuring real-time systems process data accurately, maintaining data integrity, and
implementing proper access controls to prevent fraud or errors.

General and Application Controls

General controls- apply to the overall IT environment and ensure all systems function properly. They
include access controls to allow only authorized users (e.g., passwords and multi-factor authentication),
change management to oversee and approve system updates, and data backup and recovery to protect
against data loss. Physical security safeguards IT equipment from unauthorized access or damage, while
IT governance ensures IT operations align with business goals through proper policies and procedures.

Audit Focus:

-Verifying that general controls prevent unauthorized access, maintain data integrity, and
support system availability.

-Assessing the effectiveness of backup, disaster recovery, and incident response processes.

Application Controls- as what I have learned, it focuses on specific software or systems to ensure data is
accurate, complete, and properly processed. These include input controls to check data accuracy during
entry, processing controls to ensure correct handling of data, and output controls to verify accurate and
complete reports. Authorization controls ensure only approved transactions are processed, while
integrity controls protect data from corruption or errors during storage and processing.

Audit Focus:

-Evaluating whether application controls ensure data is entered, processed, and output
accurately.

-Reviewing the alignment of application controls with organizational policies and user
requirements.

Key Difference

General Controls: Broad, system-wide; focus on the IT environment and its overall governance.
 Application Controls: Specific, transaction-focused; ensure the accuracy of data within particular
applications.

In the Computer Information Systems (CIS) audit environment, the methodologies used to
evaluate the integrity, security, and accuracy of IT systems are critical. Two common approaches are
auditing around the computer and auditing through the computer. These methods differ in their focus,
scope, and depth of analysis, but both aim to assess the reliability of systems in supporting financial and
operational processes.

Auditing Around the Computer

Auditing around the computer involves evaluating the inputs and outputs of a system without
examining its internal processes or logic. In this approach, the auditor focuses on verifying that the data
entered into the system (inputs) aligns with the results produced (outputs). The underlying assumption
is that if the outputs are accurate and consistent with the inputs, the system's processing can be trusted.

For example, an auditor may review employee timesheets (inputs) and compare them to payroll
reports (outputs) to confirm that salaries are calculated correctly. However, this method does not
involve checking the software's algorithms, controls, or logic that processes the data.

While auditing around the computer is straightforward and less time-consuming, it has limitations. It
may fail to detect errors or fraud within the system’s processing logic, making it less suitable for
complex or highly automated environments. As a result, this approach is often used when the system’s
reliability is already well-established or when resources are limited.

Auditing Through the Computer

In contrast, auditing through the computer involves a deeper analysis of the system's internal
workings, including its processing logic, controls, and data flows. The auditor examines how data is
processed within the system to ensure accuracy, completeness, and compliance with established
controls.

This method often includes using tools like test data, which is input into the system to observe
how it processes transactions. Additionally, auditors may use embedded audit modules, specialized
software, or system walkthroughs to evaluate the system’s performance and identify potential
weaknesses.

For example, in a financial system, the auditor may test how the system handles unusual
transactions or how access controls prevent unauthorized changes to financial records. This approach
provides a more comprehensive understanding of the system's reliability and is particularly effective for
modern, automated environments where significant data processing occurs within the system.