Modules_auditing in Cis

The document provides an overview of auditing in a Computerized Information System (CIS) environment, emphasizing the importance of understanding internal controls, risks, and the auditor's skills in assessing the impact of CIS on financial reporting. It outlines the components of information systems, the transition from manual to computerized systems, and highlights the need for specialized knowledge and techniques in auditing due to the complexities introduced by technology. Additionally, it discusses the significance of data management, control procedures, and the evolving nature of audit practices in response to advancements in information technology.

Uploaded by

Gailey Maltese

MODULE 1 - OVERVIEW OF AUDITING IN CIS ENVIRONMENT

INFORMATION SYSTEM

- Auditing in CIS Environment
  → A CIS environment exists when a computer of any type or size is involved in the processing by an entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.

- How the CIS Environment affects the audit
  → The use of a computer has implications for the processing, storage, and communication of financial information, and therefore affects the internal control structure employed by the entity.
    ● CIS roles include performing controls and providing information to management to assist them in controlling the business.
    ● Under a manual information system (MIS), management tends to require reperformance or review of the system to confirm integrity and consistency, BUT under a CIS, management assumes that the computer system works correctly and does not need to be reviewed. Thus effective design, testing, implementation and ongoing maintenance of the system are important factors in its integrity.
  → The CIS environment affects all aspects of the audit, including:
    ● Consideration of inherent risk and control risk
    ● Procedures followed by the auditor to obtain sufficient understanding of the internal control structure
    ● The auditor's design and performance of audit procedures

- Skills and Competence
  → The auditor should have sufficient knowledge of the CIS to plan, direct, supervise, and review the work performed.
  → The auditor should consider whether specialized CIS skills are needed in an audit.
  → When using the work performed by a CIS expert, the auditor should obtain sufficient appropriate audit evidence that such work will be adequate for the purpose of the audit.
  → Specialized skills may be needed to:
    ● Determine the effect of the CIS environment on the assessment of overall audit risk and of risk at the account balance and class of transaction levels
    ● Obtain an understanding of the internal control structure affected by the CIS environment and its effect on the business operations of the entity
    ● Design and perform appropriate tests of controls and substantive procedures
    ● Evaluate the results of procedures performed

- Knowledge of the Business
  → The auditor should have or obtain a knowledge of the CIS environment sufficient to enable the auditor to assess its potential impact on the identification and understanding of the events, transactions, and practices that, in the auditor's judgment, may have a significant effect on the financial report or audit report.
  → Matters the auditor would ordinarily consider in obtaining this knowledge include:
    ● The entity's use of and attitude towards information technology and the effect of this on the nature and source of system applications
      ○ For example, the extent to which the entity purchases recognized and proven system applications or develops system applications in-house or under contract
    ● Usage of CIS by the entity compared with general usage within the industry and the local environment within which the entity operates, and information technology trends, including generally available information about CIS usage by competitors and trading partners
    ● Recent and planned changes to the entity's CIS and CIS environment
      ○ For example, outsourcing the CIS department, changing the technical platform, and changing CIS leadership and business direction

- Planning
  → The auditor should obtain an understanding of the CIS environment regarding the following:
  a. Internal control structure
    → The organizational structure of the entity's CIS activities and the extent of concentration or distribution of computer processing and development throughout the entity, particularly as they may affect segregation of duties at both the user and CIS personnel levels
    → Plans by the entity to replace or significantly change a CIS where these changes will affect the internal control structure
  b. Significance and complexity of the computer processes
    → The significance of computer processing in each significant accounting application. For this purpose, significance relates to the materiality of the financial report assertions affected by the computer processing.
    → The complexity of computer processing in each significant accounting application. Applications may be considered complex when, for example:
      ● The volume of transactions is such that users would find it difficult to identify and correct errors in processing
      ● The computer automatically generates material transactions or entries directly to another application (integrated systems)
      ● The computer performs complicated computations of financial information and/or automatically generates material transactions or entries that may not be (or are not) validated independently
      ● Transactions are exchanged electronically with other organizations
  c. Availability of data for use in the audit
    → Source documents, certain computer files, and other evidential matter that may be required by the auditor may exist for only a short period or only in machine-readable form. An entity's CIS may generate internal reports that may be useful in performing substantive tests.
    → The potential for use of computer-assisted audit techniques (CAATs) may permit increased efficiency in the performance of audit procedures, or may enable the auditor to economically apply certain procedures to obtain sufficient appropriate audit evidence.

- Assessment of Risk
  → The auditor should make an assessment of inherent and control risk for material financial report assertions.
  → The effectiveness of the design and operation of a CIS is dependent on system development and logical access control.
  → The design or operation of a CIS may introduce potential risks not present in similar manual systems. The auditor would consider the process by which computer information is produced.
    ● For example, sales invoices automatically generated from a price matrix, and the extent to which this affects audit risk
  → As new CIS technologies emerge, the sophistication and complexity of CIS increase. As a result, they may increase risk and require further consideration.
  → CISs allow large volumes of information to be processed without review, based on pre-agreed rules, reporting a small number of exceptions for manual follow-up.
    ● The design of the system therefore becomes increasingly important to ensure that errors are properly identified by the system.
    ● Where exceptions occur, management needs to implement control procedures to ensure that the errors are properly investigated. In these circumstances, the auditor needs to consider, where appropriate, the effectiveness of the manual follow-up procedures implemented by management.
  → The inherent and control risks in a CIS environment may have both a pervasive (inevitable) and an account-specific effect on the likelihood of material misstatement:
    ● The risk may result from deficiencies in CIS activities that will have a pervasive effect on ALL application systems that are processed on the computer. (Pervasive effect)
      ○ Deficiencies in program development, system software support, physical CIS security and control over access to computer programs will affect all the operations run in the computer system.
    → The risks may increase the potential for errors or fraudulent activities in specific applications, in specific databases or master files, or in specific processing activities. (Account-specific effect)
      ● For example, errors are not uncommon in systems that perform complex logic tasks or calculations, or that must deal with many different exception conditions. Systems that control cash disbursements or other liquid assets are more susceptible to fraudulent action.
  → In making the assessment of inherent and control risks, the auditor would consider such matters as the extent to which:
  a. The client develops and operates their own applications rather than outsourcing and using established industry and financial packages
  b. Aspects of the entity's industry or internal environment may affect the development and application of controls
    ● For example, competitive pressure to introduce EDI may result in the entity using a CIS that is not adequately controlled or not performing in accordance with specifications
  c. The users have or can grant access to specific functions or data
  d. Users have the ability to change data and develop reports
  e. CIS controls affect the reliability of all application systems that are processed on the computer
    ● Are they applicable to specific applications only?
    ● Are they appropriate to the level of risk identified as associated with that application?
  f. The nature and extent of documentation regarding the CIS is appropriate given the complexity of the CIS environment and the inherent risks faced by it
  g. Factors that affect the quality of audit evidence available
    ● For example, a paperless environment may increase the potential for audit evidence to be incomplete, unreliable or difficult to obtain
  h. Specific risks associated with a particular CIS environment are identified
    ● For example, electronic fund transfer systems, where the risk of irregularities may be increased, or a complex CIS environment, where the risk of error may be higher
  i. End-user computing (which refers to any individual exercising control over and using a particular resource, or more particularly a software application) is used to produce financial information, in particular where this use may be more susceptible to manipulation
  j. Users lack the time, discipline or knowledge to effectively monitor the results of processing

- Audit Procedures
  → The auditor should consider the CIS environment in designing audit procedures to reduce audit risk to an acceptably low level.
    ● The application of audit procedures to gather audit evidence may be influenced by the methods of computer processing. The auditor can use either manual procedures, CAATs, or a combination of both to obtain sufficient appropriate audit evidence. However, where an entity uses a computer for processing significant applications, it may be difficult or impossible for the auditor to obtain certain data for inspection, confirmation or inquiry without computer assistance.
  → The identification of the nature and operation of controls will affect audit risk and its components and therefore the nature, timing and extent of audit procedures. For example:
    ● Where there is a complex calculation and inherent/control risks have been assessed as high:
      ○ The auditor may perform tests of controls on CIS controls or on controls that were changed due to the CIS
      ○ The auditor may change the nature of its audit procedures, e.g. additional emphasis on analytical procedures, or reperformance of calculations
    ● Where there are less complex calculations but inherent risk has been assessed as high:
      ○ For example, irregularities resulting in an increased risk of material misstatement:
        ■ the auditor may design audit procedures to obtain audit evidence regarding access to critical functions, particularly by users, and regarding controls which provide for effective review and approval
  → Because of the characteristics of a CIS environment, the nature, timing and extent of audit procedures may differ from those audit procedures conducted in a manual environment. For example:
    ● The nature, timing and extent of audit procedures on the performance of computer controls and computer processes can be restricted to cover the key processes. These tests may be performed using test data. Their effectiveness is subject to:
      ○ conducting audit procedures which provide audit evidence as to the continuing and consistent operation of specific systems throughout the period
      ○ obtaining an understanding of the various alternative processes which contribute to the process or control being tested, and clearly defining these
      ○ assessing the effect of the key processes being affected by other processes or information
    ● The auditor may use the results of audit procedures conducted in prior periods when the auditor has obtained sufficient appropriate audit evidence that no changes to the CIS environment have been identified.
  → In evaluating the results of audit procedures, errors identified may have a significant effect on the application or on data used in an application.
    ● Thus, the auditor needs to understand the nature of the error identified and its effect on the nature, timing and extent, and results, of audit procedures.
MODULE 2 - INFORMATION SYSTEM

- System
  → A group of interrelated components working together to achieve a common goal or to perform a task.

- Information System
  → An information system is a set of interrelated components working together to collect, process, store and disseminate information to support decision making, coordination, control, analysis and visualization in an organization.
  a. Functional Perspective
    → An information system is a technologically implemented medium for the purpose of recording, storing and disseminating linguistic expressions, as well as for the support of inference making.
    → The user's point of view while using the system
  b. Structural Perspective
    → An information system consists of a collection of people, processes, data, models, technology and partly formalized language, forming a cohesive structure which serves some organizational purpose or function.
    → IS are socio-technical: they consist of humans, behavior rules, and conceptual and technical artifacts.

- Three Activities in an IS
  → Input captures or collects raw data from within the organization or from its external environment.
  → Processing converts raw data into a more meaningful form (information, or output).
  → Output is disseminated to the people who will use it.
  → An information system also requires feedback, which is output that is returned to appropriate members of the organization to help them evaluate or correct the input stage.

- Computerized Information System
  → An information system that uses computer technology to perform some or all of its intended tasks
  → It varies depending on the size of the company.

- Components of Information System
  1. People resources – end users, IS specialists, system analysts, programmers, data administrators, etc.
    ● End users- people who use an information system or the information it produces (accountants, engineers, clerks, customers, etc.)
    ● IS Specialists- people who actually develop and operate information systems (system analysts, programmers, testers, etc.)
      ○ System analysts design information systems based on the information requirements of end users
  2. Hardware – physical computer equipment, associated devices, machines and media
    ● Machines- computers and other equipment, along with all data media (objects on which data is recorded and saved)
    ● Computer Systems- consist of a variety of interconnected peripheral devices
  3. Software- programs and procedures
    ● System Software- operating system
    ● Application Software- programs that direct processing for a particular use of computers by end users
    ● Procedures – operating instructions for the people who will use the information system
  4. Data- data and knowledge bases
    ● Alphanumeric Data- letters and numbers
    ● Text Data- sentences and paragraphs
    ● Image Data- graphic shapes and figures
    ● Audio Data- human voice or other sounds
    ● Others – biometric
    → Criteria of data resources
      ● Comprehensiveness- all the data about the subject are actually present in the database
      ● Non-redundancy- each individual piece of data exists only once in the database
      ● Appropriate Structure- data are stored in such a way as to minimize the cost of expected processing and storage
  5. Networks- communication media and network support
    ● Telecommunication networks- internet, intranet, extranet, computers, communication processors and other devices interconnected by communications media and controlled by communications software
      ○ Communication media- twisted pair wire, fiber-optic cable, microwave systems and communication satellite systems
      ○ Network support- includes all of the people, hardware, software, and data resources that directly support the operation and use of a communications network

- Computers and Information System
  → Information systems are much more than just computers. It is not sufficient just to learn about computers; it is also necessary to understand the procedures related to the systems that you are trying to build.
  → Computers are only one part of the complex system that must be designed, operated and maintained.

- Manual VS. Computerized Information System

- Impact of Changes from Manual to Computerized
  a. Primary Changes
    ● Process of recording transactions
    ● Form of accounting records
    ● Use of loose-leaf stationery
    ● Use of accounting codes
    ● Absence of a link between transactions
  b. Recent Changes
    ● Mainframes are being substituted by mini- or microcomputers
    ● There is a shift from proprietary operating systems to more universal ones
    ● Relational database management systems are increasingly being used
    ● The methodology adopted for systems development is becoming crucial, and Computer Aided Software Engineering (CASE) tools are being used by many organizations
    ● End-user computing is on the increase, resulting in decentralized data processing
    ● The need for data communication and networking is increasing
    ● Common business documents are being replaced by paperless electronic data interchange
    ● Conventional data entry is giving way to scanners, digitized image processing, voice recognition systems, etc.
MODULE 3 - INTERNAL CONTROL IN COMPUTERIZED INFORMATION SYSTEM

- Internal Control
  → Internal control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to financial reporting, effectiveness and efficiency, and compliance with laws and regulations.

- Reasonable Assurance
  → Inherent limitations
    ● Faulty judgments in decision making
    ● Consideration of relative costs and benefits
    ● Breakdowns because of human failures, simple errors or mistakes
    ● Controls can be circumvented by collusion of two or more people
    ● Management override of the internal control system

- Components of Internal Control System
  ● Control Environment
  ● Risk Assessment Process
  ● Information System and related business processes relevant to financial reporting, and communication
  ● Control Activities
  ● Monitoring of Controls

- Control Activities in Computerized Information System
  1. General Controls- apply overall to the IT accounting system; they are not restricted to any particular accounting application
  2. Application Controls- used specifically in accounting applications to control inputs, processing and output

- General Controls
  a. Authentication of users (1)
    → Log-in restrictions- user ID and password
      ● User ID- uniform but differentiated
      ● Password- should consist of at least 8 characters and include non-alphanumeric characters. Secret, but sometimes user actions (sharing or writing it down) can defeat the purpose of the password
    → Smart Card and Security Token- reduce unauthorized access. Also known as two-factor authentication (something the user has and something the user knows)
    → Biometric Devices – unique physical characteristics of the user (fingerprint, retina scan, voice recognition and face recognition)
  b. Limiting unauthorized access (1)
    → Computer Log – complete record of all dates, times and uses for each user
      ● Nonrepudiation- a user cannot deny any particular act that he performed on the system
      ● Log-in of customers
    → User Profile- determines the user's access levels to hardware, software and data
    → Authority Table – contains the list of valid, authorized users and the access level granted to each one
    → Configuration Table- hardware, software and application programs can only be changed by authorized users
  c. Hacking (2)
    → Firewall- designed to block unauthorized access
    → Encryption- the process of converting data into secret codes referred to as cipher text. Encryption renders the data useless to those who do not possess the correct encryption key
      ● Symmetric Encryption- uses a single encryption key that must be used both to encrypt the data and to decode the encrypted data (same key for sender and receiver)
      ● Public Key Encryption- uses both a public and a private encryption key (sender uses the public key, receiver uses the private key)
    → Wired Equivalent Privacy (WEP)- encryption method mostly used in wireless networks that uses symmetric encryption keys. This method is susceptible to hacking.
    → Wireless Protected Access- improved encryption method that can check whether encryption keys have been tampered with. It authenticates the computer and the user first before transmitting data
    → Service Set Identifier (SSID)- a password that is passed between the sending and receiving nodes of a wireless network
    → Virtual Private Network (VPN)- employed when an employee connects to the system through a public network such as the internet
    → Secure Sockets Layer- web-based technology that can be used to limit access when employees use the Internet (https://)
  d. Other network break-ins (2)
    → Break-ins- a virus or worm inserted in the system
      ● Virus- self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions such as deleting files or shutting down the computer
      ● Worm- small piece of program code that attaches to the computer's unused memory space and replicates itself
    → Antivirus Software- continually scans the system for viruses and worms and either deletes or quarantines them
    → Long-range monitoring
      ● Vulnerability Assessment – identifies weaknesses of the IT system before they become break-ins
      ● Intrusion Detection- serves as an alarm when someone tries to break into the system
      ● Penetration Testing- legitimately attempting to break into an IT system to discover weaknesses
  e. Organizational structure
    → IT governance committee – suitable for a large IT system. It is composed of top executives such as the CEO, CFO, CIO and heads of business units.
      ● Align the IT system to business strategy
      ● Budget funds and personnel for the most effective use of the IT systems
      ● Oversee and prioritize changes in IT systems
      ● Develop, monitor, and review IT operational policies
      ● Develop, monitor and review security policies
    → The manner in which an organization establishes, delegates, and monitors IT system functions
      ● Functional responsibilities must be properly segregated (system analyst, programmers, operators and database administrator)
  f. Physical environment and physical security of the system
    → Physical Security- limits physical access to computer hardware and software so that malicious acts or vandalism do not disrupt the system and data are protected
    → The location of the IT system should be in an area that is least at risk of disaster, that properly controls dust, temperature and humidity, and that has a fire prevention system that does not use water
    → Uninterruptible Power Supply- keeps the computer running for several minutes after a power outage
    → Emergency Power Supply- alternative power supply that provides electrical power when the main source is lost
    → Limited access to computer rooms
    → Video surveillance equipment
    → Logs of persons entering and exiting the computer rooms
    → Locked storage of backup data and offsite backup data
  g. Business Continuity
    → Business Continuity Planning- a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks. Continuation of the IT system is an integral part of business continuity.
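The authentication and access-limiting controls above (password rule, authority table, computer log with nonrepudiation) can be tied together in a few lines. The following is an added example, not code from the module notes: the authority table contents, the resource names, the access-level ranking and the log record layout are all constructed assumptions. It denies anything the authority table does not explicitly grant and records every attempt, allowed or denied, so that the log can later be used for the manual follow-up of exceptions.

```python
"""General controls: password rule, authority-table check and computer log.

Added example, not from the module notes. The authority table, resources,
access-level ranking and log layout below are constructed for illustration.
"""
from __future__ import annotations
from datetime import datetime, timezone

# Constructed authority table: user ID -> access level granted per resource.
# Any user/resource pair not listed is denied (default deny).
AUTHORITY_TABLE = {
    "U1001": {"payroll_master": "read", "gl_journal": "write"},
    "U1002": {"payroll_master": "read"},
    "ADM01": {"config_table": "write"},   # only ADM01 may change the configuration table
}
LEVEL_RANK = {"none": 0, "read": 1, "write": 2}   # higher rank implies the lower ones

COMPUTER_LOG: list[dict] = []   # complete record of date, time, user and use


def password_acceptable(pw: str) -> bool:
    """Rule from the notes: at least 8 characters and at least one non-alphanumeric one."""
    return len(pw) >= 8 and any(not c.isalnum() for c in pw)


def authorize(user_id: str, resource: str, action: str,
              when: datetime | None = None) -> bool:
    """Grant the action only if the authority table holds an equal or higher level.

    Every attempt, allowed or denied, is appended to the computer log so the
    user cannot later deny the act (nonrepudiation).
    """
    granted = AUTHORITY_TABLE.get(user_id, {}).get(resource, "none")
    allowed = LEVEL_RANK[granted] >= LEVEL_RANK.get(action, 99)   # unknown action -> deny
    COMPUTER_LOG.append({
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user_id,
        "resource": resource,
        "action": action,
        "outcome": "ALLOW" if allowed else "DENY",
    })
    return allowed


def denied_attempts(user_id: str) -> list[dict]:
    """Exceptions for manual follow-up: every act this user was refused."""
    return [e for e in COMPUTER_LOG if e["user"] == user_id and e["outcome"] == "DENY"]


if __name__ == "__main__":
    authorize("U1001", "gl_journal", "write")        # allowed
    authorize("U1002", "payroll_master", "write")    # denied: only read granted
    authorize("U1002", "config_table", "read")       # denied: not in the table
    for entry in COMPUTER_LOG:
        print(entry)
```

The point of the design is that the authority table is the only source of truth for access levels, the check is default-deny, and the log is written before the result is returned, so there is no path through `authorize` that leaves no trace.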
    ● Strategy for backup and restoration of the IT system
    ● Disaster Recovery Plan
    → Backup Strategy
      ● Redundant Server- two or more computer network or data servers that can run identical processes or maintain the same data (redundant array of independent disks, RAID)
      ● Offsite Backup- an additional copy of the backup files stored in an offsite location
    → Disaster Recovery Plan- a plan for the continuance of the IT system after a disaster. Reactive rather than proactive.

- Risks
  1. Security Risk
  2. Availability Risk
  3. Processing Integrity Risk
  4. Confidentiality Risk

- Control and Risk Matrix

- Application Controls
  1. Input Controls- intended to ensure the accuracy and completeness of data input procedures and the resulting data
  2. Process Controls- intended to ensure the accuracy and completeness of the processing that occurs in the accounting applications
  3. Output Controls- intended to help ensure the accuracy, completeness and security of outputs that result from application processing

- Input Controls
  → GIGO: "Garbage in, garbage out"
  → Source Document Controls
    a. Form design
    b. Form authorization and control
    c. Retention of source documents
  → Standard procedures for data preparation and error handling
    ● Data Preparation- the process of collecting and preparing source documents
      ○ Which forms to use, when to use them, how to use them and where to route them
      ○ Reduces the chance of lost, misused, misdirected or incorrect data collection from source documents
    ● Error Handling- errors are logged, investigated, corrected and resubmitted for processing
  → Programmed edit checks
    ● Input validation checks
      ○ Field Check- examines the field to determine whether the appropriate type of data was entered (either numbers or letters; not applicable to fields holding both) (name or date)
      ○ Validity Check- examines the field to ensure that the value entered matches a preexisting list of acceptable values (civil status)
      ○ Limit Check- checks field input against a pre-established limit, but only an upper limit (maximum number of hours, no negatives)
      ○ Range Check- checks field input against pre-established upper and lower limits
      ○ Reasonableness Check- compares the value in a field with the fields to which it is related to determine whether the value is reasonable (pay rate vs. job category code)
      ○ Completeness Check- assesses the critical fields in an input screen to make sure that a value is present in those fields. It cannot ensure that the correct value was entered (SSS number)
      ○ Sign Check- examines a field to determine that it has the appropriate sign (+ or -)
      ○ Sequence Check- ensures that the batch of transactions is sorted in order, but does not help find missing transactions because it checks only sequence, not completeness
      ○ Self-checking digit- an extra digit added to a coded identification number, determined by a mathematical algorithm
      ○ Note: sequence and self-checking digit checks are more appropriate for transactions that are processed in batches.
  → Control totals and reconciliation
    ● Control Total- subtotals of selected fields for an entire batch of transactions. Totals are computed manually and reconciled with the computer-generated totals.
      ○ Record Counts- a simple count of the number of records processed
      ○ Batch Totals- totals of financial data such as total gross pay
      ○ Hash Totals – totals of fields that have no apparent logical reason to be added (no practical use except as a control)

- Processing Controls
  ● The application software has no errors
  ● Some of the input controls also serve as processing controls: control totals, limit and range checks, reasonableness check, sign check
  ● Run-to-run control totals- reconciliation of control totals at various stages of the processing
  ● Computer logs of transactions processed, production run logs, and error listings

- Output Controls
  → Objectives: (1) ensure the accuracy and completeness of the output and (2) properly manage the safekeeping of output reports to ascertain that the security and confidentiality of the information is maintained.
  → Users can notice whether the reports are complete and accurate. Any errors must be logged and corrected.
  → Output reports containing data that should not fall into the wrong hands are confidential; therefore, an organization must maintain procedures to protect output from unauthorized access.
  → Guidelines as to how reports are stored and the length of time they are to be retained
  → Sensitive output should be shredded
  → Most outputs are stored in the computer, thus authentication controls can help to prevent, detect and control access to them.

- Ethical Issues
  → Misuse of confidential customer information stored in an IT system
  → Theft of data, such as credit card information, by hackers
  → Employee use of IT system hardware and software for personal use or personal gain
  → Using company email to send offensive, threatening, or sexually explicit material
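The programmed edit checks, the control totals and the run-to-run reconciliation described for input and processing controls can all be exercised on one small batch. The following is an added example, not code from the module notes: the transaction layout, the job-category pay-rate table, the Luhn mod-10 scheme used for the self-checking digit and the four sample payroll records are constructed assumptions. It goes slightly beyond the notes by showing what each check catches on a deliberately flawed batch, and why a sequence check alone does not reveal a missing record.

```python
"""Programmed edit checks, batch control totals and run-to-run reconciliation.

Added example, not from the module notes. The record layout, reference tables,
check-digit scheme and the sample batch below are constructed for illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed reference data (assumptions, not from the notes).
JOB_CATEGORY_RATE = {"A": (10.0, 20.0), "B": (20.0, 35.0), "C": (35.0, 60.0)}
VALID_CIVIL_STATUS = {"single", "married", "widowed", "separated"}
MAX_HOURS = 80.0            # limit check: upper limit only
RATE_RANGE = (5.0, 100.0)   # range check: lower and upper limit


@dataclass
class Transaction:
    seq: int            # batch sequence number
    employee_id: str    # digits; the last digit is a self-checking digit
    name: str
    civil_status: str
    job_category: str
    hours: float
    pay_rate: float


@dataclass
class BatchTotals:
    record_count: int          # record count
    batch_total_gross: float   # batch total of a financial field (gross pay)
    hash_total_employee: int   # hash total: sum of employee IDs, no business meaning


def check_digit_ok(ident: str) -> bool:
    """Self-checking digit: Luhn mod-10 over the leading digits (assumed scheme)."""
    if not ident.isdigit() or len(ident) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(ident[:-1])):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (total + int(ident[-1])) % 10 == 0


def edit_checks(t: Transaction) -> list[str]:
    """Run the input validation checks on one record; return the failures found."""
    errors = []
    if not re.fullmatch(r"[A-Za-z .'-]+", t.name):            # field check: letters only
        errors.append("field:name")
    if not t.employee_id or not t.job_category:                 # completeness check
        errors.append("completeness")
    elif not check_digit_ok(t.employee_id):                     # self-checking digit
        errors.append("check_digit")
    if t.civil_status not in VALID_CIVIL_STATUS:                # validity check
        errors.append("validity:civil_status")
    if t.hours < 0 or t.pay_rate < 0:                           # sign check
        errors.append("sign")
    if t.hours > MAX_HOURS:                                     # limit check (upper only)
        errors.append("limit:hours")
    if not (RATE_RANGE[0] <= t.pay_rate <= RATE_RANGE[1]):      # range check (both ends)
        errors.append("range:pay_rate")
    lo, hi = JOB_CATEGORY_RATE.get(t.job_category, (0.0, 0.0))
    if not (lo <= t.pay_rate <= hi):                            # reasonableness: rate vs category
        errors.append("reasonableness:pay_rate")
    return errors


def sequence_check(batch: list[Transaction]) -> bool:
    """True when the batch is in sequence order; gaps are NOT detected."""
    seqs = [t.seq for t in batch]
    return seqs == sorted(seqs)


def compute_totals(batch: list[Transaction]) -> BatchTotals:
    return BatchTotals(
        record_count=len(batch),
        batch_total_gross=round(sum(t.hours * t.pay_rate for t in batch), 2),
        hash_total_employee=sum(int(t.employee_id) for t in batch if t.employee_id.isdigit()),
    )


def process_batch(batch: list[Transaction], manual_totals: BatchTotals) -> dict:
    """Edit-check every record, then reconcile control totals run to run."""
    results = {t.seq: edit_checks(t) for t in batch}
    accepted = [t for t in batch if not results[t.seq]]
    rejected = {seq: errs for seq, errs in results.items() if errs}   # logged for follow-up
    totals_in = compute_totals(batch)
    totals_ok = compute_totals(accepted)
    totals_rej = compute_totals([t for t in batch if t.seq in rejected])
    return {
        "accepted": accepted,
        "rejected": rejected,
        "in_sequence": sequence_check(batch),
        "reconciled": totals_in == manual_totals,     # manual vs computer-generated totals
        "run_to_run_ok": (                            # input totals == accepted + rejected totals
            totals_ok.record_count + totals_rej.record_count == totals_in.record_count
            and abs(totals_ok.batch_total_gross + totals_rej.batch_total_gross
                    - totals_in.batch_total_gross) < 0.005
            and totals_ok.hash_total_employee + totals_rej.hash_total_employee
            == totals_in.hash_total_employee
        ),
    }


# Constructed sample batch: records 3 and 4 carry deliberate input errors.
SAMPLE_BATCH = [
    Transaction(1, "12345674", "Ana Cruz", "single", "A", 40.0, 15.0),
    Transaction(2, "20000014", "Ben Reyes", "married", "B", 45.0, 30.0),
    Transaction(3, "12345675", "Cara Lim", "married", "C", 38.0, 40.0),  # bad check digit
    Transaction(4, "30000004", "Dan Ong", "divorced", "A", 90.0, 25.0),  # status, hours, rate
]
# Totals a clerk would prepare by hand before the batch is keyed (constructed).
MANUAL_TOTALS = BatchTotals(record_count=4, batch_total_gross=5720.0, hash_total_employee=74691367)

if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH, MANUAL_TOTALS))
```

Two things worth noticing when running it: the manually prepared totals reconcile even though two records fail edit checks, because control totals prove that nothing was lost or duplicated between stages, not that each record is valid; and `sequence_check` still passes when record 3 is removed from the batch, which is exactly the limitation the notes attribute to it.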
MODULE 4 - SPECIFIC CIS ENVIRONMENT

- Types of CIS Environment
1. System Configuration
● Computers, processes and devices that compose the system, and their boundaries.
2. Processing Systems
● A combination of machines, people, and processes that, for a set of inputs, produces a defined set of outputs.

- System Configuration
1. Large system computers
→ The processing tasks of multiple users are performed on a single centralized computer
→ All inputs move directly from the terminals to the central processor and, after processing, go back to the users from the central processor.
→ All terminals in these systems were called "dumb terminals", as they were not capable of processing data on their own and served only as input or output terminals.
→ These systems have become more efficient and sophisticated, and in many instances dumb terminals have given way to intelligent terminals, allowing data processing at the local level

2. Stand alone personal computers
→ One that is not connected to, or does not communicate with, other computer systems
→ Computing is done by one individual at a time
→ All input data and its processing take place on the machine itself
→ Many small businesses rely on personal computers for all their accounting functions
→ The advantage of a stand alone computer is damage control: when one computer is damaged, other computers are not affected.
→ The disadvantages of stand alone computers are:
● Users are restricted to one computer
● Software cannot be installed simultaneously
● Harder to monitor

3. Network Computing system
→ A network is a group of interconnected systems sharing services and interacting through shared communication links.
→ All networks have something to share, a transmission medium and rules for communication.
→ Networks share hardware and software resources.
→ Hardware Resources:
● Client Server- a server in a network is dedicated to performing specific tasks to support other computers on the network
● File Server- network applications that store, retrieve, and move data
● Database Server- provides a powerful facility to process data
● Message Server- provides a variety of communication methods, which take the form of graphics, digitized audio and video
● Print Server- manages print services on the network
→ Software Resources
a. Local Area Network (LAN)- computers located in a small area can be connected through cables. One computer acts as the server; it stores the program and data files centrally so that they can be accessed by the other computers forming part of the LAN.
b. Wide Area Network (WAN)- networks that employ public telecommunications facilities to provide users with access to the resources of centrally located computers. A WAN uses the public switched telephone network, high speed fiber optic cable, radio links or the internet, and uses modems to connect computers over telephone lines. Modems convert analog signals into digital and vice versa
→ System Resources
● Distributed Data Processing- consists of hardware located at two or more geographically distinct sites connected electronically by telecommunications, where processing and data storage occur at more than one site. The main computer and the decentralized units communicate via communication links. A more integrated connection occurs with cooperative processing, where the output of one site's processing is sent to another for completion. The system becomes more complex where the operating systems of the two machines are different
→ Source Resources
● Electronic Data Interchange (EDI)- the transfer of electronic data from one organization's computer system to another's, the data being structured in a commonly agreed format so that it is directly usable by the receiving organization's computer system. EDI groups who wish to share data electronically should have EDI services in order to effect the data exchanges. The advantages of EDI are: paperwork is eliminated, the cost of transaction processing is reduced, and reduced human involvement reduces errors

- Processing System
1. Batch Processing
→ A large volume of homogeneous transactions is aggregated and processed periodically. Four steps in batch processing:
● Occurrence of Transactions- source documents
● Recording in a Transaction file- a batch of source documents is periodically transferred to the data entry operator, who extracts the information from the source documents and enters it in the computer format. Once the data entry is done, the records entered are confirmed against the source documents. Source documents are still stored for future reference
● Updating of the Master file- after the data is entered, it is processed and summarized, and the master files are updated
● Generation of output- reports are periodically generated

2. Online Processing System
→ Processing of individual transactions as they occur, from their point of origin, as opposed to accumulating them into batches. This is made possible by direct access devices such as magnetic disks and a number of terminals connected to and controlled by central processors. Various departments in a company can be connected to the processor by cables. Inquiries are also handled by the online processing system. Online processing ensures that the records are in an updated status at any time, but it is costly

3. Interactive Processing
→ A continuous dialogue exists between the user and the computer. It is also called "transaction driven" processing, as each transaction is dealt with completely, on an individual basis, through all the relevant processing operations before the next transaction is dealt with, and inquiries are dealt with on an immediate response basis

4. Online Real time Processing
→ Real time- the technique of updating files with transaction data immediately after the occurrence of the event.
→ Real time systems are basically online systems with one speciality in inquiry processing.
→ The response of the system to the inquiry itself is used to control the activity
→ The response of a real time system is one type of feedback control system
→ The response time would naturally differ from one activity to another
→ Real time systems usually operate with multiprogramming and multiprocessing, which increase both the availability and the reliability of the system
→ CPUs in real time systems should possess the capability of "Program Interrupts". These are temporary stoppages or halts in the execution of a program so that a more urgent message can be handled on priority
→ https://www.youtube.com/watch?v=2VJLWot9T7Y

5. Time Sharing
→ It allows access to a CPU and files through many remote terminals.
→ Multiprogramming is the method of implementing time shared operations.
→ In transaction processing, time sharing occurs when a computer processes transactions of more than one entity
→ https://www.youtube.com/watch?v=YptksG8h8f8

6. Service Bureau
→ A company that processes transactions for other entities.
→ It handles computer processing for small companies that singly do not have sufficient transactions to justify the acquisition of a computer

a. Decision Support System
→ A system that provides tools to managers to assist them in solving semi-structured and unstructured problems
→ It is not intended to make decisions for the manager, but rather to provide managers with a set of capabilities that enables them to generate the information they require for decision making
→ It supports the human decision making process rather than providing a means to replace it
→ DSS is characterized by:
● It supports semi-structured or unstructured decision making
● It is flexible enough to respond to the changing needs of decision makers
● It is easy to operate
→ Components of DSS:
● Users- represent managers at any given level of authority in the organization
● Database- contains routine and nonroutine data from internal and external sources
● Model Base- the brain of the decision support system, because it performs the data manipulations and computations with the data provided by the user and the database
● https://www.youtube.com/watch?v=siMgr-PwXaI

b. Expert System
→ A computerized information system that allows nonexperts to make decisions comparable to those of an expert
→ Used for complex or ill structured tasks that require experience and special knowledge in a specific subject area
→ Components:
● Knowledge base- includes the data, knowledge, relationships, rules of thumb and decision rules used by experts to solve a particular type of problem. It is the computer equivalent of all the knowledge and insight that an expert or a group of experts develop through years of experience in their field
● Inference Engine- a program that contains the logic and reasoning mechanisms that simulate the expert's logic process and deliver advice. It uses data obtained from both the knowledge base and the user to make associations and inferences, form its conclusion and recommend a course of action
● User interface- programs that allow the user to design, create, update, use and communicate with the expert system
● Explanation Facility- provides the user with an explanation of the logic the expert system used to arrive
● Knowledge acquisition facility- building a knowledge base involves both a human expert and a knowledge engineer. The knowledge engineer is responsible for extracting an individual's expertise and using the knowledge acquisition facility to enter it into the knowledge base
● https://www.youtube.com/watch?v=11nzrNkn9D8

7. Integrated File System
→ Systems that update many files simultaneously as a transaction is processed.
→ Processing of a sales order updates the accounts receivable control account and the related subsidiary ledger; the sales control and sales details are also posted as the sales order is processed
→ It contains a set of interrelated master files that are integrated in order to reduce data redundancy
→ The software used to control input, processing and output is referred to as a DATABASE MANAGEMENT SYSTEM, which handles the storage, retrieval, updating and maintenance of the data in the database
→ This is commonly associated with online real time systems and poses the greatest challenge to the auditors
→ Controls within these systems are harder to test and assess due to the danger of file destruction
→ Files may be physically stored on disk in the following ways:
● Sequential- records are physically ordered by some field (employee number)
● Random- records are stored at a physical address computed by an algorithm working on a field value
● Indexed- records are physically stored randomly, with a sequentially ordered index field (by customer) and a pointer to the physical location of each record
● Indexed Sequential- records are physically stored sequentially, ordered by some field, together with an index which provides access by some other field
● https://www.youtube.com/watch?v=lDpB9zF8LBw
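The four file organizations listed above, each locating the same record, as an added example that is not part of the course notes; the record layout, the address algorithm (modulo on the employee number) and the bucket count are assumptions, and each lookup also returns the number of physical reads so the organizations can be compared.

```python
"""Sequential, random, indexed and indexed-sequential storage of one
constructed master file. Added example, not course material; the record
layout, the hash algorithm and BUCKETS are assumptions."""

import bisect

# Constructed master records: (employee_number, customer, balance).
MASTER = [
    (1003, "ACME", 250.0),
    (1001, "BOLT", 75.5),
    (1008, "CORE", 0.0),
    (1002, "DUNE", 1200.0),
]
BUCKETS = 7  # size of the "random" address space (assumed)


def sequential_find(records, emp_no):
    """Sequential: records physically ordered by employee number and
    scanned in order. Returns (record, physical reads)."""
    ordered = sorted(records, key=lambda r: r[0])
    for reads, rec in enumerate(ordered, start=1):
        if rec[0] == emp_no:
            return rec, reads
        if rec[0] > emp_no:          # ordering lets the scan stop early
            return None, reads
    return None, len(ordered)


def random_build(records):
    """Random: the physical address is computed by an algorithm on the key
    field; records that collide are chained inside the bucket (assumed)."""
    table = [[] for _ in range(BUCKETS)]
    for rec in records:
        table[rec[0] % BUCKETS].append(rec)
    return table


def random_find(table, emp_no):
    """Compute the address and read that bucket only."""
    bucket = table[emp_no % BUCKETS]
    for reads, rec in enumerate(bucket, start=1):
        if rec[0] == emp_no:
            return rec, reads
    return None, len(bucket)


def indexed_build(records):
    """Indexed: records stay where they landed (arrival order); a sorted
    index on customer holds a pointer (list position) to each record."""
    index = sorted((rec[1], pos) for pos, rec in enumerate(records))
    return records, index


def indexed_find(store, customer):
    """Binary search the index, then a single read through the pointer."""
    records, index = store
    i = bisect.bisect_left(index, (customer, -1))
    if i < len(index) and index[i][0] == customer:
        return records[index[i][1]], 1
    return None, 0


def indexed_sequential_build(records):
    """Indexed sequential: records physically sorted by employee number,
    plus an index giving access by another field (customer)."""
    ordered = sorted(records, key=lambda r: r[0])
    return indexed_build(ordered)


if __name__ == "__main__":
    print(sequential_find(MASTER, 1008))
    print(random_find(random_build(MASTER), 1008))
    print(indexed_find(indexed_build(MASTER), "CORE"))
    print(indexed_find(indexed_sequential_build(MASTER), "CORE"))
```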
MODULE 5 - AUDIT APPROACHES IN A CIS ENVIRONMENT

- The Black Box Approach
● Auditing around the computer
● Concentrates on input and output and ignores how the computer processes the transaction data
● If the input matches the output, the auditor simply assumes that the processing of the transactions must have been correct
● Advantages:
○ Makes more comparisons if done manually
○ Ease of comprehension (no need to understand the application program)
● Disadvantages:
○ The auditor, not having directly tested the controls, cannot make assertions about the underlying process
○ In more complex computer systems, intermediate printouts may not be available for making the needed comparisons

- The White Box Approach
● Unlike the black box approach, processing and controls are also subjected to audit
● To help the auditor gain access to the processes, computer audit software may be used
● This software may include:
○ Interactive inquiry facilities to interrogate files
○ Facilities to analyze computer security logs for unusual usage of the computer
○ The ability to compare source and object program code in order to detect dissimilarities
○ The facility to execute and observe the computer's treatment of "live transactions" by moving through the processing as it occurs
○ The generation of test data
○ The actual controls and the higher level controls will be evaluated and then subjected to compliance testing and substantive testing before an audit report is produced
● In order to follow this approach, the auditor needs to have sufficient knowledge of computers to plan, direct, supervise and review the work performed
● The areas covered in an audit will concentrate on the following controls:
○ Input controls
○ Processing controls
○ Storage controls
○ Output controls
○ Data transmission controls
● The auditor also needs to:
○ Assess whether the system has adequate controls over the prevention of unauthorized access to the computer and the computerized database
○ Assess segregation of duties between the staff functions involved in transaction processing and the computerized system, and ensure that adequate supervision of personnel is administered
● Start with the computer program
● The process of auditing is not straightforward but involves the application of knowledge and expertise to differing circumstances
● The auditors need not only have adequate knowledge regarding information requirements and computer data, but must also be exposed to system analysis and design so as to facilitate the post implementation audit.

- Effects of Computers on Internal Controls
1. Segregation of Duties- there are functions that are considered incompatible in a manual system but are carried out by the same person in a computerized system. In a small computerized environment this will be more difficult, especially in determining whether incompatible functions have been performed by the system users
2. Delegation of authority and responsibility- a clear line of authority and responsibility might be difficult to establish because some resources are shared among multiple users. Sharing may eliminate redundancy of data, but it results in multiple users who might violate the integrity of the data. Tracing who is responsible for corrupting data will also be difficult
3. Competent and Trustworthy personnel- skilled, competent, well-trained and experienced information system personnel have been in short supply, which has forced many organizations to compromise on their choice of staff
4. System of Authorization- authorization procedures are embedded within a computer program, which makes it difficult to assess whether the authority assigned to individual persons is consistent with management policies.
5. Adequate Documents and records- in a computerized system, document support might not be necessary to initiate, execute and record some transactions, thus losing some of the audit trail. This will not be a problem for auditors if the system is well designed to maintain a record of all events and that record can easily be accessed.
6. Physical control over assets and records- information system assets and records are distinct to a computerized information system; these assets and records can easily be destroyed through abuse or disaster, thus back-ups must be present
7. Adequate Management Supervision- supervisory controls must be built into the computer system. Because many activities are electronically controlled, managers must periodically access the audit trail of employees and examine it for unauthorized actions
8. Independent Checks on performance- independent checks on the performance of programs often have little value, thus the control emphasis must be on ensuring the accuracy of program code
9. Comparing recorded accountability with assets- counted and recorded assets may not reconcile, and irregularities may not be discovered, because segregation of duties is not practiced in the computer system

- Effects of Computers on Auditing
● Objective- to provide an independent opinion as to the fairness of the financial statements of an entity.
● To achieve that objective, an auditor needs to collect and evaluate evidence
● Effects on the collection and evaluation of evidence:
○ Changes to evidence collection
○ Changes to evidence evaluation

- Changes to Evidence Collection
● Collecting evidence in a computerized system is more diverse and complex than in a manual system
● Tests of controls become more crucial because of technicality
● Some substantive tests applicable in manual systems may no longer be applicable in computerized systems (inquiry, inspection, observation, reperformance, analytical procedures, etc.)
● Tests of controls- how would you know if the controls are effective?
● Auditors need to understand:
○ Whether a control is functioning reliably or malfunctioning
○ Traceability of control strengths and weaknesses through the system (a single data item may be used by multiple users)
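A review of an employee audit trail for the segregation-of-duties and system-of-authorization effects above (the "examine it for unauthorized actions" step under management supervision, using the kind of log analysis facility the white box approach lists), as an added example that is not part of the course notes; the log format, the role names, the permitted-action policy and the incompatible-function pairs are all assumptions.

```python
"""Audit-trail review: one user performing incompatible functions on the
same document, and actions a user's role is not authorized to perform.
Added example, not course material; the log format, roles, policy matrix
and incompatible pairs are assumptions."""

from collections import defaultdict

# Constructed audit trail, one event per line: timestamp|user|role|action|document
AUDIT_TRAIL = """\
2024-03-01T09:02:11|alice|clerk|CREATE|PO-1001
2024-03-01T09:15:40|bob|manager|APPROVE|PO-1001
2024-03-01T10:01:05|carol|clerk|CREATE|PO-1002
2024-03-01T10:03:27|carol|clerk|APPROVE|PO-1002
2024-03-01T11:20:00|dave|clerk|PAY|PO-1001
2024-03-01T11:25:13|erin|operator|MODIFY_PROGRAM|PAYROLL
"""

# Management policy: which roles may perform which actions (assumed).
PERMITTED = {
    "clerk": {"CREATE"},
    "manager": {"APPROVE"},
    "treasury": {"PAY"},
    "developer": {"MODIFY_PROGRAM"},
    "operator": set(),
}
# Functions that must not be performed by the same person on one document.
INCOMPATIBLE = {("CREATE", "APPROVE"), ("APPROVE", "PAY"), ("CREATE", "PAY")}


def parse_trail(text):
    """Parse the constructed format into event dicts; malformed lines are
    skipped rather than guessed at, so the count of parsed events is itself
    a figure the reviewer can reconcile to the log."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, role, action, doc = parts
        events.append({"ts": ts, "user": user, "role": role,
                       "action": action, "doc": doc})
    return events


def unauthorized_actions(events):
    """Authorization test: actions the user's role is not permitted to take."""
    return [(e["user"], e["action"], e["doc"]) for e in events
            if e["action"] not in PERMITTED.get(e["role"], set())]


def sod_violations(events):
    """Segregation test: the same user performing two incompatible functions
    on the same document."""
    by_user_doc = defaultdict(set)
    for e in events:
        by_user_doc[(e["user"], e["doc"])].add(e["action"])
    findings = []
    for (user, doc), actions in sorted(by_user_doc.items()):
        for a, b in sorted(INCOMPATIBLE):
            if a in actions and b in actions:
                findings.append((user, doc, a, b))
    return findings


def review_trail(text):
    """Run both tests over a trail and return the findings by type."""
    events = parse_trail(text)
    return {"unauthorized": unauthorized_actions(events),
            "sod": sod_violations(events)}


if __name__ == "__main__":
    for kind, items in review_trail(AUDIT_TRAIL).items():
        print(kind, items)
```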

- Auditing in a CIS Environment
● The use of computers changes the processing, storage, retrieval and communication of financial information, which affects the accounting and internal control system employed by the entity.
● The auditor should consider the effect of the following factors:
○ The extent of use of computers for preparing accounting information
○ Efficacy of internal controls over input, processing, analysis and reporting undertaken in the CIS installation
○ The impact of computerization on the audit trail that could otherwise be expected to exist in a manual system

1. Skill and Competence- an auditor should have sufficient knowledge of the CIS to plan, direct, supervise, control and review the work performed (experts)
2. Planning- the auditor should obtain an understanding of the significance and complexity of the CIS activities and the availability of the data for use in the audit. The auditor's understanding would include:
○ CIS infrastructure, including the changes since the last audit
○ Significance and complexity of computerized processing in each significant accounting application
○ Determination of the organizational structure of the client
○ Determination of the extent of availability of data by reference to source documents, computer files and other evidential matter.
3. Risk- the auditor should assess whether the CIS may influence the assessment of inherent and control risks. The nature of the risks and the internal control system include the following:
○ Lack of transaction trails- detection risk increases
○ Uniform processing of transactions- inherent risk decreases
○ Lack of segregation of duties- risk increases
○ Potential for errors and irregularities- risk increases
○ Initiation or execution of transactions- risk increases
○ Dependence of other controls over computer processing
○ Increased management supervision- risk decreases
○ Use of computer assisted audit techniques (CAATs)
4. Risk Assessment- assessment of inherent and control risk for material financial statement assertions
○ Risk may result from deficiencies in:
■ Program development and maintenance
■ System software support
■ Operations
■ Physical CIS security
■ Control over access to specialized utility programs
○ These deficiencies would tend to have a negative impact on all application systems, creating errors and fraudulent activities
5. Documentation- the auditor should document the audit plan; the nature, timing and extent of audit procedures; and the conclusions drawn from the evidence obtained (evidence must be sufficient and appropriate)
MODULE 6 - COMPUTER ASSISTED AUDIT TECHNIQUES

- CAATs
→ Computer programs and data that the auditor uses as part of the audit procedures to process data of audit significance
→ CAATs give auditors access to data without dependence on the client, allow them to test the reliability of client software, and let them perform audit tests more efficiently.
→ Uses of CAATs
1. Tests of details of transactions and balances
2. Analytical procedures
3. Tests of general controls
4. Sampling programs to extract data for audit testing
5. Tests of application controls
6. Reperforming calculations
→ CAATs may consist of:
● Package programs
○ Generalized computer programs designed to perform data processing functions such as:
■ Reading data
■ Selecting and analyzing information
■ Performing calculations
■ Creating data files
■ Reporting in a format specified by the auditor
● Purpose-written programs
○ Perform audit tasks in specific circumstances
○ These programs may be developed by the auditor, the entity being audited or an outside programmer hired by the auditor
○ The auditor may use the entity's existing programs in their original or modified state, because that may be more efficient than developing independent programs
● Utility programs
○ Used by an entity to perform common data processing functions, such as sorting, creating and printing files
○ These programs are generally not designed for audit purposes, and therefore may not contain features such as automatic record counts and control totals
● System management programs
○ Enhanced productivity tools that are typically part of a sophisticated operating system environment
○ Examples: data retrieval software or code comparison software
○ Like utility programs, these are also not designed for auditing

- Considerations in the Use of CAATs
1. IT Knowledge, Expertise and Experience of the Audit Team
2. Availability of CAATs and Suitable Computer Facilities
3. Impracticability of Manual Tests
4. Effectiveness and Efficiency
5. Time Constraints

- IT Knowledge, Expertise and Experience of the Audit Team
→ Auditing in a CIS environment deals with the level of skill and competence the audit team needs to conduct an audit in a CIS environment
→ It provides guidance when an auditor delegates work to assistants with CIS skills or when the auditor uses work performed by other auditors or experts with such skills; specifically, the audit team should have sufficient knowledge to plan, execute and use the results of the CAATs adopted
→ The level of skill and competence required by the audit team to conduct an audit in a CIS environment is addressed in auditing in a CIS environment
→ The level of knowledge required depends on the availability of CAATs and suitable computer facilities

- Availability of CAATs and Suitable Computer Facilities
→ The auditor may plan to use other computer facilities when the use of CAATs on an entity's computer is uneconomical or impractical (incompatible facility and package programs)
→ The auditor may elect to use their own facilities
→ The cooperation of the entity's personnel may be required to provide processing facilities at a convenient time, to assist with activities

- Impracticability of Manual Tests
→ Some audit procedures may not be possible to perform manually because they rely on complex processing or involve amounts of data that would overwhelm any manual procedure
→ Many computer information systems perform tasks for which no hard copy evidence is available and, therefore, it may be impracticable for the auditors to perform tests manually. The lack of hard copy evidence may occur at different stages in the business cycle

- Effectiveness and Efficiency
→ CAATs are often an efficient means of testing a large number of transactions or controls over large populations by:
a. analyzing and selecting samples from a large volume of transactions;
b. applying analytical procedures; and
c. performing substantive procedures
→ Matters relating to efficiency that auditors might consider include:
a. the time taken to plan, design, execute, and evaluate a CAAT;
b. technical review and assistance hours;
c. designing and printing of forms (for example, confirmations); and
d. availability of computer resources

- Time Constraints
→ Certain data, such as transaction details, are often kept for only a short time, and may not be available in machine-readable form by the time the auditors want them
→ The auditors will need to make arrangements for the retention of the data required, or may need to alter the timing of the work that requires such data
→ Where the time available to perform an audit is limited, the auditors may plan to use a CAAT because its use will meet the auditors' time requirement better than other possible procedures

- Major Steps in the Application of CAATs
1. Set the objective of the CAAT application
2. Determine the content and accessibility of the entity's files
3. Identify the specific files or databases to be examined
4. Understand the relationship between the data tables where a database is to be examined
5. Define the specific tests and the related transactions and balances affected
6. Define the output requirements
7. Arrange with the user and IT departments, if appropriate, for copies of the relevant files or database tables to be made at the appropriate cut off date and time
8. Identify the personnel who may participate in the design and application of the CAAT
9. Refine the estimates of costs and benefits
10. Ensure that the use of the CAAT is properly controlled
11. Arrange the administrative activities, including the necessary skills and computer facilities
12. Reconcile the data to be used for the CAAT with the accounting and other records
13. Execute the CAAT application
14. Evaluate the results
15. Document the CAATs to be used, including objectives, high level flow charts and run instructions
16. Assess the effect of changes to programs on the use of the CAAT

- Testing CAATs
→ The auditor should obtain reasonable assurance of the integrity, reliability, usefulness and security of the CAAT through appropriate planning, design, testing, processing, and review of documentation (this should be done prior to reliance upon the CAAT)
→ The nature, timing and extent of testing depend on the commercial availability and stability of the CAAT

- Controlling CAAT Application
→ In establishing control, the auditor considers the need to:
● Approve specifications and conduct a review of the work to be performed by the CAAT
● Review the entity's general controls that may contribute to the integrity of the CAAT
● Ensure appropriate integration of the output by the auditor into the audit process
- Procedures Carried Out by the Auditor to Control CAATs Application
●​Participating in the design and testing of CAAT
●​Checking the coding of the program to ensure that it conforms
with the detailed program specifications
●​Asking the entity’s staff to review the operating system
instructions to ensure that the software will run in the entity’s
computer installation
●​Running the audit software on small test files before running it
on the main data files
●​Checking whether the correct files were used
●​Obtaining evidence that the audit software functioned as
planned
●​Establishing appropriate security measures to safeguard the
integrity and confidentiality of the data
NOTE: When the auditor intends to perform audit procedures
concurrently with online processing, the auditor reviews those
procedures with appropriate client personnel and obtains approval
before conducting the tests to help avoid the inadvertent corruption
of client records. The presence of the auditor is not necessarily
required at the computer facility during the running of CAAT
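A small purpose-written routine of the kind the module lists under uses of CAATs (reconciling the extract to the entity's records as in step 12, reperforming a calculation, and extracting a sample for tests of details), as an added example that is not part of the course notes; the invoice layout, the client control figures and the sampling interval are assumptions, and amounts are handled in cents to avoid floating point drift.

```python
"""Generalized-audit-software style routine over a constructed invoice
extract: control totals and reconciliation, reperformance of qty * price,
and systematic sample selection. Added example, not course material; the
file layout, CLIENT_CONTROL figures and the interval are assumptions."""

import csv
import io

# Constructed extract of the entity's sales invoice file (not real data).
INVOICE_FILE = """\
invoice,qty,unit_price,recorded_total
5001,10,12.50,125.00
5002,3,99.99,299.97
5003,7,15.00,115.00
5004,1,450.00,450.00
5005,20,4.25,85.00
"""

# Figures taken from the entity's own accounting records (assumed values).
CLIENT_CONTROL = {"records": 5, "total_value": 1074.97}


def load_invoices(text):
    """Read the extract into typed rows; money is kept as integer cents."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice": int(r["invoice"]),
            "qty": int(r["qty"]),
            "unit_price": round(float(r["unit_price"]) * 100),
            "recorded_total": round(float(r["recorded_total"]) * 100),
        })
    return rows


def control_totals(rows):
    """Record count, value total and a hash total of the invoice numbers
    (the hash total detects a swapped or dropped record that leaves the
    value total unchanged)."""
    return {
        "records": len(rows),
        "total_value": sum(r["recorded_total"] for r in rows) / 100,
        "hash_total": sum(r["invoice"] for r in rows),
    }


def reconcile(rows, client):
    """Step 12: the data the CAAT will use must agree with the accounting
    records before any test result is relied on."""
    ours = control_totals(rows)
    return all(abs(ours[k] - client[k]) < 0.005 for k in client)


def reperform(rows):
    """Reperform the invoice calculation and return the invoices whose
    recorded total disagrees as (invoice, recorded, recomputed)."""
    exceptions = []
    for r in rows:
        expected = r["qty"] * r["unit_price"]
        if expected != r["recorded_total"]:
            exceptions.append((r["invoice"], r["recorded_total"] / 100,
                               expected / 100))
    return exceptions


def systematic_sample(rows, interval, start=0):
    """Extract every n-th record for tests of details; the fixed start
    makes the selection reproducible for the working papers."""
    return [r["invoice"] for r in rows[start::interval]]


if __name__ == "__main__":
    rows = load_invoices(INVOICE_FILE)
    print("control totals:", control_totals(rows))
    print("reconciles to client records:", reconcile(rows, CLIENT_CONTROL))
    print("reperformance exceptions:", reperform(rows))
    print("sample:", systematic_sample(rows, 2))
```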

MODULE 6 - E-COMMERCE AND AUDITING NEW TECHNOLOGIES
- Audit of E-commerce
→ E-commerce, also known as Electronic Commerce, refers to the buying and selling of goods or services using the internet, and the transfer of money and data to execute these transactions. Under this system, customers are required to enter their personal information to proceed with their transactions. This increases both technology risk and moral hazard. Customers' information may be used by hackers to perform unauthorized transactions. An example of this fraudulent act is when someone uses, without the consent of the owner, the name and address of a customer to order food on food panda, also known as a "Bogus Buyer".
→ Companies whose transactions are mainly done on websites or applications should periodically audit their websites, especially their controls, to ensure the reliability of information entered by customers, the security of customers' personal information, and the like
→ The risks for E-commerce include both technology risk and moral hazard. Technology risks are the risks from hackers, peep, structural defects in the information infrastructure and drawbacks of the information system for companies. Moral hazard comprises repudiation, fake web pages, privacy violation and accuracy of information

- Auditing New Technology
→ Emerging technologies can provide great benefits for businesses, but they can also result in risks. The auditors, in assessing the risks and controls, should focus on the following:
● Auditors should gain a holistic understanding of changes in the industry and the information technology environment to effectively evaluate management's process for initiating, processing, and recording transactions, and then design appropriate auditing procedures.
● Auditors, as appropriate, should consider risks resulting from the implementation of new technologies and how those risks may differ from those that arise from more traditional, legacy systems. Auditors should be aware that risks can arise due to program or application-specific circumstances.
●​ Auditors should consider whether specialized skills are
necessary to determine the impact of new technologies
and to assist in the risk assessment and understanding of
the design, implementation, and operating effectiveness
of controls. If specialized skills are considered
appropriate, auditors may seek the involvement of a
subject matter expert. Auditors also should obtain a
sufficient understanding of the expert’s field of expertise
to evaluate the adequacy of the work for that auditor’s
purposes.
