Auditing in a CIS Environment Part 1 PDF

Summary

The document provides an overview of auditing in a computer information systems (CIS) environment within an organization. It covers auditing and the IT infrastructure underlying business operations, addressing the information technology (IT) environment, its applications, and the controls over information and operations within computers and other machines. The material covers the IT infrastructure and then introduces application controls, which together provide a base for IT audit.

Full Transcript


**AUDITING IN A CIS ENVIRONMENT PART 1**

**I. INTRODUCTION**

Business organizations are now operating in a fast-evolving digital era. Through the internet and digitization, the level and pace of the business world have been continuously increasing. With this, organizations strive to cope with the challenges that this period brings. It has required various changes in how businesses operate and has even pushed for the reinvention of business models and structures. With the help of computers, large volumes of transactions can now be accounted for in an instant and several accounting processes are streamlined. During this period of constant transformation, the financial reporting needs of investors and stakeholders also change. As these improvements emerge, transformations in audit execution are likewise necessary.

**II. THE INFORMATION TECHNOLOGY (IT) ENVIRONMENT**

The **information technology (IT) environment** refers to the IT applications and supporting IT infrastructure, as well as the IT processes and the personnel involved in those processes, that an entity uses to support business operations and achieve business strategies.

- An **IT application** is a program or a set of programs used in the initiation, processing, recording, and reporting of transactions or information. IT applications include data warehouses and report writers.
- The **IT infrastructure** comprises the network, operating systems, and databases and their related hardware and software.
- The **IT processes** are the entity's processes to manage access to the IT environment, manage program changes or changes to the IT environment, and manage IT operations.

Other terms used to refer to this environment include "**Electronic Data Processing (EDP) environment**" and "**Computer Information Systems (CIS) environment**".

At present, countless entities already incorporate and rely on the use of IT in their business model. As an example, IT allows entities to sell their products through online shops where sales transactions are initiated and processed in an IT environment. IT has also made it possible for merchandising or manufacturing entities to monitor and track their inventory levels through an advanced inventory management system. Through the use of IT, entities can attain their business objectives in a more streamlined manner. However, its use also exposes the entity to business risks that lead to risks of material misstatement (RoMM) of the financial statements. As such, auditors must consider the entity's IT environment in planning and performing the audit engagement.

**III. IT INFRASTRUCTURE**

As presented in Exhibit 1, the IT infrastructure serves as the foundation of the IT environment. It includes all the hardware, software, networks, and facilities that are necessary to perform the IT services. Its major components are as follows:

- **Database system** - A database is an organized collection of data that is stored and accessed electronically. The database system enables data synchronization by maintaining one copy of important records in an organized file system (i.e. the database) which is shared by various users, without each user having to maintain a copy of the file. This type of system eliminates data redundancy. Current systems entrust the responsibility for database maintenance and control to a database administrator.
- **Operating system** - The software that controls the computer hardware and supports its basic functions. It is loaded in the data storage of the computer and is available for use upon completion of the computer's startup (i.e. the boot or initial program load (IPL) process).
- **Networks** - Two or more computers that are linked to facilitate the sharing of computer devices and application software, the exchange of files, and voice and video transmissions. Linkages can be made through cables, satellites, and telephone lines.

Types of networks classified by geographical scope:

a. **Local Area Network (LAN)** - communication networks that allow resources, data, and program sharing within a limited geographical area.

b. **Wide Area Network (WAN)** - computer networks that span a large geographical area.

c. **National Area Network (NAN)** - covering an entire country.

d. **Internet** - covering the globe.

Related network-based arrangements:

a. **Distributed data processing** - the sharing of information and programs by large numbers of users. This setup calls for computer security because of the wider risk exposure to unwanted access.

b. **Electronic data interchange (EDI)** - the use of telecommunication links (cable wire, radio, fiber optics, microwave, laser, and other electromagnetic transmissions) to exchange business data. This significantly reduces the audit trail.

**IV. THE COMPUTER AND ITS COMPONENTS**

The IT infrastructure involves the use of a computer. A **computer** is a programmable electronic device that can store, retrieve, and process data. Computers come in various types and sizes, but they all share the same two basic components: (1) hardware and (2) software.

1. **Computer Hardware**

Hardware is the physical devices or equipment used to accomplish data processing functions. Hardware devices include the (a) central processing unit, (b) input devices, (c) output devices, and (d) data storage.

a. **Central Processing Unit (CPU)** - The CPU serves as the brain of the computer. It is the principal hardware component and processes programs of instructions for manipulating data. It has the following units:

- **Control unit** - interpreter of the program codes that will manipulate the data
- **Storage unit** - data retention unit
- **Arithmetic and Logic Unit (ALU)** - performs arithmetic and logic functions

As storage support to the CPU, secondary storage devices are also present. Secondary storage devices may be categorized based on their method of access or their type.

Method of access:

1. **Random** - data can be accessed directly regardless of how it is physically stored (e.g. magnetic disk)
2. **Sequential** - data must be processed in the order in which it is physically stored (e.g. magnetic tape, cartridges)

Type:

1. **Magnetic tape** - the primary medium for backing up random-access disk files and considered to be the cheapest type of storage available
2. **Magnetic disks** - include CDs (mainframe) and hard disk drives (microcomputers)
3. **Redundant array of independent disks (RAID)** - a way of storing the same data redundantly on multiple magnetic disks to minimize the likelihood of data loss
4. **Compact disks, floppy disks, and zip disks**
5. **Optical disks** - use laser technology to store and read data

b. **Input devices** - This component serves as the entry channel that transmits data to the CPU for processing. It functions as a converter of information into a machine-readable form.

- **Keying data** - **Key to tape** and **key to disk**, in which data are entered directly on tapes and disks respectively through a cathode ray tube (CRT) and then read into a computer.
- **Online entry**
  - Visual display terminal (uses the keyboard to directly enter data into the computer)
    1. Input interface - a program that controls the display for the user (usually on a computer monitor) and allows the user to interact with the system
    2. Graphical user interface - uses icons, pictures, and menus instead of text inputs (e.g. Windows)
    3. Command line interface - uses text-type commands
  - Mouse, joystick, light pens
  - Touch-sensitive screens - allow users to enter data from a menu of items by touching the surface of the monitor
- **Turnaround documents** - documents that are sent to customers and returned as inputs (e.g. utility bills)
- **Automated source data input devices**
  - **Magnetic tape reader** - a device capable of sensing information recorded as magnetic spots on magnetic tape. This device can also be used as an output device and storage medium.
  - **Magnetic ink character reader (MICR)** - a device that reads characters by scanning temporarily magnetized characters printed in magnetic ink (e.g. bank check readers)
  - **Optical character recognition (scanner)** - a device that reads characters directly from documents based on their shapes and positions on the source document
  - **Cathode ray tube (CRT)** - a typewriter-like device that decodes keystrokes into electronic impulses
  - **Automated teller machines (ATM)** - a machine used to execute and record transactions with financial institutions
  - **Point-of-sale (POS) recorders** - a terminal connected to a computer. It takes the place of a cash register or similar device, allows instant recording of transactions, and is capable of keeping a perpetual inventory.
  - **Voice recognition** - a system that understands spoken words and transmits them to a computer

c. **Output devices** - devices that translate processed data into forms understandable by users. Examples include monitors, printers, plotters, and computer output to microfilm or microfiche (COM).

d. **Data storage** - This component serves as the warehouse of data processed by the computer, such as a hard disk. This storage can be either fixed or removable.

2. **Computer Software**

This component consists of sets of instructions (programs) that direct, control, and coordinate the operation of the hardware components. Presented below are the types of software:

a. **Systems software**

- **Operating system** - a group of computer programs that monitor and control all the input, output, processing, and storage devices and operations of a computer (e.g. DOS, Windows, Linux, Mac, etc.). It controls the functioning of the CPU and other peripheral equipment.
- **Utility (user) programs** - handle common file, data manipulation, and "housekeeping" tasks. They perform commonly required processes such as sorting and merging.
- **Communication software** - controls and supports transmission between computers, between computers and monitors, and access to various databases.

b. **Application software (also known as 'apps')** - written in programming languages such as Turbo C, Assembly, Java, Visual Basic, and COBOL. These are programs designed for specific uses or desired processing tasks such as payroll preparation, word processing, graphics, database systems, and accounting software.

c. **Database management system (DBMS)** - a software package for creating, accessing, and maintaining a database

d. **Source program** - a program written in a language from which statements are translated into machine language

e. **Object program** - a source program that has been converted using a compiler into a set of machine-readable instructions

f. **Compiler** - produces a machine language object program from a source program

g. **Interpreter** - converts each source code instruction to object code each time it is executed

h. **Virtual memory (storage)** - online secondary memory used as an extension of primary memory, giving the appearance of larger, virtually unlimited internal memory

**Types of Computers**

1. **Supercomputers** - extremely powerful, high-speed computers for extremely high volume and/or complex processing needs
2. **Mainframe computers** - large, powerful, high-speed computers
3. **Minicomputers** - while large and powerful, they are not as large or as powerful as mainframe computers
4. **Microcomputers** - small computers, such as personal computers and laptops
5. **Personal digital assistants** - mobile, handheld computers

**Computer vs. Computer Systems**

1. **Management reporting system** - designed to help with the decision-making process by providing access to computer data
   - **Decision support system** - computer-based information systems that combine models and data to resolve non-structured problems with extensive user involvement
   - **Executive information system** - computerized systems that are specifically designed to support executive work
   - **Expert system** - computer systems that apply reasoning methods to data in a specific, relatively structured area to render advice or recommendations
   - **Management information system** - systems designed to provide past, present, and future information for planning, organizing, and controlling the operations of the organization
2. **Transaction processing system** - involves the daily processing of transactions

**V. IT APPLICATIONS**

IT applications or software applications are programs designed for specific end-user purposes. For purposes of the audit, emphasis is placed on financial accounting applications. These applications are used in the initiation, processing, recording, and reporting of transactions or information relevant for decision-making. They differ depending on the needs and size of an entity and may include, but are not limited to:

- **Small and medium-sized business accounting applications** - These include the basic bookkeeping functions such as invoicing, business payments, payroll functions, and financial reporting. Examples include QuickBooks and Xero.
- **Enterprise accounting application** - This application is designed for larger organizations and allows for more extensive accounting processes. It is often part of a larger suite of software that the organization uses to manage its business activities such as procurement, supply chain operations, inventory management, and risk management. This suite is referred to as an enterprise resource planning (ERP) system. Examples include SAP Business One and Microsoft Dynamics.
- **Cloud/online accounting application** - An accounting application hosted online or on remote servers in the cloud (i.e. data centers reached over the internet). It offers users greater flexibility and cost-efficiency in managing financial information. Examples include Oracle ERP Cloud and SAP S/4 Hana.

Entities may also use emerging technologies (e.g., blockchain, robotics, or artificial intelligence) because such technologies may present specific opportunities to increase operational efficiencies or enhance financial reporting.

**VI. IT PROCESSES**

The IT processes are the entity's processes to manage access to the IT environment, manage program changes or changes to the IT environment, and manage IT operations. These processes include general IT controls, which are discussed in the immediately succeeding section.

**VII. INFORMATION TECHNOLOGY (IT) CONTROLS**

The entity's use of IT applications or other aspects of the IT environment may give rise to risks arising from the use of IT (RAIT). **Risks arising from the use of IT (RAIT)** refer to the susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information (i.e., the completeness, accuracy, and validity of transactions and other information) in the entity's information system, due to ineffective design or operation of controls in the entity's IT processes. To address RAITs, management designs and incorporates IT controls. Exhibit 2 presents the different types of IT controls and how they relate to the IT environment.

| Type of IT control | Description | Components |
|---|---|---|
| Entity-level IT controls | The entity-level IT controls of an organization are embedded in its control environment. These are designed to define the strategic direction and establish an organizational framework for IT activities. | **(S²PARTA):** **[S]**trategies and plans; **[S]**egregation of incompatible duties; **[P]**olicies and procedures; Quality **[A]**ssurance; **[R]**isk assessment activities; **[T]**raining; Internal **[A]**udit and Monitoring |
| General IT controls | Controls over the entity's IT processes that support the continuous and proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (i.e., the completeness, accuracy, and validity of information) in the entity's information system. | **(COA):** **[C]**ontrols over IT changes; IT **[O]**perations controls; **[A]**ccess controls |
| Application controls | Controls that form part of the business process applications and help the entity achieve its financial reporting objectives as to the completeness, accuracy, existence/authorization, and presentation of data. | **(IPO):** **[I]**nput controls; **[P]**rocessing controls; **[O]**utput controls |

**Entity-level IT Controls**

These controls are also known as the IT organizational controls, which set the overall tone for how information should be managed and processed within the entity. As presented previously, these controls are established through the strategic information and technology plans of the entity and its resulting policies and procedures. These policies and procedures consider the segregation of incompatible duties such as (1) the functions of the IT department and the user departments and (2) the functions within the IT department. Listed below are the various responsibilities and functions within an IT department:

1. **Information system management** - handled by a Chief Information Officer (CIO), who supervises the operation of the department
2. **System analysis** - responsible for designing the information systems. It focuses on setting the goals of the information system and the means of achieving them after considering the goals of the organization and the computer processing needs of the entity.
3. **Application programming** - codes the system specifications determined by the system analysts using programming languages (Pascal, C, FoxPro, etc.)
4. **Database administration** - focuses on planning and administering the database by designing it and controlling its use
5. **Data entry** - prepares and verifies input data for processing
6. **Computer operation** - runs and monitors the central computer in accordance with standard instructions. Sometimes operators may need to access a computer console to correct indicated errors in processing; this is a risk exposure, so the operating system should be designed to maintain a log of computer operator intervention. Also, computer operation should be separated from application programming to mitigate the possibility of unauthorized changes in computer programs.
7. **Program and file library** - protects computer programs, master files, transaction tapes, and other records from loss, damage, unauthorized use, or alteration.
8. **Data control** - reviews and tests all input procedures, monitors computer processing, reviews exception reports, handles the reprocessing of exceptions detected by the computer, and distributes computer output; also reviews the computer log of operator intervention and the library log of program usage.
9. **Telecommunications** - responsible for maintaining and enhancing computer networks and network connections
10. **Systems programming** - responsible for troubleshooting the operating system or systems in use, upgrading them, and working with application system programs in case of incompatibility with the operating systems
11. **Quality assurance** - ensures that new systems being developed and old ones being replaced are controlled, and ensures that the new system meets user specifications and documentation standards.

Monitoring of IT controls is carried out through:

- **Continuous monitoring** - executed through predetermined performance measures that denote the operating effectiveness of an IT control. This includes:
  - **Defect identification and management** - establishment of performance indicators and their comparison to actual results, which allows the pinpointing of the causes of system failures. Upon identification of the causes, correcting procedures are initiated to improve the system.
  - **Security monitoring** - the process of collecting and understanding indicators of potential security threats to the IT infrastructure and addressing them through appropriate actions.
- **Separate evaluations** - in addition to continuous monitoring, an entity also separately evaluates its IT environment through various means including internal and external audits, regulatory examinations, IT effectiveness evaluations and reviews, project implementation reviews, attack and penetration studies, and the engagement of third-party consultants.

**General Information Technology Controls (GITCs)**

a. **Access controls** - provide reasonable assurance that access to equipment, files, and programs is limited to authorized personnel. These include:

1. **Authentication** - controls that ensure a user accessing the IT application or other aspect of the IT environment is using the user's own log-in credentials (i.e., the user is not using another user's credentials).
2. **Authorization** - controls that allow users to access the information necessary for their job responsibilities and nothing further, which facilitates appropriate segregation of duties.
3. **Provisioning** - controls to authorize new users and modifications to existing users' access privileges.
4. **Deprovisioning** - controls to remove user access upon termination or transfer.
5. **Privileged access** - controls over administrative or powerful users' access.
6. **User access reviews** - controls to recertify or evaluate user access for ongoing authorization over time.
7. **Security configuration** - each technology generally has key configuration settings that help restrict access to the environment.
8. **Physical access** - controls over physical access to the data center and hardware, as such access may be used to override other controls.

Related access control practices include:

- Programming the operating system to generate a computer log of failed access attempts and to generate warnings for repeated access failures.
- Programmers should not have access to input data or to application programs that are currently in use.
- Computer operators should be restricted only to the application programs currently being used.
- Computer operators should have limited access only to the operations manual (instructions for processing programs) and not to detailed program documentation.

b. **IT operations controls** - provide reasonable assurance that database operations and data processing are functioning effectively as intended. These include:

1. **Job scheduling** - controls over access to schedule and initiate jobs or programs that may affect financial reporting.
2. **Job monitoring** - controls to monitor financial reporting jobs or programs for successful execution.
3. **Backup and recovery** - controls to ensure that backups of financial reporting data occur as planned and that such data is available and able to be accessed for timely recovery in the event of an outage or attack.
4. **Intrusion detection** - controls to monitor for vulnerabilities and/or intrusions in the IT environment.

c. **Controls over IT changes** - These controls serve as an oversight function over the development methodology (e.g. system design and implementation and its phases), documentation requirements, change management, approvals, and other development or maintenance checkpoints. These controls consider the following guidelines:

1. **Change management process** - controls over the process to design, program, test, and migrate changes to a production (i.e., end-user) environment.
2. **Segregation of duties over change migration** - controls that segregate access to make and migrate changes to a production environment.
3. **Systems development or acquisition or implementation** - controls over initial IT application development or implementation (or in relation to other aspects of the IT environment).
4. **Data conversion** - controls over the conversion of data during development, implementation, or upgrades to the IT environment.

**Application Controls**

a. **Controls over input** - designed to provide reasonable assurance that:

- Transactions are properly authorized before being processed by the computer
- Transactions are accurately converted into machine-readable form and recorded in the computer data files
- Transactions are not lost, added, duplicated, or improperly changed
- Incorrect transactions are rejected, corrected, and, if necessary, resubmitted on a timely basis

Common examples of controls over input are key verification, field check, validity check, self-checking digit, limit check, and control totals (financial, hash, and record count):

- **Limit test** - tests the reasonableness of a field of data using predetermined upper and lower limits
- **Validity test** - a comparison of data against a master file or table for accuracy
- **Self-checking digit** - an accuracy check containing redundant information permitting ...
- **Completeness check** - processing will not continue unless all required data are supplied (also called a missing data check)
- **Control total** - the total of one field of information for all items in a batch
  - **Item (record) count** - a count of the number of items or transactions being input in a given batch
  - **Financial total** - the total of the amounts for all items in a batch
  - **Hash total** - a total of one field of information for all items in a batch that has no intrinsic meaning
- **Menu-driven input** - contains a set of menus or Q&As that guide the user's completion of all the required data
- **Field check** - ensures that the proper type of character is supplied in a given field (i.e. character only, numeric only, or alphanumeric only)
- **Field size check** - ensures that the data supplied is within the number of digits or string of characters required for the field
- **Logic tests** - reject encoded data that are illogical or inconsistent

b. **Controls over processing** - designed to provide reasonable assurance that:

- Transactions are processed accurately
- Transactions are not lost, added, excluded, duplicated, or improperly changed
- Processing errors are identified and corrected on a timely basis

c. **Controls over output** - designed to provide reasonable assurance that:

- Results of processing are complete and accurate
- Output is distributed to authorized personnel only
