Module 1 - Audit in CIS Environment Fundamentals PDF
Rogelio Jr Panelo
Summary
These lecture notes provide an overview of computer information systems and data processing. They cover manual, mechanical, and electronic data processing, as well as hardware, software, and computer installations.
Module 1 - Audit in CIS Environment Fundamentals
Rogelio Jr Panelo, CPA, MBA, CTT, MRITax

AN OVERVIEW OF THE CIS ENVIRONMENT

DATA PROCESSING – refers to the operations needed to collect and transform data into useful information. The equipment and procedures through which the result is achieved constitute a data processing system. Data processing involves the basic operations of classifying, sorting, calculating, summarizing, recording, storing and communicating.
a. Manual data processing – the operations in the process are performed by hand, using pen or pencil.
b. Mechanical data processing – mechanical equipment such as office machines and bookkeeping machines is used to increase speed and accuracy.
c. Electronic data processing (EDP) – the data are converted into machine-readable form and then processed through electronic impulses. The processing takes place in a computer at very high speed and with minimal human intervention.

COMPUTER SYSTEM – refers collectively to all the interconnected hardware, including the processors, storage devices, input/output devices and communications equipment.
a. Computer hardware – the physical devices that comprise a computer system. The principal hardware component is the central processing unit (CPU), which performs the processing functions: the storage of information, arithmetic and logic operations, and control. Additionally, the CPU controls the input and output devices.
- Main storage unit – used to temporarily store programs and data for processing.
- Arithmetic and logic unit – performs the arithmetic tasks (addition, subtraction, multiplication and division), comparisons and other types of data transformations. The data and instructions needed for the operation are called from the computer's main storage. After the operation, the results are returned to the main storage unit.
- Control unit – regulates the activities of the other devices by retrieving machine language instructions from the main storage unit and then interpreting those instructions.
- Input devices – prepare and insert data and instructions into the computer after translating them into computer language. Examples are keyboards and bar code readers.
- Output devices – translate the processed data back into the language of written words out of the computer to the accountant or other users. Examples are monitors and printers.
b. Computer software – the programs, routines and procedures used to direct the functions of a computer system.
- Systems software – operates the computer system and performs routine tasks for the users. It helps the operator use the machine and manages the interaction between the computer, its peripherals, other programs, the sets of data to be used and the operator. System software also translates programming languages.
  i. Operating system – a highly complex set of programs designed to serve as the means of communication between the computer hardware and the human operator; to schedule, load, initiate and supervise the execution of programs; to initiate and control input and output operations; and to manage and control compilers and utility programs.
  ii. Utility programs – a program or group of programs designed to perform commonly encountered data handling functions such as sorting files and copying data from one file to another.
  iii. Compilers and interpreters – compilers are programs that translate high-level languages (source code) into machine language (object code), which can be placed into main storage and executed. Interpreters do not produce a stored object program; they translate and execute the source code one statement at a time, each time the program is run.
- Applications software – programs that help the operator use the computer to do specified tasks or to solve particular processing jobs.
c. Computer installations – the facilities where the computer hardware and personnel are located. Computer installations are generally organized into one of the following categories:
- In-house or captive computer – the organization owns or leases the equipment and hires the necessary trained personnel to program, operate and control the various applications processed with the equipment.
- Service bureau computer – the computer is operated by an independent agency which rents computer time and provides programming, key punching and other services. The user organization pays only for the computer time and other services it uses.
- Time sharing – under this system, the organization acquires a keyboard device capable of transmitting and receiving data and, by agreement, the right to use a central computer facility. This facility furnishes service to several users at the same time. The user company does most of its own programming and treats the computer as though it were the only one using it. When the company needs service, it accesses the computer facility by means of a communication line, submits its user number and password, calls for its files and then begins to process the necessary data.
- Facilities management – falls somewhere between the captive computer and the service bureau categories. Under this system, the organization needing computer services may lease or purchase the necessary hardware and install it on its own premises. Then, by negotiation, an outside contractor with the necessary staff of programmers and operators agrees to manage the facility. In some instances, the contractor may own or lease the equipment.

STAND-ALONE PERSONAL COMPUTERS

A personal computer (PC) can be used in various configurations. These include:
a. A stand-alone workstation operated by a single user or by a number of users at different times.
b. A workstation which is part of a local area network (LAN) of PCs.
c. A workstation connected to a server.

In a stand-alone PC environment, it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risk of undetected error to a minimum level. After obtaining an understanding of the accounting system and control environment, the auditor may find it more cost-effective not to make a further review of general controls or application controls, but to concentrate audit effort on substantive audit procedures.

NETWORK ENVIRONMENT

A network environment is a communication system that enables computer users to share computer equipment, application software, data, and voice and video transmissions. A file server is a computer with an operating system that allows multiple users in a network to access software applications and data files. Basic types of networks include:
a. Local area network (LAN) – an arrangement where two or more personal computers are linked together through the use of special software and communication lines. A LAN allows the sharing of resources such as storage facilities and printers.
b. Wide area network (WAN) – created to connect two or more geographically separated LANs. A WAN typically involves one or more long-distance providers, such as a telephone company, to provide the connections.
c. Metropolitan area network (MAN) – a type of network that spans multiple buildings close enough together to form a campus, where the space between the buildings is not under the control of the company.

A network's topology refers to how the various elements of the network are arranged. A network can be arranged in various forms, as follows:
a. Star topology – a network of computers with a large central computer (the host). The host computer has direct connections to smaller computers, typically desktop or laptop PCs. All communications must go through the host computer, except for local computing.
b. Hierarchical or tree topology – a host computer is connected to several levels of subordinate smaller computers in a master-slave relationship.
c. Ring topology – this configuration eliminates the central site. All nodes in this configuration are of equal status (peers). In this arrangement, the responsibility for managing communications is distributed among the nodes. Common resources that are shared by all nodes can be centralized and managed by a file server that is also a node.
d. Bus topology – the nodes are all connected to a common cable, the bus. Communications and file transfers between workstations are controlled by a server. It is generally less costly to install than a ring topology.
e. Mesh or double star topology – similar to star topology but with greater redundancy. It offers the greatest resiliency but is the most expensive to implement.
f. Client-server architecture – distributes the processing between the user's (client's) computer and the central file server. Both types of computer are part of the network, but each is assigned the functions it performs best. This approach reduces data communications traffic, thus shortening queues and improving response time.
g. Cloud computing – internet-based computing whereby shared resources, software and information are provided to computers and other devices on demand, like the electricity grid. In general, the customers do not own the physical infrastructure; they avoid capital expenditure by renting usage from a third-party provider, consuming resources as a service and paying only for the resources they use.
Figure 1 – Forms of Network Topology

Some devices and peripherals are needed for a network to exist and function properly. Computer networks warrant or may warrant the use of:
a. Network interface cards (NICs) – circuit boards used to transmit and receive commands and messages between a PC and a LAN.
b. Modems – devices that modulate and demodulate signals. They are primarily used for converting digital signals into quasi-analog signals for transmission over analog communication channels and for reconverting the quasi-analog signals into digital signals.
c. Repeaters – offer the simplest form of interconnectivity. They merely regenerate or repeat data packets or electrical signals between cable segments.
d. Hubs – hubs concentrate connections. In other words, they take a group of hosts and allow the network to see them as a single unit.
e. Bridges – a bridge is a device that connects similar or dissimilar LANs together to form an extended LAN. It can also connect LANs and WANs. Bridges are protocol-independent devices and are designed to store and forward frames destined for another LAN.
f. Switches – workgroup switches add more intelligence to data transfer management. They can determine whether data should remain on a LAN and transfer data only to the connection that needs it. Another difference between a bridge and a switch is that a switch does not convert data transmission formats.
g. Routers – routers have both LAN and WAN interfaces. Routers are the backbone devices of large intranets and of the internet. They select the best path and switch packets to the proper interface.
h. Gateways – used to connect LANs to host computers. Gateways act as translators between networks using incompatible transport protocols. A gateway is used to interconnect networks that may have different architectures.

Processing information in a network can also be done in various ways, including:
a. Centralized processing – a system where processing is done at a central location using terminals that are attached to a central computer. The computer itself may control all the peripherals, or they may be attached via a terminal server.
b. Distributed data processing – a system with several computers that are connected for communication and data transmission purposes but where each computer can also process its own data.
c. End user computing – a system in which the end user is responsible for the development and execution of the computer application that he or she uses.

ON-LINE COMPUTER SYSTEMS

On-line computer systems are computer systems that enable users to access data and programs directly through terminal devices. Types of terminal devices used in on-line systems include:
a. General purpose terminals – basic keyboard and screen, intelligent terminals, PCs.
b. Special purpose terminals – point-of-sale devices and automated teller machines (ATMs).

On-line systems allow users to directly initiate various functions such as entering transactions, making inquiries, requesting reports, updating master files and conducting e-commerce activities. On-line computer systems can be classified as follows:
a. On-line/real time processing – individual transactions are entered at terminal devices, validated, and used to update the related computer files immediately.
b. On-line/batch processing – individual transactions are entered at a terminal device, subjected to certain validation checks and added to a transaction file that contains the other transactions entered during the period. Later, during a subsequent processing cycle, the transaction file may be validated further and then used to update the relevant master file.
c. On-line/memo update and subsequent processing – combines on-line/real time and on-line/batch processing. Individual transactions immediately update a memo file containing information that has been extracted from the most recent version of the master file. Inquiries are made from this memo file. These same transactions are added to a transaction file for subsequent validation and updating of the master file on a batch basis.
d. On-line/inquiry processing – restricts users at terminal devices to making inquiries of master files.
e. On-line downloading/uploading processing – on-line downloading refers to the transfer of data from a master file to an intelligent terminal device for further processing by a user.
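The three update modes above differ in when a transaction is validated against the master file and in what a terminal inquiry sees in the meantime. The following is an added example, not code from the lecture notes, that simulates all three modes over a constructed master file and a constructed day's transactions; the account numbers, amounts, the four-digit account format and the edit checks are assumptions made for the illustration.

```python
from copy import deepcopy

# Constructed sample data (not from the lecture notes): a master file of account
# balances and one day's transactions keyed in at terminals as (id, account, amount).
MASTER_FILE = {"1001": 500.0, "1002": 1200.0}
DAYS_TRANSACTIONS = [
    ("T1", "1001", -200.0),  # withdrawal, valid
    ("T2", "1002", 300.0),   # deposit, valid
    ("T3", "1001", -400.0),  # would overdraw 1001 once T1 has posted
    ("T4", "9999", 50.0),    # well-formed but unknown account
    ("T5", "100X", 10.0),    # malformed account number
]
INQUIRY_AFTER = "T2"        # a terminal user asks for 1001's balance right after T2
INQUIRY_ACCOUNT = "1001"


def format_check(acct, amount):
    """Edit check a terminal can make without the master file (assumed format: 4 digits)."""
    return acct.isdigit() and len(acct) == 4 and isinstance(amount, float)


def master_check(master, acct, amount):
    """Full validation against the file being updated. Returns a reason or None."""
    if acct not in master:
        return "unknown account"
    if master[acct] + amount < 0:
        return "insufficient funds"
    return None


def run(mode, master_file=MASTER_FILE, transactions=DAYS_TRANSACTIONS):
    """Process the transactions in 'real-time', 'batch' or 'memo-update' mode.

    Returns (final master file, balance seen by the mid-day inquiry, rejections),
    where rejections maps transaction id -> (when, reason) and 'when' is 'entry'
    (reported to the terminal user at once) or 'batch' (found only in the
    subsequent processing cycle).
    """
    master = deepcopy(master_file)
    memo = deepcopy(master)      # memo file extracted from the master (memo-update mode)
    transaction_file = []        # accumulated for the later cycle (batch and memo-update)
    rejections = {}
    inquiry_seen = None

    for tx_id, acct, amount in transactions:
        if not format_check(acct, amount):
            rejections[tx_id] = ("entry", "malformed")
        elif mode == "real-time":
            reason = master_check(master, acct, amount)
            if reason:
                rejections[tx_id] = ("entry", reason)
            else:
                master[acct] += amount            # master updated immediately
        elif mode == "batch":
            transaction_file.append((tx_id, acct, amount))   # only the edit check so far
        elif mode == "memo-update":
            reason = master_check(memo, acct, amount)
            if reason:
                rejections[tx_id] = ("entry", reason)
            else:
                memo[acct] += amount              # memo updated now, master later
                transaction_file.append((tx_id, acct, amount))
        else:
            raise ValueError(f"unknown mode {mode!r}")

        if tx_id == INQUIRY_AFTER:
            # Inquiries read the memo file in memo-update mode and the master otherwise.
            inquiry_seen = (memo if mode == "memo-update" else master)[INQUIRY_ACCOUNT]

    # Subsequent processing cycle: validate the transaction file against the master
    # in entry order and post whatever passes.
    for tx_id, acct, amount in transaction_file:
        reason = master_check(master, acct, amount)
        if reason:
            rejections[tx_id] = ("batch", reason)
        else:
            master[acct] += amount
    return master, inquiry_seen, rejections


if __name__ == "__main__":
    for mode in ("real-time", "batch", "memo-update"):
        final, seen, rejected = run(mode)
        print(mode, final, "inquiry saw", seen, rejected)
```

All three modes end with the same master file, but the audit trail differs: in batch mode the overdraft (T3) and the unknown account (T4) pass the terminal's edit checks and are rejected only in the later cycle, so the evidence of rejection and resubmission lives in the batch log rather than at the terminal; in real time and memo update the user is told at entry. Memo update also answers the mid-day inquiry from the memo copy (300) while the master still shows 500 until the batch run.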
DATABASE SYSTEMS

Database systems have two components, namely:
a. Database – composed of data which are set up with defined relationships and are organized in a manner that permits many users to use the data in different application programs.
b. Database management system (DBMS) – software that creates, maintains and operates the database. It is a special software system that is programmed to know which data elements each user is authorized to access. The user's program sends requests for data to the DBMS, which validates and authorizes access to the database in accordance with the user's level of authority. If the user requests data that he or she is not authorized to access, the request is denied.

Database systems are characterized by:
a. Data sharing – the ability of a database to allow multiple users to access information at the same time.
b. Data independence – the immunity of user applications to changes in the definition and organization of the data.

Database processing typically depends on an on-line/real time system.

Generally, internal control in a database environment requires effective controls over the database, the DBMS and the applications. User access to the database can be restricted through the use of passwords. These restrictions apply to individuals, terminal devices and programs.
a. Discretionary access controls – allow users to specify who can access data they own and what action privileges those users have with respect to that data.
b. Mandatory access controls – require a database administrator to assign security attributes to data that cannot be changed by database users. In effect, users are not permitted to see or update all data in the database.
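To make the difference between the two kinds of control concrete, here is an added example, not code from the notes or from any real DBMS: a toy database that applies the mandatory label check first and the owner-granted (discretionary) access list second, so that a grant from the owner is never enough on its own and an ordinary user cannot relabel data. The users, the three-level label ordering, the clearances and the payroll record are constructed assumptions.

```python
from dataclasses import dataclass, field

# Ordered security levels used as mandatory security attributes (constructed example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Record:
    name: str
    owner: str
    label: str                                # assigned and changed only by the DBA
    acl: dict = field(default_factory=dict)   # grantee -> set of privileges, managed by the owner


class Database:
    """Toy DBMS: a mandatory label check, then a discretionary ACL check, for every request."""

    def __init__(self, dba):
        self.dba = dba
        self.records = {}
        self.clearance = {}

    # ---- mandatory access control: only the DBA sets labels and clearances ----
    def set_clearance(self, actor, user, level):
        if actor != self.dba:
            return "denied: only the DBA assigns clearances"
        self.clearance[user] = level
        return "ok"

    def create(self, actor, name, owner, label):
        if actor != self.dba:
            return "denied: only the DBA assigns labels"
        self.records[name] = Record(name, owner, label)
        return "ok"

    def relabel(self, actor, name, label):
        if actor != self.dba:
            return "denied: labels cannot be changed by database users"
        self.records[name].label = label
        return "ok"

    # ---- discretionary access control: owners decide who else may use their data ----
    def grant(self, actor, name, grantee, privilege):
        rec = self.records[name]
        if actor != rec.owner:
            return "denied: only the owner can grant"
        rec.acl.setdefault(grantee, set()).add(privilege)
        return "ok"

    # ---- the access decision the DBMS makes for every request ----
    def access(self, user, name, privilege):
        rec = self.records.get(name)
        if rec is None:
            return "denied: no such record"
        # Mandatory check: the user's clearance must be at least the record's label.
        # Users with no clearance on file are treated as "public".
        if LEVELS.get(self.clearance.get(user, "public"), 0) < LEVELS[rec.label]:
            return "denied: clearance below label (mandatory)"
        # Discretionary check: the owner has every privilege; others need an explicit grant.
        if user == rec.owner or privilege in rec.acl.get(user, set()):
            return "granted"
        return "denied: no grant from owner (discretionary)"


def demo():
    """Constructed walk-through on a payroll record. Returns the decisions made."""
    db = Database(dba="dba")
    db.set_clearance("dba", "alice", "confidential")   # alice owns the payroll data
    db.set_clearance("dba", "bob", "internal")
    db.set_clearance("dba", "carol", "confidential")
    db.create("dba", "payroll", owner="alice", label="confidential")
    db.grant("alice", "payroll", "bob", "read")         # discretionary grant by the owner
    out = {
        "owner_reads": db.access("alice", "payroll", "read"),
        "bob_reads": db.access("bob", "payroll", "read"),      # has a grant, lacks clearance
        "carol_reads": db.access("carol", "payroll", "read"),  # has clearance, lacks a grant
        "alice_relabels": db.relabel("alice", "payroll", "public"),
        "bob_grants": db.grant("bob", "payroll", "carol", "read"),
    }
    db.grant("alice", "payroll", "carol", "read")
    out["carol_reads_after_grant"] = db.access("carol", "payroll", "read")
    return out


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step}: {decision}")
```

The order of the two checks is the point: bob is denied despite the owner's grant because the mandatory label dominates, carol is denied despite her clearance until the owner grants her the privilege, and neither the owner nor bob can move the record to a lower label, which is what "cannot be changed by database users" means in practice.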
SYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION

SYSTEMS ANALYSIS AND DESIGN – a systematic approach to identifying problems, opportunities and objectives, analyzing the information flow in organizations and designing computerized information systems to solve a problem. New systems are developed or acquired for the following reasons:
a. To answer a business need.
b. To solve a particular set of problems.

To satisfy a company's information processing needs, the company may use proprietary software packages or make use of its own employees and/or consultants to develop a system (in-house development). The fundamental approaches to developing an in-house information system are prototyping and pre-specification.

SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC) – a systematic approach to solving business problems. The cycle involves a logical sequence of activities used to identify new system needs and to develop new systems to support those needs. Each phase in the cycle has unique activities, and the phases vary widely from one organization to another.
a. Feasibility phase – involves systems planning and system evaluation and selection.
- System planning – aims to link individual system projects or applications to the strategic objectives of the firm.
- System evaluation and selection – an optimization process that seeks to identify the best system.
  i. Perform a detailed feasibility study – should cover the technical, legal, operational and schedule feasibility of the system.
  ii. Perform a cost-benefit analysis – entails the use of capital budgeting techniques.
b. Requirement specification – involves systems analysis and conceptual systems design.
- Systems analysis – a two-step process involving first a survey of the current system and then an analysis of the users' needs.
- Conceptual systems design – the purpose of this stage is to produce several alternative conceptual systems that satisfy the system requirements identified during systems analysis.
c. Systems design – the goal of this phase is to produce a detailed description of the proposed system that both satisfies the system requirements identified during systems analysis and is in accordance with the conceptual design. In this phase, all components are meticulously specified. After completing this phase, the development team usually performs a system design walkthrough to ensure that the design is free from conceptual errors that could become programmed into the final system.
d. Systems development and programming – programs are written to create the software necessary to make the information system operational. This phase includes the following activities:
- System specifications review.
- Program identification and description.
- Program coding.
- Testing the application software.
- Documentation.
e. Systems conversion and implementation – database structures are created and populated with data, equipment is purchased and installed, employees are trained, the system is documented and the new system is installed. Common approaches to systems conversion:
- Parallel conversion – operates the old and new systems simultaneously.
- Direct conversion – involves immediate conversion to the new system throughout the organization.
- Phased conversion – the information system is implemented one module at a time by either parallel or direct conversion.
- Pilot conversion – the new system is implemented by parallel, direct or phased conversion as a pilot system in only one of the several areas for which it is targeted.
- Prototype conversion – involves developing and putting into operation successively more refined versions of the system until sufficient information is obtained to produce a satisfactory design.
f. Post-implementation review and system maintenance – after implementing the system, a critical examination of the system must be made to check on the progress of the implementation and whether corrective measures have to be taken. Throughout the life of the system, continuing monitoring, evaluation and modification of the system must also be done to ensure that objectives are achieved and that new needs or problems are addressed.

The participants in systems development are:
a. Systems professionals – the systems analysts, systems engineers and programmers. These individuals actually build the system.
b. End users – those for whom the system is built.
c. Stakeholders – individuals either within or outside the organization who have an interest in the system but are not end users.
d. Accountants and auditors – the individuals who address the controls, accounting and auditing issues for systems development. Accountants are involved in the SDLC in three ways: as users, as members of the development team and as auditors.

The SDLC process is of interest to accountants and auditors for two reasons:
a. The creation of an information system entails significant financial transactions.
b. The quality of accounting information rests directly on the SDLC activities that produce accounting information systems.

INTRODUCTION TO CIS AUDIT

A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether the computer is operated by the entity or by a third party.

The overall objective and scope of an audit do not change in a CIS environment. However, a CIS environment may affect:
a. The procedures followed in obtaining a sufficient understanding of the accounting and internal control systems.
b. The consideration of inherent and control risk.
c. The design and performance of tests of controls and substantive procedures.

In this regard, the auditor should have sufficient knowledge of the CIS to plan, direct and review the work performed. If specialized skills are needed, the auditor would seek the assistance of a professional possessing such skills, who may be either on the auditor's staff or an outside professional.

In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use in the audit. When the CIS environment is significant, the auditor should also obtain an understanding of the CIS environment and whether it may influence the assessment of inherent and control risks.

The auditor should consider the CIS environment in designing audit procedures to reduce audit risk to an acceptably low level. The auditor can use either manual audit procedures or computer-assisted audit techniques (CAATs), or a combination of both, to obtain sufficient evidential matter.

An audit in a CIS environment is generally divided into three phases:
a. Audit planning – this phase consists of both short-term planning and long-term planning and has risk analysis as one of its major parts.
- Short-term planning – takes into account audit issues that will be covered during the year.
- Long-term planning – relates to audit plans that take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.
- Risk analysis – helps identify risks and vulnerabilities so the auditor can determine the controls needed to mitigate those risks. The auditor is often focused on high-risk issues associated with the confidentiality, availability or integrity of sensitive and critical information and the underlying information systems and processes that generate, store and manipulate such information.
b. Test of controls or compliance testing – to determine whether adequate internal controls are in place and functioning properly.
c. Substantive testing – can be performed either with or without the use of computers. The auditor must also consider that in a CIS environment the information needed to perform substantive tests is contained in data files that often must be extracted using computer-assisted audit tools and techniques (CAATs) software.

CHARACTERISTICS AND CONSIDERATIONS IN A CIS ENVIRONMENT

ORGANIZATIONAL STRUCTURE – characteristics of a CIS organizational structure include:
a. Concentration of function and knowledge – although most systems employing CIS methods will include certain manual operations, generally the number of persons involved in the processing of financial information is significantly reduced.
b. Concentration of programs and data – transaction and master file data are often concentrated, usually in machine-readable form, either in one computer installation located centrally or in a number of installations distributed throughout the entity.

NATURE OF PROCESSING – the use of computers may result in the design of systems that provide less visible evidence than those using manual procedures. In addition, these systems may be accessible by a larger number of persons. System characteristics that may result from the nature of CIS processing include:
a. Absence of input documents – data may be entered directly into the computer system without supporting documents. In some on-line transaction systems, written evidence of individual data entry authorization may be replaced by other procedures, such as authorization controls contained in computer programs.
b. Lack of visible audit trail – the transaction trail may be partly in machine-readable form and may exist only for a limited period of time.
c. Lack of visible output – certain transactions or results of processing may not be printed, or only a summary of the data may be printed.
d. Ease of access to data and computer programs – data and computer programs may be accessed and altered at the computer or through the use of computer equipment at remote locations. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of, data and programs by persons inside or outside the entity.

DESIGN AND PROCEDURAL ASPECTS – the development of CIS will generally result in design and procedural characteristics that are different from those found in manual systems. These different design and procedural aspects of CIS include:
a. Consistency of performance – CIS perform functions exactly as programmed and are potentially more reliable than manual systems, provided that all transaction types and conditions that could occur are anticipated and incorporated into the system. On the other hand, a computer program that is not correctly programmed and tested may consistently process transactions or other data erroneously.
b. Programmed control procedures – the nature of computer processing allows internal control procedures to be designed into computer programs.
c. Single transaction update of multiple or database computer files – a single input to the accounting system may automatically update all records associated with the transaction.
d. System-generated transactions – certain transactions may be initiated by the CIS itself without the need for an input document.
e. Vulnerability of data and program storage media – large volumes of data and the computer programs used to process such data may be stored on portable or fixed storage media, such as magnetic disks and tapes. These media are vulnerable to theft, loss, or intentional or accidental destruction.

INTERNAL CONTROL IN A CIS ENVIRONMENT – GENERAL CONTROLS

GENERAL CIS CONTROLS – relate to all EDP applications and are implemented to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved. General controls may include:
a. Organization and management controls – designed to define strategic direction and establish an organizational framework over CIS activities, including:
- Strategic information technology plan.
- CIS policies and procedures.
- Segregation of incompatible functions.
- Monitoring of CIS activities performed by third-party consultants.
b. Development and maintenance controls – designed to provide reasonable assurance that systems are developed or acquired, implemented and maintained in an authorized and efficient manner. They are also typically designed to establish control over:
- Project initiation, requirements definition, systems design, testing, data conversion, the go-live decision, migration to the production environment, documentation of new or revised systems, and user training.
- Acquisition and implementation of off-the-shelf packages.
- Requests for changes to existing systems.
- Acquisition, implementation and maintenance of system software.
c. Delivery and support controls – designed to control the delivery of CIS services, including:
- Establishment of service level agreements against which CIS services are measured.
- Performance and capacity management controls.
- Event and problem management controls.
- Disaster recovery/contingency planning, training and file backup.
- Computer operations controls.
- Systems security.
- Physical and environmental controls.
d. Monitoring controls – designed to ensure that CIS controls are working effectively as planned. These include:
- Monitoring of key CIS performance indicators.
- Internal/external CIS audits.

Figure 5 – Sample Organizational Structure Within a CIS Department
- CIS Director – exercises control over the CIS operation.
- Systems analyst – designs new systems, evaluates and improves existing systems and prepares specifications for programmers.
- Programmers – guided by the specifications of the systems analyst, the programmers write programs, test and debug those programs and prepare the computer operating instructions.
  i. Systems programmer – in charge of the programs that make the hardware work, such as the operating system, telecommunications monitor and database management system.
  ii. Applications programmer – in charge of programs for specific uses.
- Computer operator – using the program and the detailed operating instructions prepared by the programmer, the computer operator operates the computer to process transactions.
- Data entry operator – prepares and verifies input data for processing.
- Data librarian – maintains custody of systems documentation, programs and files.
- Control group – reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output and distributes output to authorized personnel.

Alternatively, general controls can be categorized into the following domains, as per the AICPA audit guide:
a. Organizational and operation controls – segregation of duties provides the control mechanism for maintaining an independent processing environment, thus meeting control objectives.
- Segregate functions between the EDP department and user departments.
- Do not allow the EDP department to initiate or authorize transactions.
- Segregate functions within the EDP department.
Auditor's test of control – should include inquiry, observation, discussion and review of an appropriate organization chart and of the responsibility for initiating and authorizing transactions; discrepancies should be reported and the appropriate controls recommended.
b. Systems development and documentation controls – within EDP, new systems are developed that either replace an old system or enhance present systems. This environment requires unique controls to ensure that the integrity of the overall system is maintained.
- User departments must participate in systems design.
- Each system must have written specifications which are reviewed and approved by management and by user departments.
- Both users and EDP personnel must test new systems.
- Management, users and EDP personnel must approve new systems before they are placed into operation.
- All master file and transaction file conversions should be controlled to prevent unauthorized changes and to verify the results on a 100% basis.
- After a new system is operating, there should be proper approval of all program changes.
- Proper documentation standards should exist to assure continuity of the system.
Auditor's test of control – should determine that the system development procedures that exist are properly functioning and adequately documented, and that all documentation pertaining to procedures, programs or methodologies is up to date and written in clear and concise language.
c. Hardware and systems software controls – the reliability of EDP hardware has increased dramatically over the years, not only due to advances in technology but also due to the controls built into the equipment to detect and prevent failures.
- The auditor should be aware of the control features inherent in computer hardware, the operating system and other supporting software, and ensure that they are utilized to the maximum possible extent.
- Systems software should be subjected to the same control procedures as those applied to the installation of and changes to application programs.
- Examples of hardware and software controls include:
  i. Parity check – a special bit is added to each character stored in memory so that the hardware can detect if it loses a bit during the internal movement of a character. A single parity bit detects any odd number of flipped bits in a character; an even number of flipped bits leaves the parity unchanged and goes undetected.
  ii. Echo check – primarily used in telecommunications transmissions. During the sending and receiving of characters, the receiving hardware repeats back to the sending hardware what it received, and the sending hardware automatically resends any characters that it detects were received incorrectly.
  iii. Diagnostic routines – hardware or software supplied by the manufacturer to check the internal operations and devices within the computer system. These routines are often activated when the system is booted up.
  iv. Boundary protection – most CPUs have multiple jobs running simultaneously. To ensure that these simultaneous jobs cannot destroy or change the allocated memory of another job, the system contains boundary protection controls.
  v. Periodic maintenance – the system should be examined periodically by a qualified service technician to help prevent unexpected hardware failures.
Auditor's test of control – should test whether the controls are functioning as intended. In addition, audit software can be used to analyze the data collected by the diagnostic routines and detect significant trends.
either physically or electronically, or reviewing any unauthorized access Echo check – primarily used in telecommunications transmissions. that has been recorded. The tests should also ensure that all security During the sending and receiving of characters, the receiving violations are followed up on to ensure they are errors. hardware repeats back to the sending hardware what it received e. Data and procedural controls – a written manual of systems and and the sending hardware procedures should be prepared for all computer operations and should ii. automatically resends any characters that it detects were provide for management’s general or speci昀椀c authorization to process received incorrectly. transactions. An independent party should review and evaluate proposed lOMoARcPSD|5600552 systems at critical stages of development and review and test computer Transactions are properly authorized before being processed by the processing activities. computer. A control group should receive all data to be processed, ensure that Transactions are accurately converted into machine readable form all data are recorded, follow up errors during processing and and recorded in the computer data 昀椀les. determine that transactions are corrected and resubmitted by the Transactions are not lost, added, duplicated or improperly changed. proper user personnel and verify the proper distribution of output. Incorrect transactions are rejected, corrected and if necessary, To prevent unnecessary stoppages or errors in processing, the resubmitted on a timely basis. following speci昀椀c controls should be implemented: i. Operations run manual – speci昀椀es in details, the “the how Input controls attempt to ensure the validity, accuracy and completeness of to’s” for each application to enable the computer operator data entered into a CIS. Input controls may be subdivided into: to respond to any errors that may occur. Data observation and recording, includes: ii. 
Backup and recovery – to ensure preservation of historical i. The use of pre-numbered and pre-printed documents. records and the ability to recover from an unexpected ii. Keeping blank forms under lock and key. error, 昀椀les created within EDP are backed up in a iii. Online computer systems o昀昀er menu screens, preformatted systematic manner (i.e. “snapshot” in a database system, screens, use of scanners that read bar codes and use of grand-father-son method, o昀昀-site storage of critical 昀椀les) feedback mechanisms to approve a transaction. iii. Contingency processing – detailed contingency processing iv. Self-checking digit – mathematically calculated digit which plans should be developed to prepare for natural disasters, is usually added to a document number to detect common man-made disasters or general hardware failures that trans positional errors in data submitted for processing. disable the data center (i.e. very hot sites, hot sites and Data transcription (batching and converting), includes: cold sites) i. Carefully structured source documents and input screens. iv. File protection ring – used to ensure that an operator does ii. Control totals – computed based on the data submitted for not use a magnetic tape as a tape to write on when it processing. They are further categorized into actually has critical information on it. 昀椀nancial/amount control/ batch/proof total, hash total and v. Internal and external labels – allows the computer operator record count. to determine whether the correct 昀椀le has been selected for iii. Key veri昀椀cation requiring data to be entered twice. processing. iv. Visual veri昀椀cation Edit tests of transaction data, includes: Auditor’s test of control – normally include identi昀椀cation, observation i. Validity check – a check which allows only valid and inquiry. While some of the data and procedural controls are easy to transactions or data to be entered into the system (i.e. 
M – implement, other controls such as contingency processing are more di昀케cult male; F – female). and costly to implement. The auditor should determine that these controls ii. Reasonableness and limit check – these tests determine are either present or that management has accepted the related risks and whether amounts entered are too high, too low or that all exceptions are scrutinized. unreasonable (i.e. hours work should not exceed 40 hours a week and increase in salary is reasonable compared to INTERNAL CONTROL IN A CIS ENVIRONMENT – APPLICATION CONTROLS salary base). Field check – a check that makes certain that only numbers, alphabetical CIS APPLICATION CONTROLS – relate to a speci昀椀c application instead of multiple characters, special characters and proper negative and positive signs are applications and are implemented to establish speci昀椀c control procedures over the accepted into a speci昀椀c data application systems in order to provide reasonable assurance that all transactions iii. 昀椀eld where they are required (i.e. numbers do not appear in are authorized, recorded and are processed completely, accurately and on a timely 昀椀elds reserved for words). basis. CIS application controls include: iv. Sequence check – a check that requires successive input a. Controls over input – designed to provide assurance that: data are in some prescribed order to avoid missing out an input. lOMoARcPSD|5600552 v. Field size check – requires an error message to result if an focuses on examining source documents or input and checking the 昀椀nal exact number of characters are to be inputted and is not output based on those documents. This method can only be used if all of met. the following conditions are met: vi. Logic check – ensures that illogical combinations of inputs The source documents must be available in a form readable by a are not accepted into the computer. human. vii. Range check – particular 昀椀elds fall within speci昀椀ed ranges. 
The documents must be maintained in a manner that makes it Transmission of transaction data, includes: possible to locate them for auditing purposes. i. Echo check – transmitting data back to the originating The output must be listed in su昀케cient detail to enable the auditor terminal for comparison with the transmitted data. to trace individual transactions from the source documents to the ii. Redundancy data check – transmitting additional data to output and vice versa. aid in the veri昀椀cation process. b. Auditing through the computer – the auditor enters the client’s system iii. Completeness check – verifying that all required data have and examines directly the computer and its system and application been entered and transmitted. software. The focus of this approach is on the e昀昀ectiveness of computer controls. b. Controls over processing and computer data 昀椀les – designed to c. Auditing with the computer – the computer is used as an audit tool. provide a reasonable assurance that: Transactions, including system generated transactions, are COMPUTER ASSISTED AUDIT TOOLS/TECHNIQUES (CAATs) are computer properly processed by the computer. programs and data the auditor uses as part of the audit procedures to process data Transactions are not lost, added, duplicated or improperly changed. of audit signi昀椀cance contained in an entity’s information systems. The data may be Processing errors are identi昀椀ed and corrected on a timely basis. transaction data on which the auditor wishes to perform tests of controls or substantive procedures or they may be other types of data. Processing controls help assure that data are processed accurately and completely and that no unauthorized transactions are included, that proper CAATs may be used in performing various auditing procedures, including the 昀椀les and programs are included and that all transactions can be easily following: traced. Processing controls include: a. Tests of details of transactions and balances. 
Manual cross checks – include checking the work of another b. Analytical procedures. employee, reconciliations and acknowledgments. c. Tests of general controls. Processing logic checks – many of the programmed edit checks d. Sampling programs to extract data for audit testing. used in the input stage may also be employed during processing. e. Tests of application controls. Run-to-run totals – batched data should be controlled during f. Reperforming calculations performed by the entity’s accounting systems. processing runs so that no records are omitted or incorrectly inserted into a transaction 昀椀led. CAATs FOR TEST OF CONTROLS File and program changes – to ensure that transactions are posted to the proper account, master 昀椀les should be checked for PROGRAM ANALYSIS – techniques that allow the auditor to gain an correctness and programs should be validated. understanding of the client’s program. Audit trail linkages – a clear audit trail is needed to enable individual a. Code review – involves actual analysis of the logic of the program’s transactions to be traced, to provide support in general ledger balances, to prepare processing routines. 昀椀nancial reports and to correct transaction errors or lost data. AUDIT APPROACHES AND CAATs c. Controls over output – designed to provide reasonable assurance that: A CIS audit may be done in two major approaches and some add a third approach Results of processing are accurate. as follows: Access to output is restricted to authorized personnel. a. Auditing around the computer – the auditor ignores or bypasses the Output is provided to appropriate authorized personnel on a timely computer processing function of an entity’s EDP system. This approach basis. lOMoARcPSD|5600552 e. Snapshot – this technique takes a picture of the status of program The following controls are frequently used to maintain the integrity of execution, intermediate results or transaction data at speci昀椀ed processing processing: points in the program. 
Control total – are compared with those computed prior to processing to ensure completeness of information. PROGRAM TESTING – involves the use of auditor-controlled actual or simulated Limiting the quantity of output and total processing time data. a. Historical audit techniques – test the audit computer controls at a point REVIEW OF CIS CONTROLS – general CIS controls that relate to some or all in time. applications are typically interdependent controls in that their operation is often Test data – a set of dummy transactions speci昀椀cally designed to essential to the e昀昀ectiveness of CIS application controls. Also, the general CIS test the control activities that management claims to have controls may have a pervasive e昀昀ect on the processing of transactions in incorporated into the processing programs. Test data shifts control application systems. If these controls are not e昀昀ective, there may be a risk that over processing to the auditor by using the client’s software to misstatements might occur and go undetected in the application system. Thus, process auditor prepared test data that includes both valid and weakness in general CIS controls may preclude testing certain CIS application invalid conditions. If embedded controls are functioning properly, controls. Accordingly, it may be more e昀케cient to review the design of the general the client’s software should detect all the exceptions planted in the controls 昀椀rst before reviewing the applications controls. CIS application controls auditor’s test data. This technique would be ine昀昀ective if the client which the auditor may wish to test include: does not use the software tested. a. Manual controls exercised by the user. b. Controls over system output. c. Programmed controls procedures. ELECTRONIC DATA INTERCHANGE Electronic data interchange (EDI) is the electronic exchange of transactions from one entity’s computer to another entity’s computer through an electronic communications network. 
In electronic fund transfers, for example, electronic transactions replace checks as a means of payment. EDI controls include: a. Authentication – controls must exist over the origin, proper submission and proper delivery of EDI communications to ensure that the EDI messages are accurately sent and received to and from authorized customers and suppliers. b. Encryption – involves conversion of plain text data to cipher text data to make EDI messages unreadable to unauthorized persons. c. Value added network (VAN) controls – a VAN is a computer service organization that provides network, storage and forwarding (mailbox) Figure 2 – Test Data services for EDI messages. b. Code comparison – programs that allow the auditor to compare Base case system evaluation (BCSE) – develops test data that computerized 昀椀les. purports to test every possible condition that an auditor expects a c. Flowcharting software – used to produce a 昀氀owchart of a program’s logic client’s software will confront. BCSE provides an auditor with much and may be used both in mainframe and microcomputers. more assurance than test data alone but it is expensive to develop d. Program tracing and mapping – program tracing is a technique in which and therefore cost-e昀昀ective only in large computer systems. instruction executed is listed along with control information a昀昀ecting that Integrated test facility - a variation of test data whereby instruction. Program mapping identi昀椀es sections of code which may be a simulated data and actual data are run simultaneously with the potential source of abuse. client’s program and computer results are compared with auditor’s lOMoARcPSD|5600552 predetermined results. The technique provides assurance that the Control reprocessing – a variation of parallel simulation which software tested is actually used to prepare 昀椀nancial reports. involves processing of actual client data through a copy of the client’s application program. b. 
Continuous audit techniques – test the audit computer controls throughout the period. Audit modules – programmed audit routines incorporated into application programs that are designed to perform an audit function such as a calculation or logging activity. System control audit review 昀椀les (SCARFs) – logs that collect transaction information for subsequent review and analysis by the auditor. Audit hooks – “exits” in an entity’s computer program that allows an auditor to insert commands for audit processing. Transaction tagging – a transaction record is “tagged” and then traced through critical points in the information system. Figure 3 – Integrated Test Facility Extended records – this technique attaches additional audit data which would not otherwise be saved to regular historic records and Parallel simulation – it involves processing of client’s live (actual) thereby helps to provide a more complete audit trail. data utilizing an auditor’s generalized audit software. If an entity’s controls have been operating e昀昀ectively, the client’s software REVIEW OF OPERATING SYSTEM AND OTHER SYSTEMS SOFTWARE should generate the same exceptions as the same as the auditor’s a. Job accounting data/operating system logs – these logs that track software. This technique should be performed on a surprise basis if particular functions, include reports of the resources used by the computer possible. system. The auditor may be able to use them to review the work processed, to determine whether unauthorized applications were processed and to determine that authorized applications were processed properly. b. Library management software – this logs changes in programs, program modules, job control language and other processing activities. c. Access control and security software – this restricts access to computers to authorized personnel through techniques such as only allowing certain users with “read-only” access or through use of encryption. 
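The programmed edit tests (validity, reasonableness/limit, field, sequence, field size, logic and range checks) and the batch control totals described under Controls over input, worked through as an added example that is not part of the lecture notes; the payroll record layout, the field rules, the sample batch and the batch header are all constructed for illustration.

```python
"""Input edit tests and batch control totals over a payroll batch.

Added example, not part of the lecture notes: the record layout, the field
rules, the sample batch and the batch header are all constructed.
"""
from dataclasses import dataclass

@dataclass
class Record:
    seq: int         # sequence number pre-printed on the source document
    emp_id: str      # employee number, exactly 6 digits
    name: str        # letters and spaces only
    sex: str         # 'M' or 'F'
    hours: float     # regular hours, at most 40 per week
    overtime: float  # overtime hours, only sensible when hours == 40
    amount: float    # gross pay

def edit_tests(rec: Record, expected_seq: int) -> list[str]:
    """Run the programmed edit tests on one record; return the failed tests."""
    errors = []
    if rec.seq != expected_seq:                  # sequence check
        errors.append("sequence")
    if not rec.emp_id.isdigit():                 # field check (numeric field)
        errors.append("field:emp_id")
    if len(rec.emp_id) != 6:                     # field size check
        errors.append("field size:emp_id")
    if not rec.name.replace(" ", "").isalpha():  # field check (alphabetic field)
        errors.append("field:name")
    if rec.sex not in ("M", "F"):                # validity check
        errors.append("validity:sex")
    if not 0 <= rec.hours <= 40:                 # reasonableness and limit check
        errors.append("limit:hours")
    if rec.overtime > 0 and rec.hours < 40:      # logic check
        errors.append("logic:overtime")
    if not 0 < rec.amount <= 100_000:            # range check
        errors.append("range:amount")
    return errors

def control_totals(batch: list[Record]) -> dict:
    """Record count, financial (amount) total and hash total of employee numbers."""
    return {
        "record_count": len(batch),
        "amount_total": round(sum(r.amount for r in batch), 2),
        # A hash total has no meaning in itself; it only reveals keying errors.
        "hash_total": sum(int(r.emp_id) for r in batch if r.emp_id.isdigit()),
    }

def process_batch(batch: list[Record], header: dict):
    """Edit-test every record, then compare the totals the user department
    keyed from the source documents (header) with those computed here."""
    accepted, rejected = [], {}
    for expected_seq, rec in enumerate(batch, start=1):
        errs = edit_tests(rec, expected_seq)
        if errs:
            rejected[rec.seq] = errs
        else:
            accepted.append(rec)
    computed = control_totals(batch)
    mismatched = sorted(k for k in header if header[k] != computed[k])
    return accepted, rejected, mismatched

# Constructed batch of five payroll documents with errors planted in the last three.
BATCH = [
    Record(1, "100201", "ANA CRUZ", "F", 40, 2, 18500.00),
    Record(2, "100202", "BEN SANTOS", "M", 38, 0, 15200.50),
    Record(3, "100203", "CARLA DIAZ", "X", 45, 5, 21000.00),  # invalid sex, > 40 h
    Record(4, "12A45", "DAN REYES", "M", 40, 0, 16000.00),    # mis-keyed employee no.
    Record(6, "100206", "EVA LIM", "F", 36, 3, 14800.00),     # doc 5 missing; OT at 36 h
]
# Constructed header totals as the user department would compute them from the
# source documents, where document 4 actually carries employee number 100204.
HEADER = {"record_count": 5, "amount_total": 85500.50, "hash_total": 501016}

if __name__ == "__main__":
    accepted, rejected, mismatched = process_batch(BATCH, HEADER)
    print(len(accepted), "accepted", rejected, "totals off:", mismatched)
```

The edit tests catch the errors visible within a record, while the hash total mismatch is what reveals the mis-keyed employee number, which passes no individual test once the digits happen to be valid.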
OTHER CAATs

Other techniques which an auditor can use in the audit under a CIS environment include:
a. Audit software – computer programs used to process data of audit significance from the client's accounting system.
   - Package programs (also known as generalized audit software) – programs that can be used in numerous clients. They can be designed to perform different audit tasks such as:
   - Purpose-written programs (also known as special-purpose or custom-designed programs) – computer programs designed for specific audit tasks.
   - Utility programs – part of the systems software that performs routine CIS tasks. They are generally not designed for audit purposes.
b. Electronic spreadsheets – contain a variety of pre-defined mathematical operations and functions that can be applied to data entered into the cells of a spreadsheet.
c. Automated work paper software – designed to generate a trial balance, lead schedules and other reports useful for the audit. The schedules and reports can be created once the auditor has either manually entered or electronically imported the client's account balance information into the system.
d. Text retrieval software – allows the user to view any text that is available in an electronic format. The software program allows the user to browse through text files much as a user would browse through books.
e. Database management systems – manage the creation, maintenance and processing of information. The data are organized in the form of predefined records, and the database software is used to select, update, sort, display or print the records.
f. Public databases – may be used to obtain accounting information related to particular companies and industries.
g. Word processing software.

USING AND CONTROLLING CAATs

Several factors are to be considered in deciding whether CAATs should be used in the audit, including:
a. Degree of technical competence in CIS.
b. Availability of CAATs and appropriate computer facilities.
c. Impracticability of manual tests.
d. Effectiveness and efficiency of CAATs.
e. Timing of tests.

Procedures to control the use of audit software may include:
a. Participating in the design and testing of computer programs.
b. Checking the coding of the program.
c. Requesting the client's CIS personnel to review the operating system instructions.
d. Running the audit software on small test files before running them on main data files.
e. Ensuring that the correct files were used.
f. Obtaining evidence that the audit software functioned as planned.
g. Establishing appropriate security measures to safeguard against manipulation of the entity's data files.

Procedures to control the use of test data may include:
a. Controlling the sequence of submission of test data where it spans several processing cycles.
b. Performing test runs.
c. Predicting the results of test data.
d. Confirming that the current version of the program was used.
e. Obtaining reasonable assurance that the programs used to process the test data were used by the entity throughout the applicable audit period.

USING CAATs IN SMALL BUSINESS COMPUTER ENVIRONMENTS

The general principles outlined are applicable in small business computer environments. However, the following points should be given special consideration in these environments:
a. The level of general CIS controls may be such that the auditor will place less reliance on the system of internal control, resulting in:
   - Greater emphasis on tests of details of transactions and balances and on analytical review procedures, which may increase the effectiveness of certain CAATs, particularly audit software.
   - The application of audit procedures to ensure the proper functioning of the CAATs and the validity of the entity's data.
b. In cases where smaller volumes of data are processed, manual methods may be more cost-effective.
c. Adequate technical assistance may not be available to the auditor from the entity, thus making the use of CAATs impracticable.
d. Certain audit package programs may not operate on small computers, thus restricting the auditor's choice of CAATs. However, the entity's data files may be copied and processed on another suitable computer.
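The test data technique from Program testing, combined with two of the procedures for controlling test data listed above (predicting the results beforehand and confirming the program version), as an added example that is not part of the lecture notes; the client edit routine, the dummy transactions, the predicted results and the program text are constructed stand-ins for a real client's program.

```python
"""Auditor test data run through a client payroll edit routine.

Added example, not part of the lecture notes: the client routine, the test
transactions, the predicted results and the program text are constructed.
"""
import hashlib

def client_payroll_edit(txn: dict) -> tuple[str, float]:
    """Constructed stand-in for the client's production edit routine. It has a
    validity check on sex and a limit check on hours but, deliberately, no
    check against negative hours; the test data below is meant to find that."""
    if txn["sex"] not in ("M", "F"):
        return ("REJECT", 0.0)
    if txn["hours"] > 40:
        return ("REJECT", 0.0)
    return ("ACCEPT", round(txn["hours"] * txn["rate"], 2))

# Auditor-prepared dummy transactions mixing valid and invalid conditions,
# each with its result predicted before the run (control procedure c).
TEST_DATA = [
    {"id": "T1", "sex": "F", "hours": 40, "rate": 120.0, "predict": ("ACCEPT", 4800.0)},
    {"id": "T2", "sex": "M", "hours": 41, "rate": 120.0, "predict": ("REJECT", 0.0)},
    {"id": "T3", "sex": "X", "hours": 30, "rate": 120.0, "predict": ("REJECT", 0.0)},
    {"id": "T4", "sex": "M", "hours": -8, "rate": 120.0, "predict": ("REJECT", 0.0)},
]

def run_test_data(program, test_data: list[dict]) -> dict[str, tuple]:
    """Process every test transaction with the client's program and return
    only the differences from the predictions: {id: (actual, predicted)}.
    An empty dict means every planted exception was detected."""
    differences = {}
    for t in test_data:
        actual = program({k: t[k] for k in ("sex", "hours", "rate")})
        if actual != t["predict"]:
            differences[t["id"]] = (actual, t["predict"])
    return differences

def fingerprint(program_text: bytes) -> str:
    """SHA-256 of the program as obtained from the client, recorded at the
    first test and re-checked before each later run (control procedure d)."""
    return hashlib.sha256(program_text).hexdigest()

def version_unchanged(recorded: str, current_text: bytes) -> bool:
    """True when the program about to be tested matches the recorded version."""
    return fingerprint(current_text) == recorded

# Constructed program text standing in for the client's object code; the
# recorded value is what the auditor noted when the program was first tested.
APPROVED_TEXT = b"payroll_edit v3.1: reject sex not in (M,F); reject hours > 40"
RECORDED_FINGERPRINT = fingerprint(APPROVED_TEXT)

if __name__ == "__main__":
    if version_unchanged(RECORDED_FINGERPRINT, APPROVED_TEXT):
        # Only T4 differs: the routine accepts -8 hours and computes pay of -960.00.
        print(run_test_data(client_payroll_edit, TEST_DATA))
```

T4 is the exception the client's software failed to detect, which in the terms of the notes means the embedded limit control is incomplete and becomes an audit finding rather than a passed test.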