AUDITING IN

COMPUTERISED
INFORMATION
SYSTEM (CIS)
ENVIRONMENT

Upon completion of this chapter, students should

be able to:
6.1 Understand the basic approaching to
computerized information
system (CIS)
6.1.1 Describe the changing information of
technology and its
implication for
auditing.
6.1.2 Determine the level of complexity in
computerized
information system
environments.
6.1.3 Identify the general and application control
on CIS
6.1.4 Prepare the plan an audit strategic in CIS
approach
Page 2

CLO 1
Justify properly the
techniques employed in the
various stages of the audit
process and evaluate
findings
Page 3

IMPACT OF AN IT ENVIRONMENT ON AN AUDIT

When an auditor is auditing in an information
technology (IT)
environment, the auditor should consider how the
IT environment
affects the audit.
The overall objective and scope of an audit does
not change in an
IT environment.
However, the use of IT changes the processing,
storage and
communication of financial information, and may
effect the
Page 4
accounting and internal control systems employed

The auditor should, therefore, consider the following

impact on the audit:
1)The procedures followed by the auditor in obtaining
a sufficient understanding of the accounting and
internal control systems.
2)The consideration of inherent risk and control risk in
arriving at the overall risk assessment.
3)The designing and performance of tests of controls
and substantive procedures appropriate to meet the
audit objectives.
Page 5

SKILLS AND COMPETENCE

The auditor should have sufficient knowledge of IT to
plan, direct, supervise and review the work
performed. The auditor should also consider whether
specialized skills in IT are needed in an audit to:
1)Obtain a sufficient understanding of the accounting
and internal control systems affected by the IT
environment.
2)Determine the affect of the IT environment on the
assessment of overall risk and of risk at the account
balance and class of transactions level.
3)Design and perform appropriate tests of controlsPage 6
and substantive procedures in order to obtain

TYPES OF CONTROLS IN AN IT ENVIRONMENT

There are TWO broad categories of information

systems control procedures:
1)General Controls relate to the overall
information processing and environment and they
have pervasive effect on the entitys information
systems and operations. General controls are
sometimes referred to as supervisory, management, or
information technology controls.
2)Application Controls apply to the processing of
specific or individual applications (for example,
revenues or purchasing). Application controls help
ensure that transactions occurred are authorised,Pageand
7

The overall objective of

general and
application controls is
to ensure that the IT
systems maintain
the integrity of
information and
security of data.
Page 8

GENERAL CONTROLS
The objective of general control is to provide a
control environment, which means an environment
that ensures the accuracy and reliability of
accounting data and records.
General controls include controls over the
following:

Organization
Control over systems development and maintenance
Operational control
Hardware and software controls

Page 9

ORGANIZATION
This mean first, the separation of IT department
from the accounting
department and other user departments.
This is also means the IT manager is responsible
only on the top
management of the company who has no
authority over computer
processing.
Second, there must be proper segregation of
duties within the IT
department itself.
Page 10

ORGANIZATION
The duties of the different personnel within the IT
department, are as
follows:
POSITION

FUNCTIONS

IT MANAGER

Manages the IT department. Everyone in the

IT departments reports to him.

SYSTEM
ANALYST

Monitor existing system; design new system;

provides systems and test specifications and
data for programmers

PROGRAMMER

Develops and documents test programs and

prepare flowcharts

Page 11

ORGANIZATION
POSITION
COMPUTER
OPERATOR

FUNCTIONS
Operates the computer hardware using
computer programs.

DATA CONTROL Serves as the point of communication with the

GROUP
user departments; monitors input; processing
and output and reviews all errors.
LIBRARIAN

Custody and physical control over computer

programs, data files and all documentations.
The librarian also needs to ensure :
1)The correct files are provided for specific
application.
2)Files are properly maintained
3)Backup and recovery procedures exist.
Page 12

CONTROL OVER THE SYSTEMS DEVELOPMENT AND

MAINTENANCE

The second aspect of general control relates to

the control over the planning, reviewing, testing
and approval of any new program and any
system.

Page 13

OPERATIONS CONTROL
This means control over access to computer
operations and systems. This includes control
over detection of errors and also control to
ensure that no unauthorized data is put into the
system. Operations control also include controls
to ensure that only proper programs are used.

Page 14

HARDWARE AND SOFTWARE CONTROL

In general terms hardware control means the

controls that are built into the computer by the
manufacturer. Such controls are aimed at
detecting errors caused by computer
malfunction.
The aim of software control is to provide for the
detection of errors in the program and to protect
the systems and the files from unauthorized
use. Also the control is aimed at the systematic
backup and recovery of data to prevent
manipulation and accidential loss.
Page 15

Examples of general controls.

1)Administrative controls: Controls over data centre and network
operations and access security; i.e. procedure manuals, job
scheduling, training and supervision, prevention of unauthorized
amendments to data files, backup and physical protection of
files and access controls such as passwords
2)System development controls System software acquisition,
development and maintenance; controls over application
development; use of test data to identify program code errors,
good system over program writing, segregation of duties so that
operators are not involved in program development, controls
over program changes, controls over installation and
maintenance of system software.
Page 16

APPLICATION CONTROLS

The objective of application controls are to

ensure completeness and accuracy of accounting
records validity of entries made resulting from both
manual and programmed processing.
Application
controls
consists of.

1) Input controls
2) Processing
controls
3) Output
controls
Page 17

INPUT CONTROLS
The control at the input level is important and
must be checked before the transactions are
processed.
Input control means first that the transactions
sent to the IT department for processing are :
a)Authorized
b)Accurate
c)Complete
d)Timely and
e)Presented only once
Second, any errors detected at the input level
must be corrected and resubmitted for processing.
Page 18

This aspect of application control should ensure

that the transactions are in order before they can
be accepted for processing.

Page 19

PROCESSING CONTROLS
The system should provide for accurate and timely
processing of the input data.
Computers are now programmed to perform the
checking which includes the completeness tests,
logic tests and control totals.
As such the control at this level should basically
incorporate the proper maintenance of the
computers. Any defects or errors found must be
duly corrected.

Page 20

OUTPUT CONTROLS
In addition to the input and processing controls, it
is necessary to have control at the output level to
ensure that the output data are valid.
Outputs include reports, cheques, documents and
other printed or displayed (on terminal screen)
information.
A number of controls should be present to minimise
the unauthorised use of output.
A report distribution log should contain a schedule
of when reports are prepared, the names of
individuals who are to receive the report, and the
date of distribution.
Page 21

One way to ensure validity is by the reconciliation

of the output total with the control total at the
input phase.
Another way is through review by a person who
knows what kind of output is expected from the
input.

Page 22

Examples of application controls:

Existence check e.g. that a supplier exists
Character check e.g. that there are no
alphabetical characters in a
sales invoice number field
Range check e.g. no employees weekly wage is
more than $2,000

Page 23

Thank You