CHAPTER 4: AUDITING IN CIS ENVIRONMENT (PSP_DAT5BJune2020)

CHAPTER 4 : AUDITING IN COMPUTERISED INFORMATION SYSTEM ENVIRONMENT

Group Members:

1.Muhammad Zaifan Hakim Bin Ramli (10DAT18F1084)

2.Nurfatin Nabila Bt Mawardi (10DAF18F1010)

3.Nur Fadhlin Bt Muhammad Fuzi (10DAT18F1022)

4.Nurdini Husna Bt Jamil Akhir (10DAT18F1024)

5.Nurul Hazniza Bt Kahar (10DAT18F1042)

WHAT IS CIS?

What is CIS?

- System that composed people & computers that processes or interprets infomation.

Objective of audit in CIS.

- True and fairness of the financial statements

Scope Of Audit under CIS Enviroment.

- Legislations, regulations & the approved auditing standards

Two categories in internal control

1) Application Control

 -To ensure the completeness & accuracy of input

Types of control

- Data capture controls

- Data validatio controls

- Processing control 

- Output control 

- Error control

2) General control

- develop, maintained & operated & how effective the operations of the programmed procedures

Types of control 

- Data centre & Network Operations 

- System software acquisition, charge & maintance

- Access security

- application systems acquisition development & maintance

Evaluation of Auditor on CIS enviroment

1) Audit round the machine 

2) Audit through the machine 

3) Computer assisted audit techniques (CAAT)

5 types of CAAT

- Generalised audit software 

- Custom audit software:Specific task

- Test data : specific a simulation transaction

- Integrated test facility : Dummy records is created

- Parallel simulation 

5 consideration in use of CAAT

- It knowledge, expertise & experience of the audit team

- The availability of CAAT & suitable computer facilities & data

- The impeactibility of manual test

- Effective & efficiency

- Timing

IT CONTROLS -  GENERAL VS APPLICATION CONTROLS

IT controls - General vs Application Controls

Categories of it control :

•   general controls 

•  Application controls

GENERAL CONTROLS

•  Make sure an organizations control environment is stable and well managed.

•  Examples include security, IT infrastructure, and software acquisition, development, and maintenance controls.

APPLICATION CONTROLS

•  Prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, stored, transmitted to other systems, and reported.

IT infrastructure for someone to be able to :

•  Data security

•  Program change mgt

•  Disaster recovery

•  Environmental protection

•  Telecommunications

•  Database administration

•  System development methodology

•  Operations

•  Access controls

•  Operating system software

•  Physical security

IT general controls vs IT application controls :

•  Reliance to AC (application controls) depends directly on the design and operating effectiveness of GC ( general controls)

•  The design of general controls depends direct on the application controls requirement and the design of ERM

•  There is a direct correlation b/w complexity of transactional and support applications and the availability use and reliance on inherent and configureable application controls

•  Degree of application complexity will drive scoping, implementation, level of effort, and knowledge required to execute an applicaton controls review, as well as the degree to which internal auditors can assist in a consulting capacity

  SEGREGATION OF DUTIES :

•  Account receiveable :

•  A/R CLARK- post journal

•  A/R MANAGER- request adjusting journal

•  FINANCIAL CONTROLER- approve adjusting journal

HOW TO AUDIT CIS - VIDEO 1

AUDITING IN A COMPUTERIZED ENVIRONMENT

•  In a computerized environment it is expected that the auditor should satisfy himself that the controls are adequate enough to produce accurate and complete financial statements.

•  In recent years, there has been development in the use of computers as a means of keeping the accounting records and producing financial information.

•  This trend has brought about significant changes in the way the organisations process, store data, and disseminate information.

•  In planning the portions of audit which may be affected by the clients environment the auditor should obtain and understanding of computerised information system activities and the availability of data for use in the audit.

COMPUTERISED ENVIRONMENT INCLUDES THE FOLLOWING :

•  Hardware (CPU , monitor, printers, zip drive, scanners)

•  Software (operating systems, database, application software)

•  The transmission media (wires, optical fiber cables , and microwave links)

•  Network device (modems, gateways)

CHARACTERISTICS OF COMPUTER INFORMATIONS SYSTEMS

•  Speed

•  Accuracy

•  Diligence.

•  Versatility

•  Reliability.

•  Automation.

•  Memory

A computer has built-in memory called primary memory where it stores data. Secondary storage are removable devices such as CDs, pen drives, etc., which are also used to store data.

CONSISTENCY OF PERFORMANCE

•  CIS performs function exactly as programmed.

EASE OF ACCESS TO DATA AND COMPUTERED PROGRAMS

•  In CIS environment, data and computer programs may be accessed and altered by unauthorized persons leaving no visible evidence.

CONCERTRATION OF DUTIES

•  Proper segregation of duties is an assential characteristic of a sound internal control system.

SYSTEMS GENERATED TRANSACTIONS

•  Certain transactions maybe initiated by the CIS itself without the need for an input document.

VULNERABILITY OF DATA AND PROGRAM STORAGE MEDIA

•  In a manual system, the records are written in ink on substantial paper.

INTERNAL CONTROL IN A CIS ENVIRONMENT

•  Many of the control procedures used in manual processing also apply in a CIS Environment.

•  Control procedures : 

-  Authorization of transactions

-  Proper segregation of duties

-  Independent checking

•  Organizatinal control 

-  Include segregation between the user and CIS department, and segregation of duties within the CIS department.

a.  Segregation between CIS and user departments :- CIS department must be independent of all departments within the entity that provide input data or that use output generated by the CIS department.

b.  Segregation of duties within the CIS department – functions whithin the CIS department :- should be properly segregated for good organizational controls.

•  Systems development and documentation controls

-  Software development as well as changes there of must be approved by the appropriate level of management and the user department

•  Access controls

-  Every computer should have adequate security controls to protect equipment, files and programs.

•  Data recovery controls

-  Provides for the maintenance of back-up files and off-site storage procedures.

•  Monitoring controls

-  Are designed to ensure that CIS controls are working effectively as planned.

APPLICATION CONTROLS

•  The processing of transaction involves three stages : the input, processing, and output stage

•  Controls over input

-  Input controls are designed to provide reasonable assurance that data submitted for processing are complete, properly authorized and accurately translated into machine readable form.

•  Controls over processing

-  Are designed to provide reasonable assurance that input data are processed accurately, and that data are not lost, added, excluded, duplicated or improperly changed

•  Controls over output

-  Are designed to provide reasonable assurance that the results of processing are complete, accurate, and that these outputs are distributed only to the authorized personnel.

TEST OF CONTORL IN CIS

•  Involves evaluating the client’s internal control policies and procedures to determine if they are functioning as intended.

•  Auditors must perform tests of controls if they intended to rely on the client’s internal control.

•  Accordingly, the methods empliyed by the auditor in testing the control may also be affected.

•  In testing application controls, the auditor may either audit around the computer assisted audit techniques.

AUDITING AROUND THE COMPUTER

•  Is similar to testing control in a manual control stucture in that it involves examination of documents and reports to determine the reliability of the system.

•  Input documents and the CIS output. Input data are simply reconciled with the computer output to verify the accurancy of processing.

•  Based on the assumption that if the input reconciles with the output, then the computer program must have processed the transaction accurately.

•  Blackbox approach – visible input documents and detailed output that will enable the auditor to trace individual transactions back and forth.

COMPUTER ASSISTED AUDIT TECHNIQUES

•  When computerized accounting systems perform tasks for which no visible evidence is avaiable, it may be implacticable for the auditor to test manually

•  Computer programs and data which the auditor uses as part of the audit procedures to process data of audit significance in an entity’s info system.

•  Commonly used  :

-  Test data

-  Integrated test facility

-  Parallel simulation

•  Snopshots 

-  Involves taking a picture of a transaction as it flows through the computer systems.

•  System control audit review files 

-  Embedding audit software mdules within an application system to provide continuous monitoring of the system transactions

HOW TO AUDIT CIS - VIDEO 2

Characteristic 

1. Lack of visible transaction trails

2. Consistency of performance

3. Ease of access to data and computer programs

4. Concentration duties

5. System generated transaction

6. Vulnerability of data and program

Objective

To determine whether the client computer programs can correctly handlevalid and invalid conditions as they arise.

COMPUTER ASSOTED DATES TECHNIQUE (CAATs)

1. Test Data- To Test the effectiveness  of the internal control procedures

2. Integrated test facility

3. Parallel simulation – The simultaneous performance of multiple operations provide evidence of the validity of processing

4. Snapshot – Invaves taking a picture of a transaction

5. System control Audit Review Files – Involves embedding audit software modules within an application system to provide contionous monitoring of the system transactions.

INTERNAL CONTROL IN A CIS ENVIRONMENT 

General Controls

1. Organization Controls

2. System development and documentation controls

3. Access controld

4. Data recovery controls

5. Monitoring Controls

Application Controls

1. Controls per input

2. Controls over processing 

3. Controls over output

QUESTIONS:

1. List 2 categories in internal control 

2. List 5 types of CAAT

3. list categories of controls

4. describe general controls and application controls

5.List characteristic of CIS.

6.Explain auditing in a computerized environment based on the video

7..List 3 of characteristic audit CIS and explain

8.Give 2 types of internal control in CIS environment