
Auditing in CIS Environment

1. What is the scope/requirement of audit in CIS

1. High speed: In CIS, information is generated quickly.
Complex reports in specific formats are generated
without much loss of time, thereby leaving time for the
auditor to expand his substantive procedures for
collection of more evidence in support of their
2. Low clerical error: Computer operations, being
systematic and sequential, considerably reduce the
chances of errors.
3. Concentration of duties: Computer systems can
perform more than one set of activities at a time,
thus concentrating the duties of several personnel.
4. Shifting of internal control base:
A. Application system development control: System
development control should be designed to provide
reasonable assurance that the system is developed in an
authorized and efficient manner. It establishes
control over the process of:
Testing, conversion, implementation and
documentation of new system.
Changes to application system
Access to system documentation
Acquisition of application system from third

B. System software control: System software control
should be designed to provide reasonable assurance
that system software is acquired or developed in an
authorized and efficient manner, including:
Authorization, testing, implementation and
documentation of new system software.
Access to system software and documentation by
authorized personnel only.
5. Disappearance of manual reasonableness: The shift
from a physical system to a CIS environment deletes or
modifies certain stages to create a focused computer
system. In such a creative effort, manual
reasonableness may be missing.
6. Impact of poor system: If a new system falls short of
expected standards of performance, it may do more harm
than good to business operations. Adequate controls
are a must when switching manual operations to
computerized operations.
7. Exception reporting: It is a part of the Management
Information System. In exception reporting, the value
of a variable is reported if it lies outside a
predetermined normal range. Its main feature is that only
effective information is provided.
8. Man-machine interface: Every organization aims to
provide information to its users in the most
uncluttered way. The man-machine interface makes the
system interactive for human use.
2. What is the impact of changing from manual to
electronic medium on business processes?

1. Primary changes
i. Process of recording transactions: In a manual
system, transactions are recorded sequentially in
different books, whereas in a CIS environment all
three processes (prime book of entry, ledger and
final accounts) are carried out simultaneously.
ii. Form of accounting records: Accounting records
prepared in a CIS environment are much more
radical than manual records.
iii. Use of accounting codes: In a CIS environment,
alphanumeric codes are extensively used to represent
names and descriptions. Both accountant and
auditor must get themselves familiarized with such
iv. Use of loose-leaf stationery: In CIS, magnetic
tapes, floppy disks and diskettes replace traditional
records, and loose-leaf stationery replaces bound
handwritten records. Proper control over these is a
must to prevent unauthorized destruction and
v. Absence of link between transactions: The audit
trail is almost lost under CIS working because
of the absence of cross-references between basic
documents, primary records and principal records,
making it difficult for the auditors to trace the
2. Recent changes:
i. Unintentional errors may creep into the system due to
inexperienced persons.
ii. Improper use of DSS may have serious
Use of sophisticated audit software is necessary.
Auditors participation in SDLC process is
Data communication and networking have added a
new risk.
The move towards paperless EDI would eliminate
much of the traditional audit trail, thereby
changing the nature of audit evidence.

3. What is the audit approach in a CIS environment?

Answer: It is based on the knowledge and experience of
auditors in handling computerized data. It could be:
Black box approach: Auditing around the
The focus is on input and output, and it ignores the
specifics of how the computer processes the data. If the
input matches the output, it is presumed that processing of
all transactions is correct.
Its advantage is that it is easy to comprehend because it
does not require in-depth study of application
I. Unless controls are tested, assertions cannot be
made about underlying processes.
II. In some computer systems immediate printouts
may not be available to make required
White box approach: Auditing through the
The focus of the audit is on the following controls:
I. Input controls
II. Processing control
III. Storage control
IV. Output control
V. Data transmission control

For this approach, the auditor needs to have sufficient
knowledge of computers to plan, supervise and review
the work performed. Audit software is used.
Other areas of auditing include:
1. Controls over prevention of unauthorized access to
computer and database.
2. Segregation of functions among staff.
4. What are the different types of computer systems?

System configuration
Processing system
System configuration



Large computer systems: The processing tasks of
multiple users are performed on a single centralized
computer. All inputs move directly from the
terminal to the central processor and, after processing,
go back to the users.
Stand-alone personal computers: A stand-alone personal
computer is neither connected to nor communicates with
another computer system. Computing is done by an
individual. All input data and its processing are on the
machine itself. Most business accounting is
done on personal computers.
Network computing system: A group of
interconnected systems sharing services and
interacting via shared communication links. Networks
share hardware and software resources.
Hardware resources include:
a) Client server: Client server is dedicated to
perform specific tasks to support other
computers on the network.
b) File server: It stores, retrieve and move data.
c) Message server: It provides a variety of
communication methods, which take the form of
graphics, digital audio and video, etc.
d) Database server: Most databases are
client-server based. It provides a powerful facility
to process data.
e) Print server: It manages print services on the
Software resources include:
Classification of network on the basis of area covered:
Local Area Network: In a LAN, two or more
computers are connected in a room or office through
a cable. One of the computers acts as a server and
stores programs and data files, and these resources
are accessed by the other computers forming part of
the LAN. Through a LAN, programs, data and physical
resources can also be shared.
Wide Area Network: A network that employs public
telecommunications facilities to provide users with
access to the resources of centrally located computers.
When a LAN extends across a metropolitan area using
WAN technology, it is called a Metropolitan Area
c) Distributed data processing: It consists of hardware
located at at least two distinct sites, connected
electronically by telecommunications, where
processing and data storage occur at more than one
site. The main computer and decentralized units
communicate via communication links.
Electronic Data Interchange (EDI): The transfer of
electronic data from one organization's computer
system to another's, the data being structured in a
commonly agreed format so that it is directly usable
by the receiving organization's computer system.
Benefits of EDI system:
a) Speed of inter organization transactions is
b) Paperwork in transactions is eliminated.
c) Cost of transaction processing is reduced as
much of the human intervention is removed.
d) Reduced human involvement reduces errors.
Processing System

I. Batch Processing
i. Transactions are accumulated and processed in
ii. Count totals are derived to ensure complete and
accurate processing.
iii. Two types of files are maintained: batch file and
master file.
iv. Updating doesn't take place as quickly as in OLRT
v. This is a simple system, but nowadays it is rarely
found due to the availability of advanced and quick
II. Online Real Time Processing
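
The batch controls listed above can be shown as a reconciliation step that runs before the master file is updated. This is an added example, not part of the original notes; it goes beyond the record count mentioned there by also checking an amount total and a hash total, and the field names (`account`, `amount`) and sample values are assumptions.

```python
from decimal import Decimal

def control_totals(records):
    """Record count, amount total and hash total for a list of transactions."""
    return {
        "count": len(records),
        "amount": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: sum of account numbers. Meaningless as a figure, but it
        # changes when a record is keyed or posted to the wrong account.
        "hash": sum(int(r["account"]) for r in records),
    }

def reconcile(header, records):
    """Return {total: (expected, actual)} for every control total that differs."""
    actual = control_totals(records)
    return {k: (header[k], actual[k]) for k in header if header[k] != actual[k]}

def post_batch(master, header, records):
    """Update the master file only if the whole batch reconciles."""
    diffs = reconcile(header, records)
    if diffs:
        return master, diffs              # batch rejected, master untouched
    updated = dict(master)
    for r in records:
        acct = r["account"]
        updated[acct] = updated.get(acct, Decimal("0")) + Decimal(r["amount"])
    return updated, {}

# Constructed sample data (not from the original notes).
BATCH = [
    {"account": "1001", "amount": "250.00"},
    {"account": "1002", "amount": "-75.50"},
    {"account": "1003", "amount": "1200.00"},
]
HEADER = control_totals(BATCH)            # totals taken when the batch was prepared
MASTER = {"1001": Decimal("500.00"), "1002": Decimal("100.00"),
          "1003": Decimal("0.00")}
DROPPED = BATCH[:2]                       # one record lost before processing
# Same count and amount, wrong account: only the hash total differs.
MISPOSTED = BATCH[:2] + [{"account": "1004", "amount": "1200.00"}]

if __name__ == "__main__":
    for name, run in (("clean", BATCH), ("dropped", DROPPED),
                      ("misposted", MISPOSTED)):
        print(name, post_batch(MASTER, HEADER, run)[1])
```
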

Effects of computers on Internal Control

1. Separation of duties: In a manual system, different
persons execute different business processes,
whereas a computer can perform varied jobs at a
time. Some programs allow a user to change a data
entry without providing a record of the change. It
becomes difficult to determine whether
incompatible functions have been performed by
system users.
2. Delegation of authority and responsibility: It is
difficult to establish a clear line of authority, as
some of the resources are shared among
multiple users. When multiple users have access,
data integrity is violated.
3. System of authorization: There are two kinds of
authorization policies:
General authorization complying with
company policies
Specific authorization for individual
transactions. In CIS, authorization procedures
are embedded within computer programs, so the
auditor is required to examine the work of
employees as well as the veracity of program
4. Adequate documents and records: In adequately
maintained records in a CIS environment, audit
trails are more extensive compared to a manual
system. However, not all computer systems are
well designed to maintain a record at each stage.
This creates serious control problems.
5. Physical control over assets and records: In CIS,
information system assets and records are
concentrated in a single site. This may increase
the losses that arise from computer abuse or
6. Management supervision: Supervisory controls
are to be built into computers. Activities can be
electronically controlled by managers by
periodically accessing the audit trail of employees'
activities and examining whether the system is used
for authorized actions.
7. Independent checks on performance:
8. Periodic reconciliation of assets with records: In
CIS, software is used to prepare data for
comparison purposes. If unauthorized
modifications are made to the program or the data
file, the irregularity will not be discovered, because
the traditional separation of duties no longer applies
to the data being prepared for comparison
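
The review of the audit trail described under items 1 and 6 can be automated with two checks: one user performing incompatible functions on the same transaction, and a data entry whose current value does not match the last value the trail recorded. This is an added example, not part of the original notes; the event fields, the incompatibility policy and the sample records are assumptions.

```python
from collections import defaultdict

# Functions one person should not perform on the same transaction
# (assumed policy for this example).
INCOMPATIBLE = {frozenset({"enter", "approve"}), frozenset({"approve", "pay"})}

def incompatible_functions(trail):
    """Return sorted (txn, user, function_a, function_b) where one user did both."""
    done = defaultdict(set)                      # (txn, user) -> functions performed
    for e in trail:
        done[(e["txn"], e["user"])].add(e["action"])
    findings = []
    for (txn, user), actions in done.items():
        for pair in INCOMPATIBLE:
            if pair <= actions:                  # both functions of the pair present
                findings.append((txn, user, *sorted(pair)))
    return sorted(findings)

def unrecorded_changes(trail, data_file):
    """Return {txn: (last_logged_amount, current_amount)} where the two differ."""
    logged = {}
    for e in trail:                              # trail is assumed to be in time order
        if e["action"] in ("enter", "change"):
            logged[e["txn"]] = e["amount"]
    return {t: (logged.get(t), amt) for t, amt in data_file.items()
            if logged.get(t) != amt}

# Constructed audit trail and data file (not from the original notes).
TRAIL = [
    {"txn": "T1", "user": "asha", "action": "enter", "amount": "400.00"},
    {"txn": "T1", "user": "ravi", "action": "approve"},
    {"txn": "T2", "user": "asha", "action": "enter", "amount": "900.00"},
    {"txn": "T2", "user": "asha", "action": "approve"},
    {"txn": "T3", "user": "ravi", "action": "enter", "amount": "150.00"},
    {"txn": "T3", "user": "ravi", "action": "change", "amount": "175.00"},
    {"txn": "T3", "user": "meena", "action": "approve"},
]
DATA_FILE = {"T1": "400.00", "T2": "9000.00", "T3": "175.00"}

if __name__ == "__main__":
    print(incompatible_functions(TRAIL))
    print(unrecorded_changes(TRAIL, DATA_FILE))
```
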
Effects of computers on auditing
The major effect of computers on auditing concerns the
collection and evaluation of evidence.
1. Changes to evidence collection: New controls in a CIS
environment are:
a) Accurate and complete operation of disk
drives requires hardware controls.
b) System development controls over
procedures for testing programs.
c) Auditors are required to keep themselves updated
with newly evolving technology in
hardware and software, or else it will become
difficult to evaluate the reliability of the
communication network.
d) Auditors are required to keep themselves
updated with audit software for collection of
evidence in a CIS environment.
2. Changes to evidence evaluation: Auditors need to
a) Whether the control is functioning reliably or
malfunctioning
b) Tracing the control strength or weakness
through the system. As in a shared data
environment a single input transaction updates
multiple data items, which is difficult to
c) Consequences of errors in a computer system are a
serious matter, as the cost to correct and rerun the
program may be very high. Thus auditors are
required to ensure that these controls are
sufficient, in position and functioning.
Consideration of control attributes by the auditors
a) Whether control is in place and functioning as
b) General control versus specific control with
respect to types of errors and irregularities
General controls cover a wide variety of errors and
irregularities and are more robust, whereas
specific controls cover a smaller variety of activities.
E.g.: application sub system.
c) Whether the control acts to prevent, detect or
correct errors.
Preventive controls: which stop errors from
Detective controls: which identify errors after
they occur
Corrective controls: which remove the effect
of errors after they have been identified.
Auditors expect a higher intensity of preventive
controls at early stages of processing and more
detective and corrective controls at later stages of
system auditing.
d) Number of components used to execute the
control. Multi-component controls are more
complex and more error-prone, but they are
used to handle complex errors and