Auditing

Cards (42)

  • Characteristics of Computer Information Systems (CIS)
    • Lack of visible transaction trails
    • Consistency of performance
    • Ease of access to data and computer programs
    • Concentration of duties
    • Systems generated transactions
    • Vulnerability of data and program storage media
  • Lack of visible transaction trails
    In a manual system, it is normally possible to follow a transaction through the system by examining source documents, entity's records, and financial reports. In a CIS environment, data can be entered directly into the computer system without supporting documents. Furthermore, records and files may not be printed and cannot be read without using the computer. The absence of these visible documents, supporting the processing of transactions, makes the examination of evidence more difficult.
  • Consistency of performance
    CIS performs functions exactly as programmed. If the computer is programmed to perform a specific data processing task, it will never get tired of performing the assigned task in exactly the same manner. Because of this capability of the computer to process transactions uniformly, clerical errors that are normally associated with manual processing are eliminated. On the other hand, an incorrect program could be very devastating because it will result in consistently erroneous data processing.
  • Ease of access to data and computer programs
    In a CIS environment, data and computer programs may be accessed and altered by unauthorized persons, leaving no visible evidence. It is important, therefore, that appropriate controls are incorporated into the system to limit access to data files and programs only to authorized personnel.
  • Concentration of duties
    Proper segregation of duties is an essential characteristic of a sound internal control system. However, because of the ability of the computer to process data efficiently, there are functions that are normally segregated in manual processing that are combined in a CIS environment. A properly programmed computer, on the other hand, has no tendency or motivation to commit irregularities or conceal its errors. Hence, what appears to be an incompatible combination of functions may be combined in a CIS environment without weakening the internal control, provided appropriate compensating controls are put in place.
  • Systems generated transactions
    Certain transactions may be initiated by the CIS itself without the need for an input document. For example, interest may be calculated and charged automatically to customers' account balances on the basis of pre-authorized terms contained in a computer program.
  • Vulnerability of data and program storage media
    In a manual system, the records are written in ink on substantial paper. The only way to lose the information is to lose or destroy the physical records. The situation is completely different in a CIS environment. The information on the computer can be easily changed, leaving no trace of the original content. This change could happen inadvertently, and a huge amount of information can be quickly lost.
  • Internal Control in a CIS Environment
    • Many of the control procedures used in manual processing also apply in a CIS environment. Examples of such control procedures include authorization of transactions, proper segregation of duties, and independent checking. The elements of internal control are the same; the computer just changes the methods by which these elements are implemented.
  • Types of internal controls in a CIS environment
    • General controls
    • Application controls
  • General controls
    • Organizational controls
    • Systems development and documentation controls
    • Access controls
    • Data recovery controls
    • Monitoring controls
  • Organizational controls
    There should be a written plan of the organization, with clear assignment of authority and responsibility. In a CIS environment, the plan of an organization for an entity's computer system should include segregation between the user and CIS department, and segregation of duties within the CIS department.
  • Positions and responsibilities in the CIS department
    • CIS Director - Exercises control over the CIS operation
    • Systems Analyst - Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers
    • Programmer - Guided by the specifications of the systems analyst, the programmer writes a program, tests and debugs such programs, and prepares the computer operating instructions
    • Computer Operator - Using the program and detailed operating instructions prepared by the programmer, computer operator operates the computer to process transactions
    • Data Entry Operator - Prepares and verifies input data for processing
    • Librarian - Maintains custody of systems documentation, programs and files
    • Control Group - Reviews all input procedures, monitors computer processing, follows up on data processing errors, reviews the reasonableness of output, and distributes output to authorized personnel
  • Optimal segregation of duties dictates that each of the above tasks should be assigned to different employees. However, some entities may not have enough resources to maintain a large CIS department.
  • In small entities, with a limited number of personnel, there are some functions that may be combined. But as a minimum, the functions of systems development and computer operations must be segregated.
  • Systems development and documentation controls
    Software development as well as changes thereof must be approved by the appropriate level of management and the user department. To ensure that computer programs are functioning as designed, the program must be tested and modified, if needed, by the user and CIS department. Moreover, adequate systems documentation must be made in order to facilitate the use of the program as well as changes that may be introduced later into the system.
  • Access controls
    Every computer system should have adequate security controls to protect equipment, files, and programs. Access to the computer should be limited only to operators and other authorized employees. Additionally, appropriate controls, such as the use of passwords, must be adopted in order to limit access to data files and programs only to authorized personnel.
  • Data recovery controls
    Computer files can be easily lost and the loss of these files can be disastrous to an entity. The survival of an entity affected by such disaster depends on its ability to recover the files on a timely basis. A data recovery control provides for the maintenance of the back-up files and off-site storage procedures. Computer files should be copied daily to tape or disks and secured off-site. In the event of disruption, reconstruction of files is achieved by updating the most recent back-up with subsequent transaction data.
  • Monitoring controls
    Monitoring controls are designed to ensure that CIS controls are working effectively as planned. These include periodic evaluation of the adequacy and effectiveness of the overall CIS operations, conducted by persons within or outside the entity.
  • Application controls
    • These are designed to provide reasonable assurance that all transactions are authorized, and that they are processed completely, accurately and in a timely manner. These include control over input, control over processing, and control over output.
  • Control over input
    Input controls are designed to provide reasonable assurance that data submitted for processing are complete, properly authorized, and accurately translated into machine-readable form. Examples include key verification, field checks, validity checks, and self-checking digits.
  • Input controls
    Designed to provide reasonable assurance that data submitted for processing are complete, properly authorized, and accurately translated into machine-readable form
  • Key verification
    Requires data to be entered twice (usually by different operators) to provide assurance that there are no key entry errors committed
  • Field check
    Ensures that the input data agree with the required field format
  • Validity check
    Information needed is compared with valid information in the master file to determine the authenticity of the input
  • Self-checking digit
    A mathematically calculated digit which is usually added to a document number to detect common transpositional errors in data submitted for processing
  • Limit check
    Designed to ensure that data submitted for processing do not exceed a pre-determined limit or a reasonable amount
  • Control totals
    Totals computed based on the data submitted for processing to ensure the completeness of data before and after they are processed
  • Processing controls
    Designed to provide reasonable assurance that input data are processed, and that data are not lost, added, excluded, duplicated or improperly changed
  • Output controls
    Designed to provide reasonable assurance that the results of processing are complete and accurate, and that these outputs are distributed only to authorized personnel
  • The effectiveness of the general CIS controls is essential to the effectiveness of CIS application controls
  • Test of controls in a CIS environment
    Evaluating the client's internal policies and procedures to determine if they are functioning as intended
  • The auditor's objectives and scope of the audit do not change in a CIS environment
  • Auditing around the computer
    Involves examination of documents and reports to determine the reliability of the system, without directly examining the computer program
  • Computer Assisted Audit Techniques (CAATs)
    Computer programs and data which the auditor uses as part of the audit procedures to process data of audit significance contained in an entity's information systems
  • Test data
    Auditor prepares fictitious transactions with valid and invalid conditions, enters them into the system, and compares the output to expected results
  • Integrated Test Facility (ITF)
    Auditor creates a dummy or fictitious employee or other appropriate unit for testing within the entity's computer system, and processes test data simultaneously with the client data
  • Parallel simulation
    Auditor writes a program to reprocess transactions that were previously processed by the client's program, and compares the results
  • Snapshots
    Auditor embeds audit software routines at different points in the processing logic to capture the images of the transaction as it progresses through the various stages of processing
  • System control audit review files (SCARF)
    Auditor embeds audit software modules within an application system to provide continuous monitoring of the system's transactions