computerised information system (cis)

7/26/2019 Computerised Information System (CIS)

1/41

NAME IC MATRIC CARD

ANIS FARHANA BINTI MOHD FANSURI 940825-07-5526 A13HA0006

ROMALINA SYAFIQA BINTI ROSLI 940124-11-5302 A13HA0150

NURUL HISYAFIKA BINTI OTHMAN 940117-03-6024 A13HA0135

FELISHA ONAH A!" B# RAANDRA "RAKASH 920315-01-5824 A14HA0025

NORKHA$MA%ANI BT# MIN 910611-11-5062 A13HA0097

ADILAH BINTI BUAN& 940108-08-5908 A13HA0001

NURUL SHAHIRA BINTI BAHARUDIN 941123-01-5902 A13HA0141

COMPUTERISED

INFORMATION SYSTEM(CIS)


2/41

AUDIT OBJECTIVE AND SCOPE OF WORK IN

COMPUTERIZED ENVIRONMENT

Audit objective the audit objective will not change, as the auditor mustobtain sufficient appropriate audit evidence to

draw reasonable conclusions on which to base the audit opinion.

The overall objective and scope of an audit does not change in a CIS environment.

Accordingly, a CIS environment may affect

a. the procedures followed by the auditors in obtaining a sufficient understanding of the

accounting and internal control systems!

b. the consideration of inherent ris" and control ris" through which the auditors arrive atthe ris" assessment! and

c. the auditors# design and performance of tests of control and substantive procedures

appropriate to meet the audit objective.

$Auditing in a computer environment , C%A, &uly '()*+

Statement f Auditing Standards -)( Auditing in a Computer Information System nvironment $Issued &anuary )//0! revised &anuary '((1


3/41

INTERNAL

CONTROL REDUCEIT RISK


4/41

nternal

control

reduce T

risks

General

control

Application

control

Administration o

t!" IT #n$tion

S"%aration o IT

d#ti"s

S&st"m

d"'"(o%m"nt

P!&si$a( and on(in"

s"$#rit&Ba$)#% and

$ontin*"n$&

%(annin*

+ard,ar" $ontro(

O#t%#t Contro(s

Pro$"ssin*Contro(s

In%#t Contro(s


5/41

The boar o! irector"# an #enior$ana%e$ent attit'e abo't IT

eect the perceie i$portance o!IT *ith an or%ani+ation,

IT #teerin% co$$ittee to help

$onitor the or%ani+ation IT nee#

Se%re%ation o! 'tie# (*ellcontrolle or%ani+ation re#pon b-#eparatin% .e-# 'tie# *ith IT)i, IT $ana%e$ent ii, S-#te$eelop$ent

iii, Operation i, Data control

Separation o!IT 'tie#

A$ini#trationo! IT !'nction


6/41

Purchasing software or developing

in house software that meet theorganization need.Testing all software to make surethe new software is compatible with

existing hardware & software anddetermine the ability of software tohandle the transaction.i. Pilot testing : testing at one

department by one departmentii. Parallel testing : the old & new

system work simultaneously in alllocation.

System

development


7/41

Physical and online

security

Physical control over computer and restriction t onlinesoftware and related data le decrease the risk ofunauthorized change to program and improper use of

program and data les.i. Physical control : security camera badge!entry

system keypad entrance security personnelii. "nline access control : proper user #$s password

control access

Backup and

contingency planning

%attery backup or on!site generator"!site storage of critical software and data le or outsourcing to rm that specialized in secure data storage.


8/41

Hardware

control

%uild into computer e'uipment bymanufacturer to detect and report

e'uipment failure


9/41

APPLICATION

CONTROLS


10/41A

PPICA

TIONCONTR

OLS

INPUT CONTROLS

PROCESSIN- CONTROLS

OUTPUT CONTROLS


11/41

Application controls are those controls that pertain tothe scope of individual processes or application systems

$esign for each software application to satisfy the six

transaction!related audit ob(ectives.)existence completenessaccuracy classication timing and posting & summarization*

They include data edits separation of business functionsbalancing of processing totals transaction logging anderror reporting

APPLICATION CONTROL


12/41

$one by client

personnel +ectiveness

depends oncompetency of

person.

MANUALCONTROLS

$one by computers ,ead to consistent

operation controlAUTOMATED

CONTROLS


13/41

INPUT CONTROLSTO ENSURE T/E INFORMATION ENTERED

INTO A COMPUTER IS AUT/ORI0ED1ACCURATE AND COMP2ETE,

BATC+ INPUT CONTROLS

FINANCIAL

TOTAL+AS+

TOTAL

RECORDTOTAL


14/41

PROCESSIN- CONTROLS

TO PREVENT .DETECT AND CORRECT

PROCESSIN- ERRORS W+ILE

TRANSACTION DATA ARE

PROCESSED/


15/41

T-P+ "P/"0+11#2

30"2T/",1

DATAREASONABLENESS

TEST

ARIT+METICACCURAC0 TEST

SE1UENCE TEST

VALIDATION TESTCOMPLETENESS

TEST


16/41

OUTPUT CONTROLS2 ocus on detecting errors after processing is

completed2 +xample of controls :

! reconcile computer!produced output tomanual control total

! 0ompare a sample of transaction outputto input source document ! 4erify dates and time of processing to

identify any out! of ! se'uence processing


17/41

AUDITOR EVALUATION ON

INTERNAL CONTROL S0STEM

2 Internal control2 4ital to make our business more smoothly e5ciently and

eectively be done

2 Ai$#2 To protect business asset2 6ore to prevention rather than detection

2The well designed internal control system includes:

2 0ontrol environment ri#. a##e##$ent and test of thecontrol activities


18/41

ASSESSIN- RISK OF

INFORMATION S0STEM/#17 T" 89$9/+ 92$ $9T9

/+$;0+$ 9;$#T T/9#,

2++$ "/ +


19/41

RISK TO +ADWARE AND DATA

/eliance on the functioningcapabilities of hardware and

software

1ystematic versus random error

;nauthorized access

,oss of data


20/41

REDUCED AUDIT TRAIL

La$) o traditiona( a#t!ori2ation

Visi3i(it& o A#dit trai(

R"d#$"d !#man in'o('"m"nt

AUDIT TRAIL 4

1ystem that traces the detailedtransaction relating to any itemin accounting record


21/41


22/41

AUDITIN- AROUND

AND T+ROU-+T+E COMPUTER


23/41


24/41

9uditor will bypass computer system and will not check forexistence and>or operating eectiveness of controls in processingdata therefore auditor may use any one or combination of the

following methods:?. "utput oriented method@. #nput oriented method


25/41

INPUT ORIENTED MET+OD

2 1ample select source documents )input* that are fed in tothe computer system for processing and auditorindependently processes the inputs using his owncomputer system or software and then compare theoutputs generated by auditor=s computer system withthe output generated by the client=s computer system to

conrm accuracy completeness and other assertions.

2 9uditor=s processing may be manually done withoutgetting any assistance of the computer.

2 or example client=s system reports that cash bookbalance reconciles with bank balance as per bankstatement. 9uditor may conduct his own reconciliation toconrm whether it is true.


26/41

OUTPUT ORIENTED MET+OD

2 1ample select the information generated by thecomputer system )output* and compare it with auditor=s

ideal system or information gathered from other sources

or evidence collected by the auditor by the application ofother audit procedures.

2 or example comparing receivables balances with thestatement of accounts received from customers or

comparing stock records with reports of inventory counts


27/41

AUDITIN- T+ROU-+ T+E

COMPUTER2 4arious steps taken by auditors to evaluate client=s

software and hardware to determine the reliabilities of

operation

2 9uditor use A categories of testing approaches as follow2 Test $ata 9pproach2 Parallel 1imulation

2 +mbedded 9udit 6odule 9pproach


28/41

TEST DATA APPROAC+

2 9uditor process their own test data using the client=scomputer system and application program to determine

whether the automated controls correctly process the

test data.

2 0onsiderations:2 Test should include all relevant conditions that auditor

wants to test.

2 9pplication programs tested by auditor=s test data must bethe same as those the client used.

2 The test data 6;1T be eliminates from client=s records.


29/41

PARALLEL SIMULATION

2 9uditor are using auditor controlled software to do thesame operation that the client=s software does using the

same data les. )+xp: 3eneralized 9udit 1oftware )391**

2 391 used to test automated controls.

2 3as used to varify client account balances.


30/41


31/41

EMBEDDED AUDIT MODULE

APPROAC+2 +mbedded audit modules are sections of application

program code that collect transaction data for the

auditor.2 9uditors insert an audit module in the client=s application

system to identify specic types of transaction.

2 +xample: 9ll transactions aecting a specic account that

are in excess of /6BCC CCC are automatically selected.


32/41

COMPUTER SSISTED UDIT

TEC+NI1UES

7C TS8

A#dit sot,ar" T"st data

+mbedded auditfacilities )+9s*9pplicationprogramexamination

Ot!"r t"$!ni9#"s

Packaged programsPurpose writtenprograms+n'uiry programs

9udit testdata#ntegratedtest facilities


33/41

2 0aat=s are computer programs and data thatthe auditor uses as part of the audit proceduresto process data of audit signicance containedin a client computer information system )0#1*

CAATs


34/41

AUDIT SOFTWARE2 9udit software is a general term used to parsing

computer programs designed to carry out tests

of control and>or substantive procedures. 1uch

programs may be classied as:


35/41

23, Pac.a%e pro%ra$#2The program are not Dclient specic= because it

will apply at all client that audit engage. Theseprogram also consist of pre!prepared generalised

programs used by auditors. They may be used tocarry out numerous audit tasks for example toselect a sample in supplier lists.


36/41

:

, P'rpo#e *ritten pro%ra$#2These programs are function as tests of control orsubstantive procedures and usually for Dclientspecic=.

20lient can buy or developed audit software but inorder to develop or buy the software there have thethings that should considerE they need to ensure

that specied programs are appropriate for aclient=s system and the needs of the audit.

2Typically they may be used to re!performcomputerised control procedures )for example costof sales calculations* or perhaps to carry out an

aged analysis of trade receivable )debtor* balances.


37/41

24, En5'ir- pro%ra$#2These programs are normally focusing to the

client=s accounting systemE however this programmay be adapted for audit purpose as well.

2 or example where a system provides for theroutine reporting on a Dmonthly= basis ofproduction of output such as nish goods work inprocess and the defect item this facility may beutilised by the auditor when auditing theinventories records in the client=s nancialstatements.


38/41

TEST DATA3, A'it te#t ata

2 9n application program used by an audit client normally will betest by audit test data for the auditor know whether theapplication used by the client are exist and eective to beused.

2 The results of processing are then compared to the auditor=sresult. The comparison been made is to determine whethercontrols are operating e5ciently and systems= ob(ectivenessare being achieved.

2 or example when received of goods from the supplier onlytransaction=s invoice with the mark Daccepted= will be processed

by the system. 0learly if transactions processed do notproduce the expected results in output the auditor will need toconsider the need for increased substantive procedures in thearea being reviewed.


39/41

26, Inte%rate te#t !acilitie#2To avoid the risk of corrupting a client=s account system

by processing test data with the client=s other Dlive= datasuch as third party auditors may instigate special Dtestdata only= processing runs for audit test data.

2 Through this method the auditor does not have totalassurance that the test data is being processed in a

similar fashion to the client=s live data. The auditor needsapproval from client to establish an integrated testfacility within the accounting system.

2 This entails the establishment of a dummy unit forexample a dummy supplier account against which the

auditor=s test data is processed during normal processingruns.


40/41

OT+ER TEC+NI1UES3, E$bee a'it !acilitie# (EAF#)

2 #n order to auditor embedded to the client=s applicationsoftware through this techni'ue re'uires the auditor=s ownprogram code such that verication procedures can becarried out as re'uired on data being processed.

2 or example tests of control may include thereperformance of specic input validation checks F choosetransactions may be Dtagged= and followed through thesystem and check whether the transaction have been

applied the controls and processes by the computer system.

Through the +9s the results of testing should record in aspecial secure le for subse'uent review by the auditor.


41/41

26, Application pro%ra$ e7a$ination2 hen determining the extent to which they may rely

on application controls auditors need to consider theextent to which specied controls have beenimplemented correctly. or example where systemamendments have occurred during an accountingperiod the auditor would need assurance as to theexistence of necessary controls both before and afterthe amendment.

computerised information system (cis)

Documents