8/11/2019 Internal Control in a CIS Environment
AUDITING IN A COMPUTERIZED ENVIRONMENT
Internal Control in a CIS Environment
General Controls
These are controls which relate to the environment within which computer-based accounting systems are developed, maintained and operated, aimed at providing reasonable assurance that the overall objectives of internal controls are achieved. These controls could either be manual or programmed.
Application Controls
1. Organizational Controls
Segregation between the CIS department and user department
- The CIS department must be independent of all departments within the entity that provide input data or that use output generated by the CIS.
Segregation of duties within the CIS department
- Functions within the CIS department should be properly segregated for good organizational controls.
[Organization chart of the CIS department. Boxes: CIS Director; Operations; Other Functions; Systems Development; Systems Analyst; Programmer; Data Entry Operator; Computer Operator; Control Group; Librarian]
Position: Primary Responsibilities
CIS Director: Exercises control over the CIS department.
Systems Analyst: Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers.
Programmer: Guided by the specifications of the systems analyst, the programmer writes a program, tests and debugs such programs, and prepares the computer operating instructions.
Computer Operator: Using the program and detailed operating instructions prepared by the programmer, the computer operator operates the computer to process transactions.
Data Entry Operator: Prepares and verifies input data for processing.
Librarian: Maintains custody of systems documentation, programs and files.
Control Group: Reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output, and distributes output to
2. Systems Development and Documentation Controls
Software development as well as changes thereof must be approved by the appropriate level of management and the user department.
must be TESTED and MODIFIED
3. Access Controls
Every computer system should have adequate security controls to protect equipment, files and programs.
4. Data Recovery Controls
Data recovery controls provide for the maintenance of backup files and off-site storage procedures.
Grandfather, father, son - a practice that requires an entity to keep the two most recent generations of master files and transaction files.
5. Monitoring Controls
Monitoring controls are designed to ensure that CIS controls
are working effectively as planned.
Application Controls
Application controls are those policies and procedures that relate to the specific use of the system. These are designed to provide reasonable assurance that all transactions are authorized, and that they are processed completely, accurately translated into machine readable form.
1. Controls over input
Input controls are designed to provide reasonable assurance that data submitted for processing are complete, properly authorized and accurately translated into machine readable form.
Examples of input controls:
Key verification
- Requires data to be entered twice to provide assurance that no key entry errors are committed.
Field Check
- This ensures that the input data agree with the required field format.
Validity Check
- Information entered is compared with the valid information in the master file to determine the authenticity of the input.
Self-checking digit
- This is a mathematically calculated digit which is usually added to a document number to detect common transposition errors in data submitted for processing.
Limit Check
- Designed to ensure that data submitted for processing do not exceed a pre-determined limit or a reasonable amount.
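
The field check, validity check, self-checking digit and limit check described above, applied to one payment record, as an added example that is not part of the original slides. The Luhn check-digit scheme, the 8-digit document number format, the vendor master list and the 50,000 limit are assumptions chosen for illustration.

```python
import re

# Constructed sample master file of valid vendor codes (assumption).
VENDOR_MASTER = {"V001", "V002", "V017"}
AMOUNT_LIMIT = 50_000  # assumed pre-determined limit for one payment


def luhn_ok(number: str) -> bool:
    """Self-checking digit: the last digit is a Luhn check digit (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(record: dict) -> list:
    """Return the input controls the record fails (empty list = accepted)."""
    failures = []
    doc = record.get("doc_no", "")
    amount = record.get("amount", "")
    # Field check: document number must be exactly 8 digits.
    if not re.fullmatch(r"\d{8}", doc):
        failures.append("field check: doc_no")
    # Self-checking digit: only meaningful once the format is right.
    elif not luhn_ok(doc):
        failures.append("self-checking digit")
    # Field check: amount must be numeric, optionally with two decimals.
    if not re.fullmatch(r"\d+(\.\d{2})?", amount):
        failures.append("field check: amount")
    # Limit check: amount must not exceed the pre-determined limit.
    elif float(amount) > AMOUNT_LIMIT:
        failures.append("limit check")
    # Validity check: vendor code must exist in the master file.
    if record.get("vendor") not in VENDOR_MASTER:
        failures.append("validity check")
    return failures


# Constructed sample records: one clean, one with two adjacent digits transposed.
GOOD = {"doc_no": "12345674", "vendor": "V002", "amount": "1250.00"}
TRANSPOSED = {"doc_no": "12345764", "vendor": "V002", "amount": "1250.00"}
```

A rejected record goes back to the data entry operator with the failed control named, so the error is corrected before processing rather than after.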
Control totals
- These are totals computed based on the data submitted for processing. Control totals ensure the completeness of data before and after they are processed.
Financial totals
Hash totals
Record counts
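
How the three control totals are computed for a batch and compared before and after processing, as an added example that is not part of the original slides. The batch layout (account number, amount) and all sample values are constructed; the hash total here is the sum of the account numbers, a figure with no monetary meaning that changes when a record is posted to the wrong account.

```python
from decimal import Decimal


def control_totals(batch):
    """Compute the control totals for a batch of (account_no, amount) records."""
    return {
        "record_count": len(batch),
        "financial_total": sum((Decimal(amt) for _, amt in batch), Decimal("0")),
        # Hash total: sum of a non-monetary field, kept only as a control figure.
        "hash_total": sum(int(acct) for acct, _ in batch),
    }


def reconcile(before, after):
    """Return the names of the control totals that differ between two batches."""
    b, a = control_totals(before), control_totals(after)
    return [name for name in b if b[name] != a[name]]


# Constructed sample batch as submitted for processing.
SUBMITTED = [("10021", "150.00"), ("10034", "75.50"), ("10087", "300.00")]

# Constructed post-processing variants, one per kind of error.
LOST_RECORD = SUBMITTED[:2]                      # a record was dropped
DUPLICATED = SUBMITTED + [SUBMITTED[0]]          # a record was processed twice
WRONG_ACCOUNT = [("10021", "150.00"), ("10043", "75.50"), ("10087", "300.00")]
CHANGED_AMOUNT = [("10021", "150.00"), ("10034", "57.50"), ("10087", "300.00")]


def report():
    """Map each variant to the control totals that expose it."""
    variants = {
        "unchanged": SUBMITTED,
        "lost record": LOST_RECORD,
        "duplicated record": DUPLICATED,
        "wrong account": WRONG_ACCOUNT,
        "changed amount": CHANGED_AMOUNT,
    }
    return {name: reconcile(SUBMITTED, batch) for name, batch in variants.items()}


if __name__ == "__main__":
    for name, mismatches in report().items():
        print(f"{name}: {mismatches or 'all control totals agree'}")
```

The wrong-account case leaves the record count and financial total unchanged, which is why the hash total is kept alongside them.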
2. Controls over processing
Processing controls are designed to provide reasonable assurance that
input data are processed accurately, and that data are not lost, added,
excluded, duplicated or improperly changed.
3. Controls over output
Output controls are designed to provide reasonable assurance that the results of processing are complete and accurate, and that these outputs are distributed only to authorized personnel.
Auditing Around the Computer
Auditing Through Computers
This approach de-emphasizes testing of records and focuses on the examination of the processing system to enhance the probability of system-generated records being accurate.
INTEGRATED TEST FACILITY (ITF)
When using this technique, the auditor creates a dummy or fictitious employee or other appropriate unit for testing within the entity's computer system.
[Diagram: Auditor's Test Data and Client's Data are processed using the client's program; the Output is compared manually with the Auditor's Expected Output]
PARALLEL SIMULATION
- Requires the auditor to write a program that simulates key features or
processes of the program under review.
[Diagram: Client's Data (two boxes), each labelled "Processed using client's program"; the two Outputs are compared manually]
Parallel simulation can be accomplished by using:
Generalized audit software
- Consists of generally available computer packages which have been designed to perform common audit tasks such as performing or verifying calculations, summarizing and totaling files, and reporting in a format specified by the auditor.
Purpose-written programs
- Designed to perform audit tasks in specific circumstances.
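
A small purpose-written program of the kind parallel simulation calls for, as an added example that is not part of the original slides: the auditor recomputes one key processing step from the client's input data and compares the result with the client's output, record by record. The payroll rule (time-and-a-half above 40 hours), the file layouts and all sample values are assumptions constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

OVERTIME_THRESHOLD = Decimal("40")  # assumed rule taken from system documentation
OVERTIME_FACTOR = Decimal("1.5")    # assumed rule


def simulate_gross_pay(hours, rate):
    """Auditor's independent re-computation of the processing step under review."""
    hours, rate = Decimal(hours), Decimal(rate)
    regular = min(hours, OVERTIME_THRESHOLD)
    overtime = max(hours - OVERTIME_THRESHOLD, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_FACTOR
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(client_input, client_output):
    """Return (id, finding, simulated, reported) for every record that disagrees."""
    exceptions = []
    for emp_id, (hours, rate) in sorted(client_input.items()):
        expected = simulate_gross_pay(hours, rate)
        reported = client_output.get(emp_id)
        if reported is None:
            exceptions.append((emp_id, "missing from client output", expected, None))
        elif Decimal(reported) != expected:
            exceptions.append((emp_id, "amount differs", expected, Decimal(reported)))
    # Output records with no input behind them were added during processing.
    for emp_id in sorted(set(client_output) - set(client_input)):
        exceptions.append((emp_id, "no matching input record", None,
                           Decimal(client_output[emp_id])))
    return exceptions


# Constructed sample: client's input data (hours, rate) and client's program output.
CLIENT_INPUT = {"E01": ("40", "20.00"), "E02": ("45", "18.50"), "E03": ("38.5", "22.00")}
CLIENT_OUTPUT = {"E01": "800.00", "E02": "832.50", "E03": "847.00", "E99": "500.00"}

if __name__ == "__main__":
    for finding in parallel_simulation(CLIENT_INPUT, CLIENT_OUTPUT):
        print(finding)
```

Each exception is a lead for follow-up, not a conclusion: a difference can come from the client's program or from the auditor's understanding of the rule.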
Advantages of CAATs
CAATs allow the auditor to:
- Independently access the data stored on a computer system without dependence on the client;
- Test the reliability of client software, i.e. the IT application controls (the results of which can then be used to assess control risk and design further audit procedures);
- Increase the accuracy of audit tests; and
- Perform audit tests more efficiently, which in the long term will result in a more cost-effective audit.
Disadvantages of CAATs
- CAATs can be expensive and time consuming to set up; the software must either be purchased or designed (in which case specialist IT staff will be needed);
- Client permission and cooperation may be difficult to obtain;
- Potential incompatibility with the client's computer system;
- The audit team may not have sufficient IT skills and knowledge to create the complex data extracts and programming required;
- The audit team may not have the knowledge or training needed to understand the results of the CAATs; and
- Data may be corrupted or lost during the application of CAATs.
Other CAATs
Snapshots
- This technique involves taking a picture of a transaction as it flows through the computer systems.
Systems control audit review files (SCARF)
- This involves embedding audit software modules within an application system to provide continuous monitoring of the system's transactions.