Internal Control in a CIS Environment

Upload: junalyn15

Post on 02-Jun-2018

TRANSCRIPT

  • 8/11/2019 Internal Control in a CIS Environment

    1/25

    AUDITING IN A COMPUTERIZED ENVIRONMENT

    Internal Control in a CIS Environment

    General Controls

    These are controls that relate to the environment within which computer-based accounting systems are developed, maintained and operated, aimed at providing reasonable assurance that the overall objectives of internal controls are achieved. These controls can be either manual or programmed.

    Application Controls

    1. Organizational Controls

    Segregation between the CIS department and user department

    - The CIS department must be independent of all departments within the entity that provide input data or that use output generated by the CIS.

    Segregation of duties within the CIS department

    - Functions within the CIS department should be properly segregated for good organizational controls.

    [Organization chart: CIS Director; Operations; Other Functions; Systems Development; Systems Analyst; Programmer; Data Entry Operator; Computer Operator; Control Group; Librarian]

    Position: Primary Responsibilities

    CIS Director: Exercises control over the CIS department.

    Systems Analyst: Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers.

    Programmer: Guided by the specifications of the systems analyst, the programmer writes a program, tests and debugs such programs, and prepares the computer operating instructions.

    Computer Operator: Using the program and detailed operating instructions prepared by the programmer, the computer operator operates the computer to process transactions.

    Data Entry Operator: Prepares and verifies input data for processing.

    Librarian: Maintains custody of systems documentation, programs and files.

    Control Group: Reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output, and distributes output to

    2. Systems Development and Documentation Controls

    Software development, as well as changes thereof, must be approved by the appropriate level of management and the user department.

    must be TESTED and MODIFIED

    3. Access Controls

    Every computer system should have adequate security controls to protect equipment, files and programs.

    4. Data Recovery Controls

    Data recovery controls provide for the maintenance of backup files and off-site storage procedures.

    Grandfather, father, son - a practice that requires an entity to keep the two most recent generations of master files and transaction files.

    5. Monitoring Controls

    Monitoring controls are designed to ensure that CIS controls are working effectively as planned.

    Application Controls

    Application controls are those policies and procedures that relate to the specific use of the system. These are designed to provide reasonable assurance that all transactions are authorized, and that they are processed completely, accurately translated into machine readable form.

    1. Controls over input

    Input controls are designed to provide reasonable assurance that data submitted for processing are complete, properly authorized and accurately translated into machine readable form.

    Examples of input controls:

    Key verification

    - Requires data to be entered twice to provide assurance that there are no key entry errors committed.

    Field Check

    - This ensures that the input data agree with the required field format.

    Validity Check

    - Information entered is compared with the valid information in the master file to determine the authenticity of the input.

    Self-checking digit

    - This is a mathematically calculated digit which is usually added to a document number to detect common transpositional errors in data submitted for processing.

    Limit Check

    - Designed to ensure that data submitted for processing do not exceed a pre-determined limit or a reasonable amount.

    Control totals

    - These are totals computed based on the data submitted for processing. Control totals ensure the completeness of data before and after they are processed.

    - Financial totals
    - Hash totals
    - Record counts
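The input controls listed above, applied to one batch, as an added example that is not part of the original slides: a field check, validity check, self-checking digit, limit check, and the three control totals compared before and after processing. The Luhn (mod 10) algorithm for the check digit, the 1000.00 limit, the field names and the sample records are assumptions constructed for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("1000.00")          # assumed pre-determined limit
MASTER_VENDORS = {"V100", "V200"}   # assumed vendor keys from the master file

def luhn_ok(number: str) -> bool:
    """Self-checking digit: the last digit is a Luhn (mod 10) check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec: dict) -> list:
    """Return the names of the input controls that this record fails."""
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return ["field check"]
    if not re.fullmatch(r"[0-9]{6}", rec["doc_no"]) or not amount.is_finite():
        return ["field check"]      # wrong format: later checks are meaningless
    errors = []
    if rec["vendor"] not in MASTER_VENDORS:
        errors.append("validity check")
    if not luhn_ok(rec["doc_no"]):
        errors.append("self-checking digit")
    if amount > LIMIT:
        errors.append("limit check")
    return errors

def control_totals(batch: list) -> dict:
    """Record count, financial total and hash total for a batch."""
    return {"record_count": len(batch),
            "financial_total": sum(Decimal(r["amount"]) for r in batch),
            "hash_total": sum(int(r["doc_no"]) for r in batch)}

def reconcile(header: dict, batch: list) -> list:
    """Names of the control totals that no longer match the batch header."""
    actual = control_totals(batch)
    return [name for name in header if header[name] != actual[name]]

# Constructed sample batch; HEADER holds the totals taken before processing.
BATCH = [{"doc_no": "100420", "vendor": "V100", "amount": "250.00"},
         {"doc_no": "100438", "vendor": "V200", "amount": "980.50"},
         {"doc_no": "100446", "vendor": "V100", "amount": "75.25"}]
HEADER = control_totals(BATCH)
```

The hash total here sums the document numbers, a figure with no accounting meaning that still changes when a record is dropped or substituted, which is why it catches errors that leave the financial total unchanged.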

    2. Controls over processing

    Processing controls are designed to provide reasonable assurance that input data are processed accurately, and that data are not lost, added, excluded, duplicated or improperly changed.

    3. Controls over output

    Output controls are designed to provide reasonable assurance that the results of processing are complete and accurate, and that these outputs are distributed only to authorized personnel.

    Auditing Around the Computer

    Auditing Through Computers

    This approach de-emphasizes testing of records and focuses on the examination of the processing system to enhance the probability of system-generated records being accurate.

    INTEGRATED TEST FACILITY (ITF)

    When using this technique, the auditor creates a dummy or fictitious employee or other appropriate unit for testing within the entity's computer system.

    [Diagram: Auditor's Test Data; Client's Data; Processed using client's program; Output; Compare Manually; Auditor's Expected Output]

    PARALLEL SIMULATION

    - Requires the auditor to write a program that simulates key features or processes of the program under review.

    [Diagram: Client's Data; Processed using client's program; Output; Client's Data; Processed using client's program; Output; Compare Manually]

    Parallel simulation can be accomplished by using:

    Generalized audit software

    - Consists of generally available computer packages which have been designed to perform common audit tasks such as performing or verifying calculations, summarizing and totaling files, and reporting in a format specified by the auditor.

    Purpose-written programs

    - Designed to perform audit tasks in specific circumstances.

    Advantages of CAATs

    CAATs allow the auditor to:

    - Independently access the data stored on a computer system without dependence on the client;

    - Test the reliability of client software, i.e. the IT application controls (the results of which can then be used to assess control risk and design further audit procedures);

    - Increase the accuracy of audit tests; and

    - Perform audit tests more efficiently, which in the long term will result in a more cost-effective audit.

    Disadvantages of CAATs

    - CAATs can be expensive and time consuming to set up: the software must either be purchased or designed (in which case specialist IT staff will be needed);

    - Client permission and cooperation may be difficult to obtain;

    - Potential incompatibility with the client's computer system;

    - The audit team may not have sufficient IT skills and knowledge to create the complex data extracts and programming required;

    - The audit team may not have the knowledge or training needed to understand the results of the CAATs; and

    - Data may be corrupted or lost during the application of CAATs.

    Other CAATs

    Snapshots

    - This technique involves taking a picture of a transaction as it flows through the computer systems.

    Systems control audit review files (SCARF)

    - This involves embedding audit software modules within an application system to provide continuous monitoring of the system's transactions.