AUDITING IN

COMPUTERIZED
ENVIRONMENT

PRE
SEN
TED
Ma,
BY:
Bob
b
y
M ir a
Loui
nda,
s A.
Cyro
Nava
nn M
rro,
.
C
o
BS A
51KB nrad Jo
hn B
1
.

Computer Information System

(CIS)
A computer information system is a
system composed of people and
computers that processes or
interprets information. The term is
also sometimes used in more
restricted senses to refer to only the
software
used
to
run
a
computerized database or to refer
to only a computer system.

Types of Computer-Based
Information Systems
1. Centralized Data Processing
system
2. Distributed Data Processing
system
3. Online Real
4. Batch processing system
5. Multi-user system
6. Flat file system
7. Electronic Commerce System

Centralized Data Processing

System
the data processing group controls
the recording of transactions at a
central location utilizing one or more
large computers.

Distributed Data Processing

System
consists of several data
processing units within the entity,
each under the control of end
users.

Online Real-time Processing System

(OLRT)
transactions are entered as they
occur, and are processed as they
are entered. Transactions are
typically entered through terminals
and processed electronically.

Batch Processing System

transactions are accumulated and
are processed in groups.
the method of data entry for early
computers was using punched
cards, which were handled in
batches, and hence the term batch
processing.
each piece of work for a batch
processing system is called a job.

Multi-user System
in a multi-user system, functional
and geographical units share a
single operating system housed in a
central location.

Flat-file System
users own their own data; that is,
the user has exclusive access to
and use of his or her set of data.
a system in which every file in an
operating system is at the same
directory level.

Electronic Commerce System

involves the trading of goods and
services through the use of
computers.
Example is Electronic Data
Interchange, which is the computerto-computer exchange of
intercompany business documents
in a public standard format.

Characteristics of CIS
Lack of visible transaction trails
Consistency of performance
Ease of access to data and
computer program
Concentration of duties
Systems generated transactions
Vulnerability of data and program
storage

Scope of Audit in a CIS Environment

High speed in a CIS environment,
information can be generated quickly.
Even complex reports in specific report
format can be generated for audit
purposes without much loss of time.
Low clerical errors computerized
operation being a systematic and
sequential programmed course of action
the changes of commission of error is
considerably reduced and is highly
minimized.

 Disappearance of manual reasonableness the shift

from traditional manual information processing
environment to computerized information systems
environment needs a detailed analysis of the physical
system for transformation into a logical platform. In
creating such logical models, many stages required
under the manual process are either deleted or
managed to create a focused computer system. In such
creative effort, the manual reasonableness may be
missing.
Impact of poor system if system analysis and
designs fall short of expected performance, a CIS
environment may do more harm to integrated business
operations than good. Thus, care has to be taken in
adopting manual operations switch-over to computerized
operations for ensuring performance quality standards.

 Man-machine interface / humancomputer interaction man-machine

interface ensures maximum effectiveness
of the information system. Organization
concentrated on presenting information
that is required by the user and to
present the information in the most
uncluttered way. It is required to
determine what information was
necessary to achieve through a careful
analysis of the job or task for which the
user needed the information.

Internal Control in a CIS

Environment
Many of the control procedures used
in manual processing also apply in a
CIS environment.
Examples are:
Authorization of transactions
Proper segregation of duties
Independent checking

When computer processing is

used in significant accounting
applications, internal control can
be classified into two types:
General controls
Application controls

General Controls
control policies and procedures
that relate to the overall CIS.
Organizational controls
Systems development and
documentation controls
Access controls
Data recovery controls
Monitoring controls

Application Controls
policies and procedures
that relate to specific use of
the system.
Controls over input
Controls over processing
Controls over output

Examples of Input Controls

Key verification requires data to be entered twice
(usually by different operators) to provide assurance
that there are no key entry errors committed.
Field check this ensures that the input data agree
with the required field format.
Validity check information entered are compared
with valid information in the master file to determine
the authenticity of the input.
Self-checking digit this is a mathematically
calculated digit which is usually added to a
document number to detect a common
transpositional errors in data submitted for
processing.

 Limit check limit check or reasonable

check is designed to ensure that the data
submitted for processing do not exceed a
predetermined limit or reasonable
amount.
Control totals these are the totals
computed based on the data submitted
for processing. These ensure the
completeness of data before and after
they are processed. Control totals
include financial totals, hash totals, and
record count.

 Note:
The effectiveness of the general CIS
control is essential to the effectiveness
of application CIS control. Thus, it may
be more efficient to review the design of
the general controls first before
reviewing the application controls.

Test of Control in a CIS

Environment
Testing of General Control
Testing of Application Control

Understand the system by observing

the system, asking questions of client
personnel, and studying the system
and program documentation.

Testing of General Control

Understand the system by

observing the system, asking
questions of client personnel, and
studying the system and program
documentation.

After such, evaluation and testing of

general controls will be made. These
includes
Organizational controls
Systems development and documentation
controls
Access controls
Data recovery controls
Monitoring controls

Testing of Application
Control
Audit around the computer/
Black box approach
Audit through the computer/
White Box Approach

Audit Around the Computer/

Black Box Approach
the auditor concentrates on input
and output and ignores the
specifics of how computer process
the data or transactions. If input
matches the output, the auditor
assumes that the processing of
transaction/data must have been
correct.

Computer
(Black Box)

Document
Document
with error
Document
Source Documents

Manual Verification

Document
Document
with error
Document
Output Reports

Audit through the Computer/

White Box Approach
involves direct testing of the
programmed controls used in
processing specific applications.
Consequently, auditor will have to
audit directly the clients computer
program using CAATs.

Computer-Assisted Auditor
Techniques
1. Test Data Approach
2. Integrated Test Facility
Approach(ITF)
3. Parallel Simulation
4. Tagging and Tracing (Snapshots)
5. Systems Control Audit Review
File (SCARF)
6. Surprise Audit

Test Data Approach

Auditors
Test data
Processe
d using
clients
program

Output
Master
File

Comp
are
Manua
lly

Auditor
s
expecte
d
output

Integrated Test Facility Approach(ITF)

Clients

Auditors
Test Data

Data

Processed using
clients program

Computer Results

should
match

Auditors
Predetermined
Results

Parallel Simulation
Clients

Clients

Data

Data

Processed
using clients
program

Processed
using auditors
program

Output
Master File

Compare
manually

Discrepancies

Output
Master File

Tagging and Tracing

(Snapshots)
This technique involves taking a
picture of a transaction as it flows
through the computer systems. Audit
software routines are embedded at a
different points in the processing
logic to capture the images of the
transaction as it progresses through
the various stage of processing.

Systems Control Audit Review

File (SCARF)
This provides embedding audit
software modules within an
application system to provide
continuous monitoring of the
systems transaction.

Surprise Audit
In using this technique, the
auditor, on an unannounced
basis, during neither the
scheduled interim nor the final
audit phase, requests duplicate
copies of client programs at the
conclusion of specific
processing runs.

Effect of Computers on Internal Control

Segregation of Duties
Delegation of Authority and
Responsibility
Competent and Trustworthy
Personnel
System of Authorization
Physical Control over Assets and
Records
Adequate Management Supervision

Effect of Computers on Auditing

Changes to Evidence Collection
Changes to Evidence
Evaluation

THE
END