Notes in A25

An executive information system (EIS) provides top executives with easy access to important data to assist in strategic decision making. Systems analysis involves learning how the current system functions and determining user needs to develop requirements for a new system. A database system keeps data redundancy to a minimum by recording data once for use by different programs. General controls for information systems include organization controls, application development controls, and controls over input, processing, output and access.

Uploaded by

ejrileyriego

Auditing in a Computer Information Systems (CIS)

An executive information system (EIS) is a decision support system (DSS) used to assist senior
executives in the decision-making process. It does this by providing easy access to important
data needed to achieve strategic goals in an organization.
• Provides top executives with immediate and easy access to information in a highly
interactive format.
• Helps executives monitor business conditions in general and assists in strategic planning
to control and operate the company.
• Is designed to accept data from many different sources; to combine, integrate, and
summarize the data; and to display this data in a format that is easy to understand and
use.

Systems analysis- the process of learning how the current system functions, determining the
needs of users, and developing the logical requirements of a proposed system.
- is a two-step process involving first a survey of the current system and then an analysis
of the user’s needs.
- presents the findings of the analysis and recommendations for the new system.

In a database system, data redundancy is kept to a minimum because the DBMS records the
data once, for use by various application programs. The two important characteristics of a
database system are data sharing and data independence.
• Storage structures are created that make the application programs independent of the
location of the data.
• Because each item in the database has a standard definition, name, and format; and
related items are linked by a system of pointers, the application programs need only to
specify the data name, not the location. It also contains a data definition language that
helps describe each schema and subschema.
• It is the responsibility of the database administrator.
A client electronic data processing (EDP) system that performs relatively uncomplicated
processes and produces detailed output generally can be audited without examining
or directly testing the computer programs of the system.
General controls
These relate to all or many IT activities and often include organization and management controls,
application systems development and maintenance controls, computer operation controls,
systems software controls, and data entry and program controls.
• Controls over correction of erroneous input data, output distribution, and
authorization of input data are IT application controls.
An important general CIS control is segregation of duties.
• Although some separation of duties common in a manual system may not be feasible in a
CIS environment, some functions should not be combined.
The functions of systems analysts and programmers should not be combined with the functions
of computer operators.
Programmers and systems analysts may be able to effect changes in programs, files, and
controls and should therefore have no access to computer equipment.
• Systems Analysts need access to edit criteria, source code and user procedures but not
to password identification tables because unauthorized changes can be made.
Computer operators should have access to operator instructions so they can perform their duties
but no opportunity to modify programs and data files, and should not have programming duties
or responsibility for installing new or modifying existing systems.

An auditor should obtain an understanding of the IT system sufficiently to identify and on the
essential control procedures which encompass adequate technical training and proficiency.
CIS application controls include:
1. Controls over input - designed to provide reasonable assurance that:
• Only authorized transactions are submitted for processing.
• All authorized transactions are accurately converted into machine-readable form.
• Incorrect transactions are rejected, corrected, and, if necessary, resubmitted on a timely
basis.
2. Controls over processing and computer data files- designed to provide reasonable assurance
that:
• All transactions are processed as authorized.
• No authorized transactions are omitted.
• No unauthorized transactions are processed.
• Processing errors are identified and corrected on a timely basis.
3. Controls over output - designed to provide reasonable assurance that:
• The results of processing are accurate.
• Output is distributed only to authorized users.

Security software is installed to control access to information system resources.

The primary purpose of a generalized computer audit program is to allow the auditor to
independently process client electronic data processing records.

The ease of use and flexibility of generalized audit software (GAS) make it very
popular with auditors in the audit of information technology (IT) environments.
• GAS packages can be used for audits of clients that use differing IT equipment and file
formats. Each package has its own characteristics, which the auditor must carefully
consider before using it in a given audit situation. The primary advantage of GAS is that
it utilizes the speed and accuracy of the computer.
• The most important function of generalized audit software is the capability to access
information stored in computer files.
• This is usually used by companies that use information technology (IT) extensively to
extract evidence from client databases.
• This audit software is designed to perform common audit tasks or standardized data
processing functions, such as the following:
o reading data files
o selecting and analyzing information
o performing analytical procedures
o summarizing and totaling files
o performing, verifying or testing the accuracy of calculations
o creating and accessing data files
o providing totals of unusual items
o reporting in an auditor-specified format
• A limitation of GAS is that it can only be used on hardware with compatible operating
systems.

Computer Assisted Audit Techniques (CAAT)


The following tasks can be performed by an auditor using CAAT:
• Identifying missing check numbers
• Matching identical product information in separate data files.
• Aging accounts receivable.
Online, Real-Time Processing System
Some of the features include:
• User manuals that provide explanations on the proper use of the system.
• Users usually interact with the mainframe through preformatted screens of remote
terminals.
• Automatic error correction is a principal advantage of real-time systems; that is, errors are
immediately detected and corrected.

Program testing
Integrated test facility- processing simulated file data provides the auditor with
information about the reliability of controls from evidence that exists in simulated files.
• An example is when an auditor creates a dummy division of the organization and sends
test transactions through the system along with valid transactions.
Test data- test data is processed with the client’s computer and the results are compared with
the auditor’s predetermined results.
• An auditor will use the IT test data method in order to gain certain assurances with respect
to the procedures contained within the program.
• A variant of the test data approach is the Base Case System Evaluation (BCSE), which must
consist of all possible transaction types, valid and invalid conditions.
• An example is when an auditor creates a dummy division of the organization and sends
test transactions through the system along with valid transactions.
Parallel simulation- utilizes software prepared by the auditors and applied to the client’s data.

A "cold site" is a backup facility that has all the needed computer resources in place except the
computer equipment.
This backup arrangement is too vendor-dependent because it relies on the vendor's timely
delivery of the needed computer equipment.
A "hot site" backup facility has all the needed resources in place, including the computer
equipment, and is therefore not vendor-dependent.

An uninterruptible power source such as a generator or battery backup used in a computer facility
will reduce the likelihood of losing data stored in the computer's main memory in the event of an
electrical failure such as a power outage or voltage fluctuation.
Audit approaches
1. Auditing around the computer- the auditor ignores or bypasses the computer processing
function of an entity’s EDP system. It focuses solely upon source documents and IT output.
2. Auditing with the computer- the computer is used as an audit tool.
3. Auditing through the computer- the auditor enters the client’s system and directly examines the
computer and its application software.
• White box approach- auditing through the computer for complex systems

Microcomputer
• The two requirements crucial to achieving audit efficiency and effectiveness with a
microcomputer are selecting the appropriate audit tasks for microcomputer applications
and the appropriate software to perform the selected audit tasks.
• A weakness in an internal accounting system that uses a microcomputer is that
microcomputer operators may be able to remove hardware and software components
and modify them at home.
Distributed processing system- uses communications capabilities to make needed data and
computing capability available to end users at separate locations.

Input Controls or Edit Check


• Record Count (also called item count) is the total number of records in a batch.
• Financial Or Control Total is the total peso value of a financial field, for example, the
total sales invoice amounts.
• Hash Total is the total of a unique nonfinancial field, for example, the total of purchase
order numbers in a batch.
• Validity Checks compare actual values in a field (for example, a transaction code) against
acceptable (valid) values in the master file. It is used to detect a data input error in the
customer account number field.
• Limit Check determines if the value in the field exceeds a predetermined limit.
• Missing Data Checks are used to determine if a field contains blank spaces.
• Check Digit- a numeric value is computed to provide assurance that the original value
has not been altered in construction or transmission, for example, an algebraically
determined number produced by the other digits of the employee number.
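
The batch totals and edit checks listed above, applied to one batch, as an added example that is not part of the original notes. The account numbers, the 50,000 limit and the batch are constructed, and the Luhn mod-10 scheme is an assumption, since the notes do not name a check digit algorithm.

```python
from decimal import Decimal

# Constructed sample data: master file of valid accounts, a hypothetical
# per-invoice limit, and one batch with the control totals from its header.
VALID_ACCOUNTS = {"79927398713", "12345674"}
AMOUNT_LIMIT = Decimal("50000.00")
BATCH = {
    "header": {"record_count": 3, "control_total": Decimal("61700.50"), "hash_total": 3006},
    "records": [
        {"po_number": 1001, "account": "79927398713", "amount": "1200.50"},
        {"po_number": 1002, "account": "79927398710", "amount": "60000.00"},
        {"po_number": 1003, "account": "12345674", "amount": ""},
    ],
}

def luhn_ok(number: str) -> bool:
    """Check digit test. Luhn mod 10 is an assumption; the notes name no algorithm."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_record(rec: dict) -> list:
    """Field-level edit checks; returns the names of the checks that failed."""
    errors = []
    if not str(rec["amount"]).strip():
        errors.append("missing_data")   # missing data check: blank field
    elif Decimal(rec["amount"]) > AMOUNT_LIMIT:
        errors.append("limit")          # limit check: exceeds predetermined limit
    if not luhn_ok(rec["account"]):
        errors.append("check_digit")    # altered or mistyped account number
    if rec["account"] not in VALID_ACCOUNTS:
        errors.append("validity")       # validity check against the master file
    return errors

def check_batch(batch: dict) -> dict:
    """Recompute the batch totals and compare them with the header values."""
    recs, hdr = batch["records"], batch["header"]
    amounts = [Decimal(r["amount"]) for r in recs if str(r["amount"]).strip()]
    return {
        "record_count": len(recs) == hdr["record_count"],
        "control_total": sum(amounts, Decimal("0")) == hdr["control_total"],
        "hash_total": sum(r["po_number"] for r in recs) == hdr["hash_total"],
        "rejected": {r["po_number"]: e for r in recs if (e := edit_record(r))},
    }
```

The record count and hash total agree with the header here while the financial control total does not, because the blank amount on purchase order 1003 drops out of the recomputed sum; the field-level checks identify which records to reject and resubmit.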

Electronic data interchange (EDI) environment


• It involves the electronic exchange of transactions, from one entity’s computer to another
entity's computer through an electronic communications network.
• Translation software is needed to convert transactions from the entity’s internal format to
a standard EDI format.
• In all information systems, manual and computerized, preventive controls are more
important than detective controls because typically, the benefits exceed the costs. In an
EDI environment, it may be difficult to apply detective controls once a transaction enters
the computer system.
• EDI Controls
o Authentication- controls must exist over the origin, proper submission, and proper
delivery of EDI communications to ensure that the EDI messages are accurately
sent and received to and from authorized customers and suppliers.
o Encryption- involves conversion of plain text data to cipher text data to make EDI
messages unreadable to unauthorized persons.
o VAN controls- a computer service organization that provides network, storage
and forwarding (mailbox) services for EDI messages.

Systems development
• Top-down approach- in this approach to new system development, the information needs
of managers for planning and control are emphasized before any system elements are
designed.
• Automating a manual system requires the controls to be more explicit in the
computer-based system because many processing points that present opportunities for
human judgment in a manual system are eliminated.
