REVIEWER


AUDIT IN CIS

IT Audit - an audit associated with auditors who use technical skills and knowledge to audit through the computer system, or provide audit services where processes or data, or both, are embedded in technologies. It focuses on the computer-based aspects of an organization's information system.

Characteristics:
a. IT audits are risk-based.
b. The scope of an IT audit depends upon the depth of the systems.
c. IT audits are characterized by the use of CAATs (Computer-Assisted Audit Tools) or CAATTs (Computer-Assisted Audit Tools and Techniques).

IT Audit steps: (ATSI)
1. Audit Planning
2. Test of Controls
3. Substantive Testing
4. Issuance of Audit Report

Audit Planning

Steps:
a. Conducting preliminary arrangements with the client. All arrangements must be included in the engagement letter.
b. Once the engagement letter has been signed, the planning process starts.

Audit Planning includes:
1. Review and understanding of the organization's policies, procedures and structure (Management Control)
   ex. Monitoring duties, information flow, user level and segregation of duties
2. Review of general controls and application controls (Application System Control)
   ex. System built-in controls (general and application controls)
3. Plan Test of Controls and Substantive Testing - discuss the preliminary assessment of control risk

Development of audit plan and audit program tools:
1. Assessment of materiality
2. Acceptable audit risk
3. Inherent risk assessment
4. Control risk assessment

Test of Controls Phase

Test of Control (TOC) - in this phase the auditor focuses his attention on both the design of the controls and whether they were functioning as intended.

Steps:
a. Perform TOC
b. Evaluate test results
c. Determine degree of reliance on controls

Performing TOC in IT Environment - procedures:
1. Test of Control (TOC) itself
   a. TOC are performed to determine whether a control is working.
   b. TOC procedures (IIOR)
      a. Inquiries of client personnel
      b. Inspection of documents and records
      c. Observation of the application of specific policies and procedures
      d. Reperformance of the application of specific policies and procedures
      Note: all MUST be documented, especially if control risk is assessed below the maximum level.
   c. TOC result = Control Risk (CR) assessment
   d. TOC performance on:
      a. Revenue and collection cycle
      b. Expenditure cycle
      c. Financing and investing cycle
2. Test of Transactions (TOT) - to evaluate whether transactions or events have been handled effectively and efficiently.
   a. Effectiveness of the system - if all the information contained/captured in the database can be generated and is useful
   b. Efficiency of the system - if the system has redundancy in inputting data

CR Evaluation and Degree of Reliance on Control
1. CR preliminary assessment = below maximum level
   - The auditor should decide to perform TOC to establish the effectiveness of controls in preventing or detecting material misstatements (MM) in FS assertions.
2. CR preliminary assessment = maximum level
   - The auditors are not required to perform any TOC and may go straight to ST (substantive test); TOC would be performed only to reduce the assessed level of CR below the maximum level.

Substantive Testing Phase

Substantive test (ST) - in this phase, the auditor conducts tests of balances or overall results to obtain sufficient relevant evidence for making a final judgment on the extent of losses or account misstatements that occur when the information system function fails to safeguard assets, maintain data integrity, and achieve system effectiveness and efficiency.

Steps:
a. Perform ST
b. Evaluate results and prepare audit reports

ST Features:
1. Most expensive phase of the audit, therefore the auditor should design and execute ST carefully. (Cost and Benefit Theory)
2. In ST, the auditor aims to substantiate management's assertions relative to: (PERCV)
   a. Presentation and disclosure of the items in the FS - whether the statement items are properly identified, classified, and arranged in the statements and whether accompanying disclosures are adequate.
   b. Existence or occurrence - whether specific assets and liabilities exist at a given point in time and whether recorded events occurred during the recorded year.
   c. Rights and obligations - the client has rights to existing assets and the claims from liabilities and equity are valid.
   d. Completeness - whether all transactions that should have been recorded by the client are accurately included in the accounts.
   e. Valuation - whether FS elements are stated at the proper amount in accordance with GAAP.
3. Nature, Timing and Extent (NTE) of ST depend upon the auditor's assessed level of control risk and the resulting detection risk
   a. CR at minimum level = higher acceptable detection risk, therefore less extensive ST procedures
   b. CR at maximum level = lower acceptable detection risk, therefore more extensive ST procedures

Issuance of Audit Report

Opinions
a. Disclaimer of opinion - the auditor is unable to reach an opinion.
b. Adverse opinion - the auditor concludes that material losses have occurred or that the financial statements are materially misstated.
c. Qualified opinion - the auditor concludes that losses have occurred or that the FS are misstated, but that the amounts are not material.
d. Unqualified opinion - the auditor believes that no material losses or account misstatements have occurred.

Audit Risk

Refers to the possibility that the auditors fail to appropriately modify their opinion on FS that are materially misstated. For each FS account, audit risk consists of the possibility that:
a. a material misstatement in an assertion about the account has occurred, and
b. the auditors do not detect the misstatement.

Types of Audit Risk
1. Inherent Risk - the susceptibility of an FS assertion to a material misstatement, assuming there are no related internal controls.
2. Control Risk - the risk that a material misstatement could occur in an FS assertion and not be prevented or detected by the client's internal controls.
3. Detection Risk - the risk that the auditor's procedures (ST) will not detect an MM that exists in an FS assertion.

Tools to manage or control audit risk (helpful in determining the NTE of audit procedures)

Desired Audit Risk (DAR) = Inherent Risk (IR) x Control Risk (CR) x Detection Risk (DR)

Since audit risk is the risk that the auditor gives an inappropriate audit opinion on the F/S, we can, for example, assess that:
Audit Risk = 5%, Assurance level = 95%

Note: As the desired level of audit risk decreases, the auditor should design more effective substantive procedures.
a. Lower DR level = increase the assurance to be provided by the ST
   1. Perform more effective ST (nature)
   2. Perform year-end procedures (timing)
   3. Use a larger sample size (extent)
b. Higher DR level = decrease the assurance to be provided by the ST
   1. Perform less effective substantive procedures (nature)
   2. Perform the tests at interim (timing)
   3. Use a smaller sample size (extent)

Other Notes:
1. Unlike inherent and control risk, detection risk can be increased or decreased by the auditor. Detection risk can be looked at as the component of ST:
   10% DR = ST should give 90% assurance of detecting MM
2. Only the detection risk can be controlled by the auditor. The auditor can only ASSESS the IR and CR. In order to control it, perform the corresponding ST; therefore we can further derive the equation as follows:
   Detection Risk = AR / (IR x CR)

Test of Controls in CIS Environment

1. Testing the reliability of general controls
   a. Observing the client's personnel in performing their duties
   b. Inspecting program documentation
   c. Observing the security measures in force
2. Testing the application controls, may be either:
   a. Audit around the computer - focusing solely on the input documents and the CIS output. It can only be used if there are visible input documents and detailed output that will enable the auditor to trace individual transactions back and forth. This is also known as the "black box approach".
      Can be used when: the auditor has high reliance on the system.
   b. Auditing through the computer - requires extensive competence on the part of the auditor, since this involves auditing the processing logic and controls existing in the system and the records produced by the system.
      Can be used when the inherent risk associated with the application system is high.

Tools in auditing through the computer - use Computer-Assisted Audit Techniques (CAAT)
Performs tasks for which NO visible evidence is available; the auditor will have to audit the client's system directly with CAATs. This is also called the "white box approach".

Commonly used CAATs
1. Test Data - the auditor prepares test data (fictitious transactions) consisting of valid and invalid transactions, processes them through the computer, and then compares the result to the expected output.
2. Integrated Test Facility (ITF) - integrates the processing of test data with the actual processing of ordinary transactions without management being aware of the testing process. But be sure not to contaminate the client's computer files.
3. Parallel Simulation - the auditor is required to write a program that simulates key features or processes of the program under review. Uses generalized audit software.

CAATs for advanced computer systems
1. Snapshot
2. Systems Control Audit Review File (SCARF)

Substantive Tests (Other Notes)

After determining the DAR, design Substantive Tests (ST).

After assessing the IR and CR, the auditor performs ST to reduce the level of DR to an acceptable level.

ST - are audit procedures designed to substantiate the account balances or designed to detect MM in the F/S.

Using the information obtained in audit planning and in the consideration of IC, the auditor performs substantive tests (ST) to determine whether the F/S are presented fairly in accordance with standards.
- If the TOC result is that IC is good - less ST
- If the TOC result is that IC cannot be relied on - more extensive ST

Types of ST
1. Analytical Procedures
   Used in the planning, testing and overall review stages of the audit. Used to obtain corroborative evidence about a particular assertion. Involves comparison of financial information with the auditor's expectations to evaluate the reasonableness of an account balance or transaction class.
   The auditor should focus on those accounts that are PREDICTABLE.
   a. I/S accounts are more predictable compared to B/S accounts
   b. Accounts that are not subject to management discretion are generally predictable
   c. Relationships in a stable environment are more predictable than those in a dynamic or unstable environment.
2. Test of Details
   Involves examining the actual details making up the various account balances.
   a. Test of details of balances - examining directly the account balance. Used when account balances are affected by a large volume of relatively immaterial transactions.
      Ex. Cash, A/R and Inventory
   b. Test of details of transactions - testing the transactions that give rise to the balance of an account. Used when account balances are made up of a smaller volume of transactions representing material amounts.
      Ex. PPE, Intangibles, Bonds payable, and SHE accounts

Factors affecting ST
1. Nature - quality of evidence, but high quality also involves high cost
2. Timing - performed either at interim or at year end. As the risk of MM increases, ST is performed nearer year end.
3. Extent - amount of evidence needed to satisfy a particular objective. As risk increases, the extent of ST increases.

Internal Control in CIS Environment

1. General Controls
   Relate to the overall computer information system.
   Examples:
   a. Organizational Controls
      a. Segregation between the CIS department and user departments
      b. Segregation of duties within the CIS department
   b. Systems Development and Documentation Controls
   c. Access Controls
      Every computer system should have adequate security controls to protect equipment, files and programs. Access to the computer should be limited only to operators and other authorized employees. Appropriate controls such as the use of passwords must be adopted.
   d. Data Recovery Controls
      Maintenance of back-up files and off-site storage.
      Grandfather, parent, son practice - requires an entity to keep the two most recent generations of master files and transaction files in order to permit reconstruction of master files if needed.
   e. Monitoring Controls
      Designed to ensure that CIS controls are working effectively as planned.

2. Application Controls
   Those policies and procedures that relate to the specific use of the system. These are designed to provide reasonable assurance that all transactions are authorized, and that they are processed completely, accurately and on a timely basis.

   Stages of processing of transactions
   1. Input - capturing of the mass of data
   2. Processing - converting the mass of raw data into useful information
   3. Output stage - preparation of information in a form useful to those who wish to use it

   Examples of Application Controls (most used):
   1. Controls over input
      a. Key verification - data are entered twice
      b. Field check - restriction on entry, e.g. 10 digits, numeric only, etc.
      c. Validity check - input compared to valid information
      d. Self-checking digit - mathematically calculated digit
      e. Limit check - check not to exceed a pre-determined limit
      f. Control totals - to ensure the completeness of data through total computation
         Includes:
         1. Financial total - computing the amount total
         2. Hash total - computing the reference number total
         3. Record count - computing the number of entries
   2. Controls over processing - to provide reasonable assurance that input data are processed accurately, and that the data are not lost, added, excluded, duplicated or changed
   3. Controls over output - to provide reasonable assurance that the results of processing are complete and accurate and that the output is distributed only to authorized personnel

   Note: It may be more efficient to review the design of the GENERAL controls first before reviewing the APPLICATION controls.

Other Topics for CIS

Skills and competence - the auditor should have sufficient knowledge of CIS to plan, direct, supervise and review the work performed. The auditor should consider whether specialized CIS skills are needed in the audit (staff or outside party); these are needed to:
a. obtain a sufficient understanding of the accounting and IC systems affected by the CIS environment
b. determine the effect of the CIS environment on the assessment of overall risk and of risk at the account balance and class of transactions level, and
c. design and perform appropriate TOC and substantive tests to meet the audit objective
d. if the use of another professional is needed and planned, the auditor should obtain sufficient evidence that such work is adequate for the purposes of the audit, in accordance with "Using the Work of an Expert"

Planning
a. Obtain an understanding of the accounting and internal control systems sufficient to plan the audit
b. Obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use in the audit
c. Understanding of the organizational structure of the client's CIS activities
d. Availability of data source - understanding the potential of the client's CIS to be used for CAATs (computer-assisted audit techniques) to increase efficiency in the performance of the audit procedures
e. When the CIS is significant, the auditors should also obtain an understanding of the CIS environment and whether it may influence the assessment of the inherent and control risks

Characteristics of CIS (SALOSAGCOL)
1. Lack of visible trail (due to direct input, hard to find evidence)
2. Consistency of performance (whatever it did before, it does consistently)
3. Ease of access to data and computer programs (unauthorized persons may gain access)
4. Concentration of duties (duties that are normally segregated are combined in a CIS)
5. System-generated transactions (e.g. interest)
6. Vulnerability of data and program storage (the content can be easily changed without a trace of the original content)

Duties (SALOSAGCOL)
1. CIS Director - exercises control over CIS operations
2. Systems Analyst - designs new systems, evaluates and improves existing systems, and prepares specifications for programmers
3. Programmers - write programs
4. Computer Operator - operates the computer to process transactions
5. Data Entry Operator - prepares and verifies input data for processing
6. Librarian - maintains custody of systems documentation, programs and files
7. Control Group - reviews all input procedures, monitors computer processing
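Worked example for the input controls listed under Application Controls and for the Test Data CAAT under Commonly used CAATs: an input-edit routine run against a constructed test deck of valid and invalid transactions, with the batch control totals reconciled against the operator's batch header. This is an added example, not code from the reviewer; the account master list, the transaction limit, the 6-digit reference format and the Luhn modulus-10 scheme used for the self-checking digit are all assumptions.

```python
# Added example (not the reviewer's code): input-edit routine driven by a test deck.
# It applies the input controls listed above to each keyed record and reconciles
# the batch control totals with the operator's batch header. All data is constructed.
VALID_ACCOUNTS = {"1001", "1002", "1003"}   # assumed master list of valid account codes
TRANSACTION_LIMIT = 5000                     # assumed pre-determined limit per transaction

def mod10_check_digit(digits):
    """Luhn (modulus-10) check digit, one common self-checking digit scheme."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def edit_record(rec):
    """Return the list of input controls that one keyed record fails."""
    errors = []
    ref, acct, amount = rec["ref"], rec["acct"], rec["amount"]
    if not (ref.isdigit() and len(ref) == 6):          # field check: 6-digit numeric ref
        errors.append("field check")
    elif mod10_check_digit(ref[:-1]) != ref[-1]:       # self-checking digit is the last digit
        errors.append("check digit")
    if acct not in VALID_ACCOUNTS:                     # validity check against the master
        errors.append("validity check")
    if not 0 < amount <= TRANSACTION_LIMIT:            # limit check
        errors.append("limit check")
    return errors

def edit_batch(records, header):
    """Edit each record, then compare batch totals with the header.
    Returns (errors per record ref, names of batch totals that do not agree)."""
    record_errors = {r["ref"]: edit_record(r) for r in records}
    totals = {
        "record_count": len(records),
        "financial_total": sum(r["amount"] for r in records),
        "hash_total": sum(int(r["ref"]) for r in records if r["ref"].isdigit()),
    }
    batch_errors = [name for name, value in totals.items() if value != header[name]]
    return record_errors, batch_errors

# Header totals the operator computed from four source documents with refs
# 123455, 200014, 300079 and 400002 (hash 1023550, amounts 1200+300+800+7500).
BATCH_HEADER = {"record_count": 4, "financial_total": 9800, "hash_total": 1023550}
# What was actually keyed: document 200014 was lost, 300079 was keyed with the
# wrong check digit, and 400002 was keyed with a letter in the reference.
KEYED_RECORDS = [
    {"ref": "123455", "acct": "1001", "amount": 1200},   # passes every edit
    {"ref": "300078", "acct": "1002", "amount": 800},    # check digit should be 9
    {"ref": "40A002", "acct": "1003", "amount": 7500},   # non-numeric ref, over limit
]
```

Calling `edit_batch(KEYED_RECORDS, BATCH_HEADER)` flags the check-digit, field and limit failures record by record, and all three batch totals disagree with the header because of the lost document, which is exactly the completeness failure the control totals exist to catch.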

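Worked example for the grandfather, parent, son practice under Data Recovery Controls: a small accounts-receivable master file is rolled forward one processing cycle at a time, the two prior generations are retained with their transaction files, and a lost generation is rebuilt from the one before it. This is an added example, not code from the reviewer; the master-file layout (customer to balance) and the sample transactions are constructed.

```python
# Added example (not the reviewer's code): the grandfather-parent-son practice
# applied to a constructed accounts-receivable master file (customer -> balance).
# Each cycle applies a transaction file to the current master; the library keeps
# the two prior generations and their transaction files so a loss can be rebuilt.
from copy import deepcopy

def apply_transactions(master, transactions):
    """One processing cycle: apply (customer, amount) pairs to a master file and
    return the resulting generation. Positive = invoice, negative = collection."""
    new_master = deepcopy(master)
    for customer, amount in transactions:
        new_master[customer] = new_master.get(customer, 0) + amount
    return new_master

class GenerationLibrary:
    """Retains grandfather, parent and son master files, each stored with the
    transaction file that produced it (None for the opening generation)."""
    def __init__(self, opening_master):
        self.generations = [(deepcopy(opening_master), None)]

    def run_cycle(self, transactions):
        parent, _ = self.generations[-1]
        son = apply_transactions(parent, transactions)
        self.generations.append((son, list(transactions)))
        self.generations = self.generations[-3:]   # release anything older than grandfather

    def current(self):
        return self.generations[-1][0]

    def rebuild(self, index):
        """Reconstruct generation `index` (1 = parent, 2 = son) from the one before
        it and the transaction file that produced it."""
        earlier, _ = self.generations[index - 1]
        _, transactions = self.generations[index]
        return apply_transactions(earlier, transactions)

    def recover_son_from_grandfather(self):
        """Worst case the practice covers: parent and son both unusable, so the
        parent is rebuilt from the grandfather first, then the son from that parent."""
        grandfather, _ = self.generations[0]
        _, txns_to_parent = self.generations[1]
        _, txns_to_son = self.generations[2]
        parent = apply_transactions(grandfather, txns_to_parent)
        return apply_transactions(parent, txns_to_son)

# Constructed sample: opening balances, then two processing cycles
OPENING = {"ACME": 1000, "BETA": 250}
CYCLE_1 = [("ACME", 400), ("BETA", -250), ("GAMMA", 75)]
CYCLE_2 = [("ACME", -1000), ("GAMMA", 25)]
```

After `run_cycle(CYCLE_1)` and `run_cycle(CYCLE_2)`, `rebuild(2)` and `recover_son_from_grandfather()` both return the same balances as `current()`, which is the reconstruction the practice is meant to guarantee.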