Auditing in CIS Environment
Auditing
- A systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of
correspondence between those assertions and established criteria and communicating
the results thereof.
1. systematic process
- It is structured as a dynamic activity in a logical manner.
1. Internal storage
- with the representation of information in electronic form inside the computer, the
auditor is no longer able to observe the processing of data to determine if the
proper procedures are being used.
4. Multiprogramming or multiprocessing
- with the ability of computer systems to process several applications simultaneously, files
currently being reviewed can be modified during data processing by another program.
- A major threat is the potential loss of assets from unauthorized access to programs and
files; data might also be lost during transmission.
- PHISHING is the attempt to acquire sensitive information such as usernames,
passwords, bank account and credit card details for malicious reasons, by masquerading
as a trustworthy entity in an electronic communication.
- since account balances are updated immediately upon entering the system, it could
mean that before the auditor had finished reading and adding the balances, some of the
balances may have already changed.
7. Multiple locations
Auditing Approaches
1. Compliance Testing
“The auditor must obtain a sufficient understanding of the entity and its environment, including
its internal control,
- to assess the risk of material misstatement of the financial statements whether due to error or
fraud, and
- to design the nature, timing, and extent of further audit procedures.”
Internal Control
- Comprises the plan of the organization and all of the methods and procedures
adopted by a business to:
1. ADMINISTRATIVE CONTROLS
- the plan of the organization and the methods and procedures to promote operational
efficiency and encourage adherence to prescribed managerial policies.
2. ACCOUNTING CONTROLS
- the plan of the organization and the methods and procedures used to safeguard assets
and to check the reliability of accounting data.
AIS Controls:
> General Controls
> Application Controls
1. GENERAL CONTROLS
- having pervasive effects
> if they are weak or absent,
- they negate the effects of the application controls.
1. Organizational controls
2. Sound personnel practices
3. Standard operating procedures
4. Systems development controls
5. Documentation controls
6. Hardware control
7. System software controls
8. Systems security controls
2. APPLICATION CONTROLS
- Relate to the specific tasks performed by the computer
2. Substantive Testing
- The auditor must obtain sufficient appropriate audit evidence by performing audit
procedures to afford a reasonable basis for an opinion regarding the financial statements
under audit.
3. Dual-purpose testing
- Both types of tests, compliance and substantive, are performed at the same time.
GENERAL CONTROLS
i. Authorization
ii. Execution
iii. Accountability
i. Authorization
ii. Execution
- steps in the transaction processing cycles and changes to master files are to be
performed by the users; today, execution is done automatically through instructions in
the program
- examples: systems-generated financial entries, automatic reversing entries
iii. Accountability
b. Operations
c. Database administration
> Independent librarian function
b) Personnel scheduling
- Irregularities may be discovered during an employee’s absence.
c) Rotation of duties
- Enables the employee to master other tasks; thus, effectiveness is
improved.
- When a task is performed by another, opportunities for improvement can
be identified.
d) Performance Evaluation
- a tool to identify strengths and areas of improvement.
- a good basis for rewards and remunerations.
f) Career Path
- a tool to formalize target positions
- helps identify training needs
- encourages loyalty and dedication
g) Rewards and Remuneration
- induces employees to perform their best
i) Psychological Control
- employees tend to display positive behavior if it goes with a reward or
punishment as the case may be
- identify procedures that ensure high quality processing and limit the opportunity for
errors, and unauthorized use of files, programs and reports.
● Scheduling
● Machine operations
● Machine performance
● Job-run procedures
● Console log and personnel time record
● Housekeeping
● File control standards
● Adequate supervision
● Emergency and physical security procedures
1. Scheduling
- the operations of the computer should follow realistic schedules to allow for
assembly and preventive maintenance
2. Machine operations
3. Machine performance
4. Job-run procedures
- these procedures generally outline the sequence of the programs to ensure that the
required processes are performed in the correct order
- example: Variance Report Preparation
> update physical standards
> input volume of production
> enter actual quantities consumed
> calculate variances
5. Console log and personnel time record
- the console log should be prepared by the operating system to record all operating and
application system activities, maintain an equipment utilization record and identify
operator- and user-initiated actions.
- it provides an important control over unauthorized system use.
6. Housekeeping
- procedures relating to the use of supplies, storage of programs, and handling of files
are designed to reduce the risk of loss or destruction of programs and data.
- it ensures that sensitive output does not fall into unauthorized hands.
7. File control standards
- standards for the handling of files are necessary to minimize opportunities for misuse,
damage or loss of files.
- standards include file names, retention dates, reconstruction procedures and storage
location.
- the files are controlled by a librarian.
8. Adequate supervision
- control and review of operating activities which include periodic examination and
comparison of console logs, job records and personnel time records.
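The console log review described under adequate supervision, shown as an added example that is not part of the original notes: a constructed console log is reconciled against an assumed job schedule and personnel time record, and every run outside its approved window or action by an operator who was not clocked in is reported as a review exception.

```python
# Added example (not from the notes): reconciling a constructed console log
# against the job schedule and personnel time records. All log lines,
# schedule windows and time records below are made up for illustration.
from datetime import datetime

CONSOLE_LOG = """\
2024-03-04 08:05 JOB START  PAYROLL_UPDATE   operator=jsmith
2024-03-04 08:41 JOB END    PAYROLL_UPDATE   operator=jsmith
2024-03-04 22:17 JOB START  GL_POSTING       operator=jsmith
2024-03-04 22:30 JOB END    GL_POSTING       operator=jsmith
2024-03-04 23:02 JOB START  PAYROLL_UPDATE   operator=mlee
"""
# Approved job schedule: job name -> allowed start window (HH:MM, HH:MM).
SCHEDULE = {"PAYROLL_UPDATE": ("08:00", "09:00"), "GL_POSTING": ("18:00", "23:59")}
# Personnel time record: operator -> (clock-in, clock-out) for the day.
TIME_RECORD = {"jsmith": ("07:45", "17:00"), "mlee": ("22:00", "23:59")}


def parse_log(text):
    """Yield (timestamp, event, job, operator) from each JOB START/END line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[2] == "JOB":
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M")
            yield ts, parts[3], parts[4], parts[5].split("=", 1)[1]


def exceptions(log_text, schedule, time_record):
    """Return review exceptions: off-schedule runs and actions by absent staff."""
    findings = []
    for ts, event, job, operator in parse_log(log_text):
        hhmm = ts.strftime("%H:%M")          # HH:MM strings compare correctly
        if event == "START":
            lo, hi = schedule.get(job, ("00:00", "00:00"))  # unknown job: no window
            if not (lo <= hhmm <= hi):
                findings.append(f"{job} started at {hhmm} outside window {lo}-{hi}")
        cin, cout = time_record.get(operator, ("00:00", "00:00"))
        if not (cin <= hhmm <= cout):
            findings.append(f"{operator} acted at {hhmm} but was clocked {cin}-{cout}")
    return findings


if __name__ == "__main__":
    for finding in exceptions(CONSOLE_LOG, SCHEDULE, TIME_RECORD):
        print(finding)
```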
9. Emergency and physical security procedures
- plans and procedures to protect programs, files and equipment from fire, theft, natural
disasters, power failure, or failure of communications.
- emergency and physical security procedures should be written and included in the
systems and procedures manual.
- The best time to build in the application controls is during the development of a system.
- it would be easier compared with doing the program revisions later in order to incorporate the
control.
a. SDLC
- planning, analysis, design, development and implementation
- building-in of required application control
- users’ training and users’ procedures manual
c. Documentation
- provides control over the prevention, detection and correction of errors.
2. Project management
- The systems development methodology will be of little value if development projects are not
adequately managed.
Conventions
- refer to the agreed standards, for example, in the use of symbols, charts, texts,
graphs or writing of manuals.
- also pertain to the uniform procedures followed in order to ensure the same
accurate results every time a job is performed.
● Flowcharting conventions
● Decision table conventions
● Coding conventions
● Standard glossary and standard abbreviations
● Standard program routines
● Standard job control procedures
● Debugging
● Auditing conventions
Coding conventions
2. Data code
- provides the interface between the application program and the operating system.
Debugging
- a standard technique for debugging increases the chance that errors will be found and
provides a trail of program changes, thereby reducing the opportunity for unauthorized
program change.
Auditing conventions
- the programming standards manual should include a list of required controls and audit
features.
Technical, Management, User, and Auditor Review and Approval
Technical level
- work outputs for each phase should be reviewed and approved by the systems
and programming supervisors before submission to users, auditors and management
for approval.
Output level
- requires that users, auditors and management review and approve the work
output at the end of each phase.
6. System Testing
- Purpose:
> to ensure that the system will operate in conformance with the design
specifications.
> to determine whether the system’s operations meet user requirements.
> to test all application controls if they will work as intended.
> to verify that errors in input, processing and output will be detected.
● Program tests
- testing of the processing logic of the programs.
● String tests
- instead of a single program, they are applied to a string of logically
related programs.
● System tests
- applied to all programs in the system to check whether they will function when they
run at the same time.
7. Final Approval
- Provides an opportunity to examine the final test results to make a final judgment.
- Final approval should be given by management, users and IT or EDP personnel before
the system is implemented.
- controls to prevent and detect errors when converting and migrating files
to the new system.
● Data conversion
● Data Migration
Control procedures:
> approval indicates their satisfaction with the way the system is
operating.
9. Post-implementation Review
Conducted to:
> evaluate the effectiveness of the entire process of developing the system.
“the feedback from this review is useful to the external auditor as it
indicates that controls are either functioning as desired or not.”
10. Program Change Control
- Program changes result from a desire to improve the system, the need to adjust
to changing business conditions or the need to incorporate new operating,
accounting and control policies. These changes are referred to as program
maintenance.
- The objective of program change control is to ensure that all program change requests
are approved and authorized and that all approved and authorized program change
requests are completed.
Controls:
3. the changes should be reviewed and approved by the user to ensure conformity with
the purpose of the change.
4. changes should be made to the test program and not the production program to limit
the opportunities to make unauthorized changes to the production program.
10. conversion should not be permitted before approval of the test results and
completion of changes to documentation.
11. final approval should be given by data processing management and the user.
● Documentation
- describes the system and the procedures for performing a data
processing task.
- a means of communicating both the essential elements of a system and
the logic followed by the computer programs.
- an integral part of the systems design and the documentation process.
1. Provides a source of information for systems analysts and programmers who are
responsible for maintaining and changing existing systems and programs.
Inclusions:
1. Description of the reasons for implementing the system
including the objectives and scope of the project.
2. System specifications describing the operations
performed by the system.
3. Evidence of approval and any subsequent changes in
systems specifications.
2. Systems Documentation (SIOF CC)
Inclusions:
1. Systems flowchart
2. Input descriptions
- identify the type of source documents used.
- for example, this may be a description of the Time Keeping
System as a source of time data in a payroll or labor
distribution system.
3. Output descriptions
- show each type of output generated by the system.
- defines where the output is stored, what files are updated,
the medium of providing the users (screen displays or
printed copies), the use of the output, who uses it, when it is
used and the frequency of need.
4. File description
- lists individual files and describes the scope and functions
of each file.
- for example, a customer master file may be described as
containing customer data, i.e., customer name, delivery
address, billing address, contact number, credit limit,
payment terms etc.
5. Control descriptions
- summarize the main control features that are designed into
the system, e.g., general controls and application program
controls.
6. Change summary
- list of all changes that have been made and their effective
dates along with copies of authorizations of these changes.
3. Program Documentation (BP LAD CP)
Inclusions:
1. Brief narrative description of the functions of the program.
2. Program flowcharts, or detailed logical narrative showing
how the program operates, e.g., whether all account
balances should be printed or just those with abnormal
balances.
3. Listing of parameters used in the program such as tax
withholding tables.
4. A list of application controls such as data entry validation
and output controls.
5. Detailed description of file formats and record layouts;
typical information includes the names of all fields within a
record, field location, field sizes and field data character
type.
Inclusions:
1. A brief narrative that indicates the purpose of the
program.
2. An input/output chart that lists all the inputs and outputs
required for processing the program and the sequence in
which they are to be used.
3. A description of input/output forms and formats, including
an output distribution list, provided for the operators’
guidance.
4. A list of set-up instructions and operating systems
requirements.
5. A list of all program error messages and halts with the
description of the action to be taken in response to each
error message and halt condition.
6. Detailed instructions regarding recovery and restart
procedures to be used in the event of hardware or software
malfunction.
7. A list of estimated normal and maximum runtime.
8. A list of instructions to the operator in case of emergency.
- A step by step guide that the users can refer to as they use
the system.
- Useful in training new or replacement personnel.
- Valuable for the auditor in understanding the user’s role in
the processing of data and evaluating the degree of control provided by the
user.
Inclusions:
1. A nontechnical description of the system including the
benefits the user may derive from it.
2. A description of the types of source documents required,
such as purchase orders.
3. A description of the form and purpose of each output
received by the users.
- a bit, two bits or a set of bits for the purpose of detecting errors.
- data are stored in binary codes:
sequence of zeros and ones (bits)
- the single parity bit check is the creation of an additional bit for each character
processed.
- the computer counts the number of 1 bits in each character to determine if the
count is odd or even.
- in an odd parity bit check, the computer will add a parity bit of 0 if the count is
odd, and a 1 if the count is even.
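The odd-parity rule described above, as an added example that is not part of the original notes: a parity bit is generated for each 7-bit character, the stored byte is re-checked, and a single flipped bit is caught while a double flip (the known limit of a single parity bit) passes unnoticed. Bit positions, the use of bit 7 for parity and the sample character are assumptions of this example.

```python
# Added example (not from the notes): single parity bit generation and checking
# for 7-bit character codes, following the odd-parity rule in the notes
# (parity bit = 0 if the count of 1 bits is odd, 1 if it is even).


def parity_bit(char_bits: int, odd: bool = True) -> int:
    """Return the parity bit to append to a 7-bit character code."""
    ones = bin(char_bits & 0x7F).count("1")
    if odd:
        return 0 if ones % 2 == 1 else 1   # make the total count of 1 bits odd
    return 1 if ones % 2 == 1 else 0       # even parity: make the total even


def encode(char: str, odd: bool = True) -> int:
    """Store the character as 7 data bits plus the parity bit in bit 7 (assumed layout)."""
    code = ord(char) & 0x7F
    return code | (parity_bit(code, odd) << 7)


def check(byte: int, odd: bool = True) -> bool:
    """True if the byte's parity is consistent, i.e. no error was detected."""
    ones = bin(byte & 0xFF).count("1")
    return (ones % 2 == 1) if odd else (ones % 2 == 0)


def flip_bits(byte: int, positions) -> int:
    """Simulate storage or transmission corruption of the given bit positions."""
    for p in positions:
        byte ^= 1 << p
    return byte


def demo() -> dict:
    """'A' is 0x41 = 1000001 (two 1 bits), so odd parity appends a 1 -> 0xC1."""
    stored = encode("A")
    return {
        "stored": stored,
        "clean_ok": check(stored),
        "single_flip_detected": not check(flip_bits(stored, [0])),
        "double_flip_detected": not check(flip_bits(stored, [0, 3])),
    }


if __name__ == "__main__":
    print(demo())
```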
4. Equipment Check
- controls built into the circuitry of the computer to ensure that the equipment is
functioning properly and, where necessary, to perform automatic error correction.
- these automatic checks include:
> operation validity: ensures that only valid instructions are performed.
> character or field validity check: compares data characters or fields that are
written or read with a set of all valid characters or fields.
> address validity: check of storage location in memory or in a peripheral
device.
6. Power Protection
- protects the hardware from power fluctuations (spikes or surges)
- enable the computer to continue operations in case of power interruptions
(UPS)
● Systems software
a. Boundary protection
> assignment of memory partitions to programs in a
multiprogramming environment
a. Segregation of duties
- Assignment of responsibilities for systems software, application
software, library and operations should be separated.
b. Hardwiring
- encode the software logic in hardware; modification can only be
done by the removal and replacement of the Hardware.
8. Systems Security Controls
Environmental hazards
- include fires, floods, tornadoes, earthquakes and other acts of God. Generally
occur infrequently but with a high cost of occurrence.
Errors
- include damage to disk storage by faulty disk drives, mistakes in application
programs that destroy or damage data, and operator mounting of incorrect files.
Generally frequent but at a low cost per incident.
Computer abuse
- the violation of a computer system to perform malicious damage, crime or
invasion of privacy.
- are general controls that prevent failures in systems security and provide for recovery
from failures in system security; they are generally categorized as:
a. Security Management
i. Establish security objectives
ii. Evaluate security risks
iii. Develop a security plan
iv. Assign responsibilities
v. Test system security
vi. Evaluate system security
c. Library Controls
- Terminal identification
- User identification (passwords)
- Physiological key
> handprints, thumbprints
- Special key
> magnetic stripe cards
> optically encoded badge
c. Authentication (FDA)