AUDITING THEORY

CPA Review AUDITING IN A CIS (IT) ENVIRONMENT

1. A CIS environment exists when a computer of any type or size is involved in the processing by the entity of
financial Information of significance to the audit, whether the computer is operated by the entity or by a third
party.

2. The overall objective and scope of an audit does not change in a CIS environment.

3. A CIS environment may affect:

a) The procedures followed in obtaining a sufficient understanding of the accounting and internal control
systems.
b) The consideration of the inherent and control risk.
c) The design and performance of tests of controls and substantive procedures.

4. The auditor should have sufficient knowledge of the computer environment system to plan, direct, and review
the work performed.

5. If specialized skills are needed, the auditor would seek the assistance of a professional possessing such skills,
who may be either on the auditor's staff or an outside professional.

6. In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should
obtain an understanding of the significance and complexity of the CIS activities and the availability of data for use
in the audit.

7. When the CIS are significant, the auditor should also obtain an understanding of the CIS environment and
whether it may influence the assessment of inherent and control risks.

8. The auditor should consider the CIS environment in designing audit procedures to reduce audit risk to an
acceptably low level. The auditor can use either manual audit procedures, computer-assisted audit techniques, or
a combination of both to obtain sufficient evidential matter.

RISK ASSESSMENTS AND INTERNAL CONTROL: CIS CHARACTERISTICS AND CONSIDERATIONS

Organizational Structure

Characteristics of a CIS organizational structure includes:

a. Concentration of functions and knowledge

Although most systems employing CIS methods will include certain manual operations, generally the number of
persons involved in the processing of financial information is significantly reduced.

b. Concentration of programs and data

Transaction and master file data are often concentrated, usually in machine-readable form, either in one computer
installation located centrally or in a number of installations distributed throughout the entity. Nature of Processing
The use of computers may result in the design of systems that provide less visible evidence than those using
manual procedures. In addition, these systems may be accessible by a larger number of persons.
System characteristics that may result from the nature of CS processing include:

a. Absence of input documents

 Data may be entered directly into the computer system without supporting document.
 In some on-line transaction systems, written evidence of individual data entry authorization (e.g.,
approval for order entry) may be replaced by other procedures, such as authorization controls contained
in computer programs (e.9., credit limit approval).

b. Lack of visible audit trail

The transaction trail may be partly in machine-readable form and may exist only for a limited period of time (eo,
audit logs may be set to overwrite themselves after a period of time or when the allocated disk space is
consumed).

c. Lack of visible output

Certain transactions or results of processing may not be printed, or only summary data may be printed.

d. Ease of access to data and computer programs

Data and computer programs may be accessed and altered at the computer or through the use of computer
equipment at remote locations. Therefore, in the absence of appropriate controls, there is an increased potential
for unauthorized access to, and alteration of data and programs by persons inside or outside the entity.

Design and Procedural Aspects

The development of CIS will generally result in design and procedural characteristics that are different from those
found in manual systems. These different design and procedural aspects of CIS include:

a. Consistency of performance
CIS perform functions exactly as programmed and are potentially more reliable than manual systems,
provided that all transaction types and conditions that could occur are anticipated and incorporated into
the system. On the other hand, a computer program that is not correctly programmed and tested may
consistently process transactions or other data erroneously.
b. Programmed control procedures
The nature of computer processing allows the design of internal control procedures in computer
programs.
c. Single transaction update of multiple or data base computer files
A single input to the accounting system may automatically update all records associated with the
transaction.
d. Systems generated transactions document
Certain transactions may be initiated by the CIS itself without the need for an input
e. Vulnerability of data and program storage media
Large volumes of data and the computer programs used to process such data may be stored on portable
or fixed storage media, such as magnetic disks and tapes. These media are vulnerable to theft, loss, or
intentional or accidental destruction.

INTERNAL CONTROLS IN A CIS ENVIRONMENT

GENERAL CIS CONTROLS - to establish a framework of overall control over the CIS activities and to provide a
reasonable level of assurance that the overall objectives of internal control are achieved.
 General CIS controls may include:

a. Organization and management controls - designed to define the strategic direction and establish an
organizational framework over as activities, including:
 Strategic information technology plan
 CIS policies and procedures
 Segregation of incompatible functions
 Monitoring of CIS activities performed by third party consultants
b. Development and maintenance controls - designed to provide reasonable assurance that systems are
developed or acquired, implemented and maintained in an authorized and efficient manner. They also
typically are designed to establish control over:
 Project initiation, requirements definition, systems design, testing, data conversion, go-live decision,
migration to production environment, documentation of new or revised systems, and user training.
 Acquisition and implementation of off-the-shelf packages.
 Request for changes to the existing systems.
 Acquisition, implementation, and maintenance of system software.
c. Delivery and support controls - designed to control the delivery of CIS services and include:
 Establishment of service level agreements against which CIS services are measured.
 Performance and capacity management controls.
 Event and problem management controls.
 Disaster recovery/contingency planning, training, and file backup.
 Computer operations controls.
 Systems security.
 Physical and environment controls.
d. Monitoring controls - designed to ensure that CIS controls are working effectively as planned. These
include:
 Monitoring of key CIS performance Indicators.
 Internal/external CIS audits.

CIS APPLICATION CONTROLS - to establish specific control procedures over the application systems in order to
provide reasonable assurance that all transactions are authorized, recorded, and are processed completely,
accurately and on a timely basis. CIS application controls include:

a. Controls over input-designed to provide reasonable assurance that:

 Transactions are properly authorized before being processed by the computer.
 Transactions are accurately converted into machine readable form and recorded in the computer
data files.
 Transactions are not lost, added, duplicated or improperly changed.
 Incorrect transactions are rejected, corrected and, if necessary, resubmitted on 8 timely basis.
b. Controls over processing and computer data files-designed to provide reasonable assurance that:
 Transactions, including System generated transactions, are properly processed by the computer.
 Transactions are not lost, added duplicated or improperly changed.
 Processing errors (i.e., rejected data and incorrect transactions) are identified and corrected on a
timely basis.
c. Controls over output-designed to provide reasonable assurance that:
 Results of processing are accurate,
 Access to output is restricted to authorized personnel.
 Output is provided to appropria te authorized personnel on a timely basis.
Review of general CIS controls

General CIS controls that relate to some or all applications are typically interdependent controls in that their
operation is often essential to the effectiveness of CIS application controls. Accordingly, it may be more efficient to
review the design of the general controls before reviewing the application controls.

Review of CIS application controls

CIS application controls which the auditor may wish to test include:
a. Manual controls exercised by the user
b. Controls over system output
c. Programmed control procedures

CIS ENVIRONMENTS - STAND-ALONE PERSONAL COMPUTERS

1. A personal computer (PC) can be used in various configurations. These indude:

a. a stand-alone workstation operated by a single user or a number of users at different times;
b. a workstation which is a part of a Local Area Network (LAN) of PCs, and
c. a workstation connected to a server.

2. In a stand-alone PC environment, it may not be practicable or cost-effective for management to implement

sufficient controls to reduce the risks of undetected error to a minimum level.

3. After obtaining the understanding of the accounting system and control environment, the auditor may find it
more cost-effective not to make a further review of general controls or application controls, but to concentrate
audit efforts on substantive procedures.

CIS ENVIRONMENTS - ON-LINE COMPUTER SYSTEMS

1. On-line computer systems are computer systems that enable users to access data and programs directly through
terminal devices.

2. On-line systems allow users to directly initiate various functions such as:
a. entering transactions
b. making inquiries
c. requesting reports
d. updating master files
e. electronic commerce activities

3. Types of terminals used in on-line systems:

A. General purpose terminals

1. Basic keyboard and screen 3. PCs
2. Intelligent terminal
3. PCs

B. Special purpose terminals

1. Point-of-sale devices
2. Automated Teller Machines (ATM)

4. Types of on-line computer systems:

 a. On-line/Real Time Processing
Individual transactions are entered at terminal devices, validated, and used to update related computer
files immediately.

b. On-line/Batch Processing
Individual transactions are entered at a terminal device, subjected to certain validation checks, and added
to a transaction file that contains other transactions entered during the period. Later, during a
subsequent processing cycle, the transaction file may be validated further and then used to undate
relevant master file.

c. On-line/Memo Update (and subsequent Processing)

o Combines on-line/real-time and on-line/batch processing.
o Individual transactions immediately update a memo file containing Information that - has been
extracted from the most recent version of the master file. Inquiries are made from this memo
file.
o These same transactions are added to a transaction file for subsequent validation and updating
of the master file on a batch basis.

d. On-line/Inquiry
o Restricts users at terminal devices to making inquiries of master file.
o Master files are updated by other systems, usually on a batch basis.

e. On-line Downloading/Uploading Processing

o On-line downloading refers to the transfer of data from a master file to an intelligent terminal
device for further processing by a user.

NETWORK ENVIRONMENT

1. A network environment is a communication system that enables computer users to share computer
equipment, application software, data, and voice and video transmissions.

2. A file server is a computer with an operating system that allows multiple users in a network to access
software applications and data files.

3. Basic types of networks

a. Local Area Network (LAN)

b. Wide Area Network (WAN)
c. Metropolitan Area Network (MAN)

CIS ENVIRONMENTS - DATABASE SYSTEMS

1. Database - A collection of data that is shared and used by many different users for different purposes.

2. Two components of database systems:

a. Database operates the database.
b. Database Management System (DBMS) - software that creates, maintains, and

3. Characteristics of database systems

a. Data sharing
b. Data independence
ELECTRONIC DATA INTERCHANGE (EDI) - the electronic exchange of transactions, from one entity's computer to
another entity's computer through an electronic communications network. In Electronic Fund Transfer (EFT)
Systems, for example, electronic transactions replace checks as a means of payment.

Page 5 of 12 Pages

EDI controls include:

a. Authentication - controls must exist over the origin, proper submission, and proper delivery of EDI
communications to ensure that the EDI messages are accurately sent and received to and from authorized
customers and suppliers.
b. Encryption - involves conversion of plain text data to cipher text data to make EDI messages unreadable to
unauthorized persons
c. VAN controls - A value added network (VAN) is a computer service organization that provides network,
storage, and forwarding (mailbox) services for EDI messages.

AUDIT APPROACHES
1. Auditing around the computer - the auditor ignores or bypasses the computer processing function of an
entity's EDP system.
2. Auditing with the computer - the computer is used as an audit tool.
3. Auditing through the computer - the auditor enters the client's system and examines directly the
computer and its system and application software.

COMPUTER ASSISTED AUDIT TECHNIQUES FOR TESTS OF CONTROLS

I. Program analysis - techniques that allow the auditor to gain an understanding of the client's program.
1. Code review-involves actual analysis of the logic of the program's processing routines.
2. Comparison programs - programs that allow the auditor to compare computerized files.
3. Flowcharting software - used to produce a flowchart of a program's logic and may be used both in
mainframe and microcomputer environments.
4. Program tracing and mapping - Program tracing is a technique in which instruction executed is listed
along with control information affecting that instruction. Program mapping identifies sections of code
which may be a potential source of abuse.
5. Snapshot – This technique "takes a picture of the status of program execution, intermediate results, or
transaction data at specified processing points in the program processing.

II. Program testing - involves the use of auditor-controlled actual or simulated data.

1. Historical audit techniques - test the audit computer controls at a point in time.

a. TEST DATA
A set of dummy transactions specifically designed to test the control activities that management claims to
have incorporated into the processing programs. Shifts control over processing to the auditor by using the
client's software to process auditor-prepared test data that includes both valid and invalid conditions. If
embedded controls are functioning properly, the client's software should detect all the exceptions
planted in the auditor's test data. Ineffective if the client does not use the software tested, .

b. BASE CASE SYSTEM EVALUATION (BCSE)

 Develops test data that purports to test every possible condition that an auditor expects a client's
software will confront
 Provides an auditor with much more assurance than test data alone, but expensive to develop and
therefore cost-effective only in large computer systems.
 c. INTEGRATED TEST FACILITY (ITF)
 A variation of test data whereby simulated data and actual data are run simultaneously with the
client's program and computer results are compared with auditor's predetermined results.
 It provides assurance that the software tested is actually used to prepare financial reports

d. PARALLEL SIMULATION
 It involves processing of client's live (actual) data utilizing an auditor's generalized audit software.
 If an entity's controls have been operating effectively, the client's software should generate the same
exceptions as the auditor's software.
 It should be performed on a surprise basis, if possible.

e. CONTROLLED REPROCESSING
 A variation of parallel simulation, it involves processing of actual client data through a copy of the
client's application program.

2. Continuous audit techniques - test the audit computer controls throughout a period.

a. AUDIT MODULES - programmed audit routines incorporated into an application program that are
designed to perform an audit function such as a calculation, or logging activity.
b. SYSTEMS CONTROL AUDIT REVIEW FILES (SCARFS) - logs that collect transaction information for
subsequent review and analysis by the auditor
c. AUDIT HOOKS - "exits in an entity's computer program that allows an auditor to insert commands for
audit processing.
d. TRANSACTION TAGGING - a transaction record is "tagged" and then traced through critical control
points in the information system.
e. EXTENDED RECORDS - this technique attaches additional audit data which would not otherwise be
saved to regular historic records and thereby helps to provide a more complete audit trail.

III. Review of operating system and other systems software

1. JOB ACCOUNTING DATA/OPERATING SYTEMS LOGS - these logs that track particular functions, include
reports of the resources used by the computer system. The auditor may be able to use them to review the
work processed, to determine whether unauthorized applications were processed and to determine that
authorized applications were processed properly.

2. LIBRARY MANAGEMENT SOFTWARE - this logs changes in programs, program modules, job control
language, and other processing activities.

3. ACCESS CONTROL AND SECURITY SOFTWARE - this restricts access to computers to authorized personnel
through techniques such as only allowing certain users with "read- only access or through use of
encryption.

COMPUTERIZED AUDIT TOOLS

1. Audit software - computer programs used to process data of audit significance from the client's accounting
system.

a. Package programs (also called generalized audit software) - programs that can be used in numerous clients. They
can be designed to perform different audit tasks such as:
1. reading computer files
2. selecting samples
3. performing calculations
4. creating data files
5. Printing reports in an auditor-specified format

b. Purpose-written programs (also called special-purpose or custom-designed programs) computer programs

designed for specific audit tasks.

c. Utility programs - part of the systems software that perform routine CIS tasks. They are generally NOT designed
for audit purposes.

2. Electronic spreadsheets - contain a variety of predefined mathematical operations and functions that can be
applied to data entered into the cells of a spreadsheet.

3. Automated workpaper software - designed to generate a trial balance, lead schedules, and other reports useful
for the audit. The schedules and reports can be created once the auditor has either manually entered or
electronically imported through using the client's account balance information into the system.

4. Text retrieval software - allow the user to view any text that is available in an electronic format. The software
program allows the user to browse through text files much as a user would browse through books.

5. Database management systems - manage the creation, maintenance, and processing of information. The data
are organized in the form of predefined records, and the database software is used to select, update, sort, display,
or print the records.

6. Public databases - may be used to obtain accounting information related to particular companies and industries.

7. Word processing software

FACTORS TO CONSIDER IN USING CAAT

1. Degree of technical competence in CIS.

2. Availability of CAAT and appropriate computer facilities.
3. Impracticability of manual tests.
4. Effectiveness and efficiency.
5. Timing of tests - The auditor should make arrangements with the client for the retention of the needed data or
to time the work when such data are available.

Controlling the CAAT application

Procedures to control the use of AUDIT SOFTWARE may include:

1. Participating in the design and testing of computer programs.

2. Checking the coding of the program.
3. Requesting the client's CIS personnel to review the operating system instructions.
4. Running the audit software on small test files before running them on main data files.
5. Ensuring that the correct files were used.
6. Obtaining evidence that the audit software functioned as planned.
7. Establishing appropriate security measures to safeguard against manipulation of the entity's data files.

Procedures to control the use of TEST DATA may include:

1. Controlling the sequence of submission of test data where it spans several processing cycles 2. Performing test
runs.
3. Predicting the results of test data.
4. Confirming that the current version of the program was used
5. Obtaining reasonable assurance that the programs used to process the test data were used by the entity
throughout the applicable audit period.

MULTIPLE CHOICE QUESTIONS

1. Which of the following characteristics distinguishes computer processing from manual processing?
A. Computer processing virtually eliminates the occurrence of computational error normally associated with
manual processing.
B. Errors or fraud in computer processing will be detected soon after their occurrences.
C. The potential for systematic error is ordinarily greater in manual processing than in computerized
processing.
D. Most computer systems are designed so that transaction trails useful for audit purposes do not exist.

2. Which of the following is correct concerning online batch processing of transactions?

A. Transactions are processed in the order they occur, regardless of type.
B. It has largely been replaced by on-line real-time processing in all but legacy systems.
C. It is more likely to result in an easy-to-follow audit trail than is on-line transaction processing.
D. It is used only in nondatabase applications.

3. Which of the following procedures would an entity most likely include in its computer disaster recovery plan?
A. Develop an auxiliary power supply to provide uninterrupted electricity.
B. Store duplicate copies of critical files in a location away from the computer center.
C. Maintain a listing of entity passwords with the network manager.
D. Translate data for storage purposes with a cryptographic secret code.

4. What technology is needed in order to convert a paper document into a computer file?
A. Optical character recognition
B. Electronic data interchange
C. Bar-coding scanning
D. Joining and merging

5. Misstatements in a batch computer system caused by incorrect programs or data may not be detected
immediately because
A. Errors in some transactions may cause rejection of other transactions in the batch.
B. The identification of errors in input data typically is not a part of the program.
C. There are time delays in processing transactions in a batch system.
D. The processing of transactions in a batch system is not uniform.

6. A client is concerned that a power outage or disaster could impair the computer hardware's ability to function as
designed. The client desires off-site back-up hardware facilities that are fully configured and ready to operate
within several hours. The client most likely should consider a
A. Cold site.
B. Cool site.
C. Warm site.
D. Hot Site

7. What type of computer system is characterized by data that are assembled from more than one location and
records that are updated immediately?
A. Microcomputer system
B. Minicomputer system
C. Batch processing system
D. On-line, real-time system
8. End-user computing is most likely to occur on which of the following types of computers?

A. Mainframe
B. Minicomputers
C. Personal computers
D. Personal reference assistants

9. Which of the following statements most likely represents a disadvantage for an entity that keeps
microcomputer-prepared data files rather than manually prepared files?
A. Random error associated with processing similar transactions in different ways is usually greater.
B. It is usually more difficult to compare recorded accountability with physical count of assets
C. Attention is focused on the accuracy of the programming process rather than errors in individual transactions.
D. It is usually easier for unauthorized persons to access and alter the files.

10. To avoid invalid data input, a bank added an extra number at the end of each account number and subjected
the new number to an algorithm. This technique is known as
A. Optical character recognition
B. A check digit
C. A dependency check
D. A format check

11. Preventing someone with sufficient technical skill from circumventing security procedures and making changes
to production programs is best accomplished by
A. Reviewing reports of jobs completed.
B. Comparing production programs with independently controlled copies.
C. Running test data periodically.
D. Providing suitable segregation of duties.

12. Which of the following controls is a processing control designed to ensure the reliability and accuracy of data
processing?

Limit test Validity check test

A. Yes Yes
B. No No
C. No Yes
D. Yes No

13. Which of the following activities would most likely be performed in the information systems department?

A. Initiation of changes to master records.

B. Conversion of information to machine-readable form.
C. Correction of transactional errors.
D. Initiation of changes to existing applications.

14. When computer programs or files can be accessed from terminals, users should be required to enter a(n)

A. Parity check
B. Personal identification code
C. Self-diagnosis test
D. Echo check
15. Which of the following most likely represents a significant deficiency in internal control?

A. The systems analyst reviews applications of data processing and maintains systems documentation.
B. The systems programmer designs systems for computerized applications and maintains output controls.
C. The control clerk establishes control over data received by the information systems department and reconciles
control totals after processing.
D. The accounts payable clerk prepares data for computer processing and enters the data into the computer.

16. Internal control is ineffective when computer department personnel

A. Participate in computer software acquisition decisions.
B. Design documentation for computerized systems.
C. Originate changes in master files.
D. Provide physical security for program files.

17. An auditor would most likely be concerned with which of the following controls distributed data processing
system?
A. Hardware controls
B. Systems documentation controls
C. Access Controls
D. Disaster recovery controls

18. An auditor anticipates assessing control risk at a low level in a computerized environment. Under these
circumstances, on which of the following activities would the auditor initially focus?
A. Programmed control activities
B. Application control activities
C. Output control activities
D. General control activities

19. Auditing by testing the input and output of a computer system instead of program itself will
A. Not detect program errors which do not show up in the output sampled.
B. Detect all program errors, regardless of the nature of the output.
C. Provide the auditor with the same type of evidence.
D. Not provide the auditor with confidence in the results of the auditing procedures.

20. In creating lead schedules for an audit engagement, a CPA often uses automated work paper. What client
information is needed to begin this process?
A. Interim financial information such as third quarter sales, net income, and inventory and receivable balances.
B. Specialized journal information such as the invoice and purchase order numbers of the last few sales and
purchases of the year.
C. General ledger information such as account numbers, prior year account balances, and current year
unadjusted information.
D. Adjusting entry information such as deferrals and accruals, and reclassification journal entries.