Module I - Lesson 2

This document provides an introduction to information technology (IT) audits. It begins by outlining the learning objectives, which include explaining basic IT audit principles and concepts, gaining knowledge on irregular acts and legal issues in IT auditing, and describing the IT audit process. The document then discusses different types of audits, including external financial audits and internal audits. It also covers the audit process as a systematic approach and the phases of an IT audit, including planning, risk assessment, fieldwork, and reporting. Additional topics include internal controls, risk assessment, information and communication, monitoring, control activities, general controls, and ensuring financial data integrity.


Auditing in CIS Environment

Module I: Introduction to Information Technology (IT) Audit

MODULE IV: INTRODUCTION TO INFORMATION TECHNOLOGY (IT) AUDIT

Module Author
JUDE CAPONPON, CPA, MBA, CTT

Accountancy Department
College of Business Administration and Accountancy
De La Salle University – Dasmarinas

TABLE OF CONTENTS

TODAY’S GOSPEL
LEARNING OBJECTIVES
LESSON 1 AUDITING AND IT AUDIT CONCEPTS, PRINCIPLES, TYPES AND PROCESSES
    Objectives
    Introduction
    Activating Prior Knowledge
    Acquiring New Knowledge
        Types of Audits
        Auditing as a Systematic Process
        The Information Technology (IT) Audit
        Phases of an Information Technology (IT) Audit
        Internal Control Objectives, Principles, and Models
        Risk Assessment
        Information and Communication
        Monitoring
        Control Activities
        Categories of Control Activities
        General Controls
Formative Assessment
References

LEARNING OBJECTIVES:
While going through the module, the students are expected to:
1. Write a brief reflection about the Gospel;
2. Answer the motivation question;
3. Explain the basic principles and concepts in IT and IT Audit, building awareness of
the significant role of auditing in actual business operations;
4. Gain knowledge on the irregular acts and legal issues in Audit in a CIS Environment;
5. Describe the audit process in a CIS Environment.

TODAY’S GOSPEL

Psalm 23:1-6
“The Lord is my shepherd, I lack nothing. He makes me lie down in green pastures, he leads me
beside quiet waters, he refreshes my soul. He guides me along the right paths for his name’s
sake. Even though I walk through the darkest valley, I will fear no evil, for you are with me; your
rod and your staff, they comfort me. You prepare a table before me in the presence of my
enemies. You anoint my head with oil; my cup overflows. Surely your goodness and love will
follow me all the days of my life, and I will dwell in the house of the Lord forever.”

LESSON 2 AUDITING AND IT AUDIT CONCEPTS, PRINCIPLES, TYPES AND PROCESSES

Objectives
1. Know the difference between attest services and advisory services and be able to explain
the relationship between the two
2. Understand the structure of an audit and have a firm grasp of the conceptual elements of
the audit process
3. Understand internal control categories presented in the COSO framework
4. Understand the relationship between general controls, application controls, and financial
data integrity

Introduction
Business organizations undergo different types of audits for different purposes. The most
common of these are external (financial) audits and internal audits.

A Financial Audit is an independent, objective evaluation of an organization's financial reports and
financial reporting processes. The primary purpose of financial audits is to give regulators,
investors, directors, and managers reasonable assurance that financial statements are accurate
and complete.

The official organization representing and certifying internal auditors, The Institute of Internal
Auditors (or IIA), defines Internal Auditing as 'an independent, objective assurance and
consulting activity designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control, and governance processes.'

Activating Prior Knowledge


An Information System is a collection of hardware, software, data, people, and procedures
designed to support data-intensive applications and generate information that supports the day-
to-day, short-range, and long-range activities of users in an organization.

An Accounting Information System consists of the records and methods used to initiate,
identify, analyze, classify, and record the organization’s transactions and to account for the
related assets and liabilities. The quality of the information that the accounting information system
generates impacts management’s ability to take actions and make decisions in connection with
the organization’s operations and to prepare reliable financial statements.

Acquiring New Knowledge


Types of Audits

External Audit
An external audit is an independent attestation performed by an expert—the auditor—who
expresses an opinion regarding the presentation of financial statements. This task, known as the
attest service, is performed by Certified Public Accountants (CPAs) who work for public
accounting firms that are independent of the client organization being audited. The audit
objective is always associated with assuring the fair presentation of financial statements. These
audits are, therefore, often referred to as financial audits. The Securities and Exchange
Commission (SEC) requires all publicly traded companies to be subject to a financial audit
annually. CPAs conducting such audits represent the interests of outsiders: stockholders,
creditors, government agencies, and the general public.

The CPA’s role is similar in concept to a judge who collects and evaluates evidence and renders
an opinion. A key concept in this process is independence. The judge must remain independent
in his or her deliberations. The judge cannot be an advocate of either party in the trial, but must
apply the law impartially based on the evidence presented. Likewise, the independent auditor
collects and evaluates evidence and renders an opinion based on the evidence. Throughout the
audit process, the auditor must maintain independence from the client organization. Public
confidence in the reliability of the company’s internally produced financial statements rests
directly on an evaluation of them by an independent auditor.

The external auditor must follow strict rules in conducting financial audits. These authoritative
rules have been defined by the SEC, the Financial Accounting Standards Board (FASB), the
AICPA, and by federal law (Sarbanes-Oxley [SOX] Act of 2002). With the passage of SOX,
Congress established the Public Company Accounting Oversight Board (PCAOB), which has to
a great extent replaced the function served by the FASB, and some of the functions of the
AICPA (e.g., setting standards and issuing reprimands and penalties for CPAs who are convicted
of certain crimes or guilty of certain infractions). Regardless, under federal law, the SEC has
final authority for financial auditing.

Internal Audit
The Institute of Internal Auditors (IIA) defines internal auditing as an independent appraisal
function established within an organization to examine and evaluate its activities as a service to
the organization. Internal auditors perform a wide range of activities on behalf of the
organization, including conducting financial audits, examining an operation’s compliance with
organizational policies, reviewing the organization’s compliance with legal obligations,
evaluating operational efficiency, and detecting and pursuing fraud within the firm.

An internal audit is typically conducted by auditors who work for the organization, but this task
may be outsourced to other organizations. Internal auditors are often certified as a Certified
Internal Auditor (CIA) or a Certified Information Systems Auditor (CISA). While internal
auditors self-impose independence to perform their duties effectively, they represent the interests
of the organization. These auditors generally answer to executive management of the
organization or the audit committee of the board of directors, if one exists. The standards,
guidance, and certification of internal audits are governed mostly by the Institute of Internal
Auditors (IIA) and, to a lesser degree, by the Information Systems Audit and Control Association
(ISACA).

Fraud Audits
In recent years, fraud audits have, unfortunately, increased in popularity as a corporate
governance tool. They have been thrust into prominence by a corporate environment in which
both employee theft of assets and major financial frauds by management (e.g., Enron,
WorldCom, etc.) have become rampant. The objective of a fraud audit is to investigate anomalies
and gather evidence of fraud that may lead to criminal conviction. Sometimes fraud audits are
initiated by corporate management who suspect employee fraud. Alternatively, boards of
directors may hire fraud auditors to look into their own executives if theft of assets or financial
fraud is suspected. Organizations victimized by fraud usually contract with specialized fraud
units of public accounting firms or with companies that specialize in forensic accounting.
Typically, fraud auditors have earned the Certified Fraud Examiner (CFE) certification, which is
governed by the Association of Certified Fraud Examiners (ACFE).

Generally Accepted Auditing Standards

Auditing as a Systematic Process


Conducting an audit is a systematic and logical process that applies to all forms of information
systems. While important in all audit settings, a systematic approach is particularly important in
the IT environment. The lack of physical procedures that can be visually verified and evaluated
injects a high degree of complexity into the IT audit (e.g., the audit trail may be purely
electronic, in a digital form, and thus invisible to those attempting to verify it). Therefore, a
logical framework for conducting an audit in the IT environment is critical to help the auditor
identify all important processes and data files.

Audit Objectives and Audit Procedures Based on Management Assertions

The Information Technology (IT) Audit


The public expression of the auditor’s opinion is the culmination of a systematic financial audit
process that involves three conceptual phases: audit planning, tests of controls, and substantive
testing. Figure 1.1 illustrates the steps involved in these phases. An IT audit focuses on the
computer-based aspects of an organization’s information system; and modern systems employ
significant levels of technology. For example, transaction processing is automated and performed
in large part by computer programs. Similarly source documents, journals, and ledgers that
traditionally were paper-based are now digitized and stored in relational databases. As we will
see later, the controls over these processes and databases become central issues in the financial
audit process.

Phases of an Information Technology (IT) Audit

Audit Planning
The first step in the IT audit is audit planning. Before the auditor can determine the nature and
extent of the tests to perform, he or she must gain a thorough understanding of the client’s
business. A major part of this phase of the audit is the analysis of audit risk. The auditor’s
objective is to obtain sufficient information about the firm to plan the other phases of the audit.
The risk analysis incorporates an overview of the organization’s internal controls. During the
review of controls, the auditor attempts to understand the organization’s policies, practices, and
structure. In this phase of the audit, the auditor also identifies the financially significant
applications and attempts to understand the controls over the primary transactions that are
processed by these applications.

The techniques for gathering evidence at this phase include conducting questionnaires,
interviewing management, reviewing systems documentation, and observing activities. During
this process, the IT auditor must identify the principal exposures and the controls that attempt to
reduce these exposures. Having done so, the auditor proceeds to the next phase, where he or she
tests the controls for compliance with pre-established standards.

Tests of Controls
The objective of the tests of controls phase is to determine whether adequate internal controls are
in place and functioning properly. To accomplish this, the auditor performs various tests of
controls. The evidence-gathering techniques used in this phase may include both manual
techniques and specialized computer audit techniques. We shall examine several such methods
later in this text.

At the conclusion of the tests-of-controls phase, the auditor must assess the quality of the internal
controls by assigning a level for control risk. As previously explained, the degree of reliance that
the auditor can ascribe to internal controls will affect the nature and extent of substantive testing
that needs to be performed.

Substantive Testing
The third phase of the audit process focuses on financial data. This phase involves a detailed
investigation of specific account balances and transactions through what are called substantive
tests. For example, a customer confirmation is a substantive test sometimes used to verify
account balances. The auditor selects a sample of accounts receivable balances and traces these
back to their source—the customers—to determine if the amount stated is in fact owed by a bona
fide customer. By so doing, the auditor can verify the accuracy of each account in the sample.
Based on such sample findings, the auditor is able to draw conclusions about the fair value of the
entire accounts receivable asset. Some substantive tests are physical, labor-intensive activities,
such as counting cash, counting inventories in the warehouse, and verifying the existence of
stock certificates in a safe. In an IT environment, the data needed to perform substantive tests
(such as account balances and names and addresses of individual customers) are contained in
data files that often must be extracted using Computer-Assisted Audit Tools and Techniques
(CAATTs) software. In a later chapter of this text, we will examine the role of CAATTs in
performing traditional substantive tests and other data analysis and reporting tasks.

Internal Control Objectives, Principles, and Models


The establishment and maintenance of a system of internal control is an important management
obligation. A fundamental aspect of management’s stewardship responsibility is to provide
shareholders with reasonable assurance that the business is adequately controlled. Additionally,
management has a responsibility to furnish shareholders and potential investors with reliable
financial information on a timely basis.

An organization’s internal control system comprises policies, practices, and procedures to
achieve four broad objectives:

1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.

Objectives
The internal control system should provide reasonable assurance that the four broad objectives of
internal control are met. This reasonableness means that the cost of achieving improved control
should not outweigh its benefits.

The internal control system should achieve the four broad objectives regardless of the data
processing method used (whether manual or computer based). However, the specific techniques
used to achieve these objectives will vary with different types of technology.

Limitations
Every system of internal control has limitations on its effectiveness:

1. The possibility of error
2. Circumvention by personnel
3. Management override of control procedures
4. Changing conditions over time

Management’s Responsibility

PDC Model

Preventive Controls
Prevention is the first line of defense in the control structure. Preventive controls are passive
techniques designed to reduce the frequency of occurrence of undesirable events. Preventive
controls force compliance with prescribed or desired actions and thus screen out aberrant events.
When designing internal control systems, an ounce of prevention is most certainly worth a pound
of cure. Preventing errors and fraud is far more cost-effective than detecting and correcting
problems after they occur. The vast majority of undesirable events can be blocked at this first
level. A well-designed data entry screen, for example, is a preventive control. The
logical layout of the screen into zones that permit only specific types of data, such as customer
name, address, items sold, and quantity, forces the data entry clerk to enter the required data and
prevents necessary data from being omitted.

Detective Controls
Detection of problems is the second line of defense. Detective controls are devices, techniques,
and procedures designed to identify and expose undesirable events that elude preventive
controls. Detective controls reveal specific types of errors by comparing actual occurrences to
pre-established standards. When the detective control identifies a departure from standard, it
sounds an alarm to attract attention to the problem.

For example, assume that because of a data entry error, a customer sales order record contains
the following data:

Quantity    Unit Price    Total
10          P 10          P 1,000

Before processing this transaction and posting to the accounts, a detective control should
recalculate the total value from the price and quantity. The error above would thus be detected.

Corrective Controls
Corrective actions must be taken to reverse the effects of detected errors. There is an important
distinction between detective controls and corrective controls. Detective controls identify
undesirable events and draw attention to the problem; corrective controls actually fix the
problem. For any detected error, there may be more than one feasible corrective action, but the
best course of action may not always be obvious. For example, in viewing the preceding error,
your first inclination may have been to change the total value from P1,000 to P100 to correct the
problem. This presumes that the quantity and price values in the record are correct; they may not
be. At this point, we cannot determine the real cause of the problem; we know only that one
exists.

Linking a corrective action to a detected error, as an automatic response, may result in an
incorrect action that causes a worse problem than the original error. For this reason, error
correction should be viewed as a separate control step that should be taken cautiously.
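The preventive, detective and corrective pattern described above can be exercised over a small batch of sales order records. The following Python is an added example written for this page, not code from the module or its author; the SalesOrder record layout, the function names and the three constructed orders (one of them the 10 x P 10 = P 1,000 entry from the text) are assumptions. It validates each record before it is accepted (preventive), recomputes the total from quantity and unit price (detective), and holds any mismatch for manual review instead of auto-correcting it, since the check cannot tell which of the three fields is wrong.

```python
"""Preventive, detective and corrective controls over sales order records.

Added example, not from the module: a constructed batch of sales orders is
run through a preventive input check, a detective recalculation, and a
corrective step that holds exceptions for review rather than fixing them.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Constructed record layout (assumption, not the module's own data model).
@dataclass(frozen=True)
class SalesOrder:
    order_id: str
    customer_name: str
    quantity: int
    unit_price: Decimal
    total: Decimal

REQUIRED_FIELDS = ("order_id", "customer_name", "quantity", "unit_price", "total")


def preventive_validate(raw: dict) -> SalesOrder:
    """Preventive control: like a zoned data entry screen, accept only records
    that carry every required field with a usable value, so malformed input
    never enters processing. Raises ValueError when a record is rejected."""
    missing = [f for f in REQUIRED_FIELDS if raw.get(f) in ("", None)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    try:
        qty = int(raw["quantity"])
        price = Decimal(str(raw["unit_price"]))
        total = Decimal(str(raw["total"]))
    except (ValueError, ArithmeticError) as exc:  # decimal.InvalidOperation is an ArithmeticError
        raise ValueError(f"non-numeric field: {exc}") from exc
    if qty <= 0 or price < 0 or total < 0:
        raise ValueError("quantity must be positive; amounts cannot be negative")
    return SalesOrder(str(raw["order_id"]), str(raw["customer_name"]), qty, price, total)


def detective_check(order: SalesOrder) -> Optional[str]:
    """Detective control: recompute quantity * unit price and compare it with
    the stored total. Returns a description of the exception, or None."""
    expected = order.quantity * order.unit_price
    if expected != order.total:
        return (f"{order.order_id}: stored total {order.total} != "
                f"quantity {order.quantity} x unit price {order.unit_price} = {expected}")
    return None


def process_batch(raw_orders):
    """Run the preventive and detective controls over a batch.

    Returns (posted, rejected, held). Records failing the detective check are
    held for a separate corrective step and are never altered here: the
    mismatch could be in the quantity, the price or the total."""
    posted, rejected, held = [], [], []
    for raw in raw_orders:
        try:
            order = preventive_validate(raw)
        except ValueError as exc:
            rejected.append((raw.get("order_id"), str(exc)))
            continue
        exception = detective_check(order)
        if exception:
            held.append(exception)
        else:
            posted.append(order)
    return posted, rejected, held


# Constructed sample batch: a clean order, the lesson's 10 x P 10 = P 1,000
# mismatch, and a record that omits the customer name.
SAMPLE_BATCH = [
    {"order_id": "SO-1", "customer_name": "Acme", "quantity": 3, "unit_price": "25.00", "total": "75.00"},
    {"order_id": "SO-2", "customer_name": "Baker", "quantity": 10, "unit_price": "10", "total": "1000"},
    {"order_id": "SO-3", "customer_name": "", "quantity": 1, "unit_price": "5", "total": "5"},
]

if __name__ == "__main__":
    posted, rejected, held = process_batch(SAMPLE_BATCH)
    print("posted:", [o.order_id for o in posted])
    print("rejected by preventive control:", rejected)
    print("held for review by detective control:", held)
```

Running the block posts SO-1, rejects SO-3 before it reaches the detective check, and holds SO-2 with a message stating the recomputed value. Amounts are kept as Decimal rather than float so that the recalculation is exact and a genuine P 100 total is never flagged because of floating-point rounding.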

COSO Internal Control Framework


The COSO framework consists of five components: the control environment, risk assessment,
information and communication, monitoring, and control activities.

The Control Environment
The control environment is the foundation for the other four control components. The control
environment sets the tone for the organization and influences the control awareness of its
management and employees. Important elements of the control environment are:

 The integrity and ethical values of management.
 The structure of the organization.
 The participation of the organization’s board of directors and the audit committee, if one exists.
 Management’s philosophy and operating style.
 The procedures for delegating responsibility and authority.
 Management’s methods for assessing performance.
 External influences, such as examinations by regulatory agencies.
 The organization’s policies and practices for managing its human resources.

SAS 109 requires that auditors obtain sufficient knowledge to assess the attitude and awareness
of the organization’s management, board of directors, and owners regarding internal control. The
following paragraphs provide examples of techniques that may be used to obtain an
understanding of the control environment.

1. Auditors should assess the integrity of the organization’s management and may use
investigative agencies to report on the backgrounds of key managers. Some of the “Big
Four” public accounting firms employ former FBI agents whose primary responsibility is
to perform background checks on existing and prospective clients. If cause for serious
reservations comes to light about the integrity of the client, the auditor should withdraw
from the audit. The reputation and integrity of the company’s managers are critical
factors in determining the auditability of the organization. Auditors cannot function
properly in an environment in which client management is deemed unethical and corrupt.
2. Auditors should be aware of conditions that would predispose the management of an
organization to commit fraud. Some of the obvious conditions may be lack of sufficient
working capital, adverse industry conditions, bad credit ratings, and the existence of
extremely restrictive conditions in bank or indenture agreements. If auditors encounter
any such conditions, their examination should give due consideration to the possibility of
fraudulent financial reporting. Appropriate measures should be taken, and every attempt
should be made to uncover any fraud.
3. Auditors should understand a client’s business and industry and should be aware of
conditions peculiar to the industry that may affect the audit. Auditors should read
industry-related literature and familiarize themselves with the risks that are inherent in
the business.
4. The board of directors should adopt, as a minimum, the provisions of SOX. In addition,
the following guidelines represent established best practices.
 Separate CEO and chairman. The roles of CEO and board chairman should be
separate. Executive sessions give directors the opportunity to discuss issues
without management present, and an independent chairman is important in
facilitating such discussions.
 Set ethical standards. The board of directors should establish a code of ethical
standards from which management and staff will take direction. At a minimum, a
code of ethics should address such issues as outside employment conflicts,
acceptance of gifts that could be construed as bribery, falsification of financial
and/or performance data, conflicts of interest, political contributions,
confidentiality of company and customer data, honesty in dealing with internal
and external auditors, and membership on external boards of directors.
 Establish an independent audit committee. The audit committee is responsible for
selecting and engaging an independent auditor, ensuring that an annual audit is
conducted, reviewing the audit report, and ensuring that deficiencies are
addressed. Large organizations with complex accounting practices may need to
create audit subcommittees that specialize in specific activities.
 Compensation committees. The compensation committee should not be a rubber
stamp for management. Excessive use of short-term stock options to compensate
directors and executives may result in decisions that influence stock prices at the
expense of the firm’s long-term health. Compensation schemes should be
carefully evaluated to ensure that they create the desired incentives.
 Nominating committees. The board nominations committee should have a plan to
maintain a fully staffed board of directors with capable people as it moves
forward for the next several years. The committee must recognize the need for
independent directors and have criteria for determining independence. For
example, under its newly implemented governance standards, General Electric
(GE) considers directors independent if the sales to, and purchases from, GE total
less than 1 percent of the revenue of the companies for which they serve as
executives. Similar standards apply to charitable contributions from GE to any
organization on which a GE director serves as officer or director. In addition, the
company has set a goal that two-thirds of the board will be independent
nonemployees.
 Access to outside professionals. All committees of the board should have access
to attorneys and consultants other than the corporation’s normal counsel and
consultants. Under the provisions of SOX, the audit committee of an SEC
reporting company is entitled to such representation independently.

Risk Assessment
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to
financial reporting. Risks can arise or change from circumstances such as:

 Changes in the operating environment that impose new or changed competitive pressures
on the firm.
 New personnel who have a different or inadequate understanding of internal control.
 New or reengineered information systems that affect transaction processing.
 Significant and rapid growth that strains existing internal controls.
 The implementation of new technology into the production process or information system
that impacts transaction processing.
 The introduction of new product lines or activities with which the organization has little
experience.
 Organizational restructuring resulting in the reduction and/or reallocation of personnel
such that business operations and transaction processing are affected.
 Entering into foreign markets that may impact operations (that is, the risks associated
with foreign currency transactions).
 Adoption of a new accounting principle that impacts the preparation of financial
statements.

SAS 109 requires that auditors obtain sufficient knowledge of the
organization’s risk assessment procedures to understand how management identifies,
prioritizes, and manages the risks related to financial reporting.

Information and Communication


The accounting information system consists of the records and methods used to initiate, identify,
analyze, classify, and record the organization’s transactions and to account for the related assets
and liabilities. The quality of information that the accounting information system generates
impacts management’s ability to take actions and make decisions in connection with the
organization’s operations and to prepare reliable financial statements. An effective accounting
information system will:

 Identify and record all valid financial transactions.
 Provide timely information about transactions in sufficient detail to permit proper
classification and financial reporting.
 Accurately measure the financial value of transactions so their effects can be recorded in
financial statements.
 Accurately record transactions in the time period in which they occurred.

SAS 109 requires that auditors obtain sufficient knowledge of the organization’s information
system to understand:

• The classes of transactions that are material to the financial statements and how those transactions are initiated.
• The accounting records and accounts that are used in the processing of material transactions.
• The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements.
• The financial reporting process used to prepare financial statements, disclosures, and accounting estimates.

Monitoring
Management must determine that internal controls are functioning as intended. Monitoring is the
process by which the quality of internal control design and operation can be assessed. This may
be accomplished by separate procedures or by ongoing activities.

An organization’s internal auditors may monitor the entity’s activities in separate procedures.
They gather evidence of control adequacy by testing controls and then communicate control
strengths and weaknesses to management. As part of this process, internal auditors make specific
recommendations for improvements to controls.

Ongoing monitoring may be achieved by integrating special computer modules into the
information system that capture key data and/or permit tests of controls to be conducted as part
of routine operations. Embedded modules thus allow management and auditors to maintain
constant surveillance over the functioning of internal controls.

Another technique for achieving ongoing monitoring is the judicious use of management reports.
Timely reports allow managers in functional areas such as sales, purchasing, production, and
cash disbursements to oversee and control their operations. By summarizing activities,
highlighting trends, and identifying exceptions from normal performance, well-designed
management reports provide evidence of internal control function or malfunction.
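The following is an added illustration of the two ongoing-monitoring techniques just described (an embedded module that tests controls during routine processing, and a management report that summarizes activity and highlights exceptions). It is not code from this module or from any product; the functional areas, approval thresholds, control tests and sample transactions are all constructed for the example.

```python
"""Embedded audit module for ongoing monitoring (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Transaction:
    txn_id: str
    area: str                  # functional area: sales, purchasing, cash_disbursements
    amount: float
    entered_by: str
    approved_by: Optional[str] = None


@dataclass
class AuditLog:
    """Key data the embedded module captures while transactions are processed."""
    exceptions: list = field(default_factory=list)
    activity: dict = field(default_factory=lambda: defaultdict(lambda: {"count": 0, "total": 0.0}))


# Assumed thresholds above which a second person must approve a transaction.
APPROVAL_THRESHOLD = {"sales": 5000.0, "purchasing": 2500.0, "cash_disbursements": 1000.0}


def control_tests(txn: Transaction) -> list:
    """Run the control tests for one transaction; return (control, detail) failures."""
    failures = []
    limit = APPROVAL_THRESHOLD.get(txn.area)
    if limit is None:
        return [("valid_area", f"unknown functional area {txn.area!r}")]
    if txn.amount <= 0:
        failures.append(("positive_amount", f"amount {txn.amount} is not positive"))
    if txn.amount > limit and txn.approved_by is None:
        failures.append(("approval_required", f"amount {txn.amount} exceeds {limit} with no approval"))
    if txn.approved_by is not None and txn.approved_by == txn.entered_by:
        failures.append(("segregation", f"{txn.entered_by} both entered and approved"))
    return failures


def process(txns, log: AuditLog) -> AuditLog:
    """Routine processing with the audit module embedded in it.

    Every transaction is tested as it passes through.  Failures are captured in
    the log rather than halting processing, so management and auditors get a
    continuous record of how the controls are functioning.
    """
    for t in txns:
        stats = log.activity[t.area]
        stats["count"] += 1
        stats["total"] += t.amount
        for control, detail in control_tests(t):
            log.exceptions.append({"txn_id": t.txn_id, "area": t.area,
                                   "control": control, "detail": detail})
    return log


def management_report(log: AuditLog) -> dict:
    """Summarise activity by functional area and highlight the exceptions."""
    report = {}
    for area, stats in log.activity.items():
        exc = [e for e in log.exceptions if e["area"] == area]
        flagged = {e["txn_id"] for e in exc}          # distinct transactions with a failure
        report[area] = {
            "count": stats["count"],
            "total": round(stats["total"], 2),
            "exception_rate": round(len(flagged) / stats["count"], 2),
            "exceptions": exc,
        }
    return report


# Constructed sample transactions (not real data).
SAMPLE = [
    Transaction("S-1001", "sales", 1200.00, "alice"),                  # passes
    Transaction("S-1002", "sales", 8000.00, "alice"),                  # needs approval
    Transaction("P-2001", "purchasing", 3000.00, "bob", "bob"),        # self-approved
    Transaction("P-2002", "purchasing", 900.00, "bob", "carol"),       # passes
    Transaction("D-3001", "cash_disbursements", -50.00, "dave"),       # bad amount
]


def run_sample() -> dict:
    """Process the sample batch and return the management report."""
    return management_report(process(SAMPLE, AuditLog()))


if __name__ == "__main__":
    for area, summary in run_sample().items():
        print(area, summary["count"], summary["total"], summary["exception_rate"])
        for e in summary["exceptions"]:
            print("   ", e["txn_id"], e["control"], e["detail"])
```

The design point is that the module records exceptions without stopping the transaction stream: a monitoring control that blocked processing would be a preventive control, whereas ongoing monitoring is meant to give management a continuous picture of whether the existing controls are working.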

Control Activities
Control activities are the policies and procedures used to ensure that appropriate actions are
taken to deal with the organization’s identified risks. Control activities can be grouped into two
distinct categories: physical controls and information technology (IT) controls.

Categories of Control Activities

Physical Controls
This class of controls relates primarily to the human activities employed in accounting
systems. These activities may be purely manual, such as the physical custody of assets, or
they may involve the physical use of computers to record transactions or update accounts.
Physical controls do not relate to the computer logic that actually performs accounting
tasks. Rather, they relate to the human activities that trigger and utilize the results of
those tasks. In other words, physical controls focus on people, but are not restricted to an
environment in which clerks update paper accounts with pen and ink. Virtually all
systems, regardless of their sophistication, employ human activities that need to be
controlled.

a. Transaction Authorization. The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives.

Authorizations may be general or specific. General authority is granted to operations personnel to perform day-to-day activities. An example of general authorization is the
procedure to authorize the purchase of inventories from a designated vendor only
when inventory levels fall to their predetermined reorder points. This is called a
programmed procedure (not necessarily in the computer sense of the word) in which
the decision rules are specified in advance, and no additional approvals are required.
On the other hand, specific authorizations deal with case-by-case decisions associated
with non-routine transactions. An example of this is the decision to extend a
particular customer’s credit limit beyond the normal amount. Specific authority is
usually a management responsibility.

b. Segregation of Duties. One of the most important control activities is the segregation
of employee duties to minimize incompatible functions. Segregation of duties can
take many forms, depending on the specific duties to be controlled.
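As an added example of the two physical controls just described (general versus specific transaction authorization, and segregation of duties), the code below encodes a programmed reorder-point purchase rule, a management-only credit-limit override, and a review of employee duty assignments against incompatible duty pairs. It is not code from this module; the reorder points, designated vendors, standard credit limit, manager list and the authorize/custody/record duty pairs are assumptions made for the example.

```python
"""Transaction authorization and segregation-of-duties checks (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# General authorization: decision rules specified in advance (assumed data).
REORDER_POINT = {"WIDGET": 100, "GADGET": 50}
DESIGNATED_VENDOR = {"WIDGET": "V-ACME", "GADGET": "V-GLOBEX"}

# Specific authorization: case-by-case decisions reserved for management (assumed).
MANAGERS = {"mgr_kim", "mgr_ali"}
STANDARD_CREDIT_LIMIT = 10_000.0

# Incompatible duty pairs (authorizing, custody of assets, recording), assumed
# here as the rule set a segregation-of-duties review would apply.
INCOMPATIBLE = {frozenset(p) for p in
                [("authorize", "custody"), ("custody", "record"), ("authorize", "record")]}


@dataclass(frozen=True)
class PurchaseRequest:
    item: str
    on_hand: int
    vendor: str
    requested_by: str


@dataclass(frozen=True)
class CreditIncrease:
    customer: str
    new_limit: float
    requested_by: str
    approved_by: Optional[str] = None


def authorize_purchase(req: PurchaseRequest) -> Tuple[bool, str]:
    """Programmed procedure: a purchase is authorized only from the designated
    vendor and only when stock on hand has fallen to the reorder point.  When
    the rules are met no further approval is needed."""
    if req.item not in REORDER_POINT:
        return False, "unknown item"
    if req.vendor != DESIGNATED_VENDOR[req.item]:
        return False, "vendor not designated for item"
    if req.on_hand > REORDER_POINT[req.item]:
        return False, "stock above reorder point"
    return True, "general authorization"


def authorize_credit_increase(req: CreditIncrease) -> Tuple[bool, str]:
    """Non-routine decision: a limit above the standard amount needs a specific
    approval by a manager, and the approver must not be the requester."""
    if req.new_limit <= STANDARD_CREDIT_LIMIT:
        return True, "within standard limit"
    if req.approved_by is None:
        return False, "specific authorization required"
    if req.approved_by not in MANAGERS:
        return False, "approver is not a manager"
    if req.approved_by == req.requested_by:
        return False, "requester cannot approve own request"
    return True, "specific authorization by management"


def sod_conflicts(assignments: dict) -> dict:
    """Given employee -> set of duties, list the incompatible pairs each holds.
    Employees with no conflict are omitted from the result."""
    conflicts = {}
    for employee, duties in assignments.items():
        found = sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE if pair <= set(duties))
        if found:
            conflicts[employee] = found
    return conflicts


if __name__ == "__main__":
    print(authorize_purchase(PurchaseRequest("WIDGET", 80, "V-ACME", "clerk1")))
    print(authorize_credit_increase(CreditIncrease("C-1", 25_000.0, "rep1", "mgr_kim")))
    print(sod_conflicts({"pat": {"authorize", "custody", "record"}, "lee": {"record"}}))
```

Note that the general-authorization function never consults a person: the decision rules are fixed in advance, which is what makes it a programmed procedure. The credit-limit function, by contrast, cannot succeed above the standard limit without a named manager, and the last check inside it is itself a small segregation-of-duties control.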

c. Supervision. Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties
often presents difficulties for small organizations. Obviously, it is impossible to
separate five incompatible tasks among three employees. Therefore, in small
organizations or in functional areas that lack sufficient personnel, management must
compensate for the absence of segregation controls with close supervision. For this
reason, supervision is often called a compensating control.

An underlying assumption of supervision control is that the firm employs competent and trustworthy personnel. Obviously, no company could function for long on the
alternative assumption that its employees are incompetent and dishonest. The
competent and trustworthy employee assumption promotes supervisory efficiency.
Firms can thus establish a managerial span of control whereby a single manager
supervises several employees. In manual systems, maintaining a span of control tends
to be straightforward because both manager and employees are at the same physical
location.

d. Accounting Records. The accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of
transactions and provide an audit trail of economic events. The audit trail enables the
auditor to trace any transaction through all phases of its processing from the initiation
of the event to the financial statements.

Organizations must maintain audit trails for two reasons. First, this information is
needed for conducting day-to-day operations. The audit trail helps employees respond
to customer inquiries by showing the current status of transactions in process. Second,
the audit trail plays an essential role in the financial audit of the firm. It enables
external (and internal) auditors to verify selected transactions by tracing them from
the financial statements to the ledger accounts, to the journals, to the source
documents, and back to their original source. For reasons of both practical expedience
and legal obligation, business organizations must maintain sufficient accounting
records to preserve their audit trails.
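The following added example shows what "tracing a transaction through all phases of its processing" looks like when the records are linked: it walks backward from a financial statement line to the ledger accounts, the journal entries and the source documents behind them, and forward from a source document to the statement lines it reaches. It is not code from this module; the chart of accounts, statement lines, journal and source documents are a constructed miniature, and the missing document behind entry J-4 is deliberate, to show how a broken trail surfaces.

```python
"""Tracing transactions through the audit trail in both directions (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceDocument:
    doc_id: str
    kind: str
    amount: float


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    date: str
    debit: str
    credit: str
    amount: float
    source_doc: str          # the link that makes the trail traceable


# Constructed records.
SOURCE_DOCS = {
    "INV-501": SourceDocument("INV-501", "sales invoice", 1500.0),
    "INV-502": SourceDocument("INV-502", "sales invoice", 700.0),
    "RCPT-77": SourceDocument("RCPT-77", "cash receipt", 1500.0),
}
JOURNAL = [
    JournalEntry("J-1", "2024-03-01", "Accounts Receivable", "Sales Revenue", 1500.0, "INV-501"),
    JournalEntry("J-2", "2024-03-02", "Accounts Receivable", "Sales Revenue", 700.0, "INV-502"),
    JournalEntry("J-3", "2024-03-10", "Cash", "Accounts Receivable", 1500.0, "RCPT-77"),
    JournalEntry("J-4", "2024-03-12", "Accounts Receivable", "Sales Revenue", 400.0, "INV-503"),
]
# Which ledger accounts feed each financial statement line (assumed mapping).
STATEMENT_LINES = {
    "Revenue": ["Sales Revenue"],
    "Receivables": ["Accounts Receivable"],
    "Cash": ["Cash"],
}


def post_ledger(journal) -> dict:
    """Ledger balances posted from the journal (debits positive, credits negative)."""
    ledger = defaultdict(float)
    for e in journal:
        ledger[e.debit] += e.amount
        ledger[e.credit] -= e.amount
    return ledger


def vouch(entry: JournalEntry, source_docs: dict) -> str:
    """Check one journal entry against its source document."""
    doc = source_docs.get(entry.source_doc)
    if doc is None:
        return "missing source document"
    if abs(doc.amount - entry.amount) > 0.005:
        return "amount mismatch"
    return "ok"


def trace_statement_line(line: str, journal=JOURNAL, source_docs=SOURCE_DOCS) -> dict:
    """Backward trace: statement line -> ledger accounts -> journal entries ->
    source documents.  Flags any entry whose document is missing or disagrees."""
    accounts = STATEMENT_LINES[line]
    ledger = post_ledger(journal)
    entries = [e for e in journal if e.debit in accounts or e.credit in accounts]
    vouched = [{"entry_id": e.entry_id, "amount": e.amount,
                "source_doc": e.source_doc, "status": vouch(e, source_docs)} for e in entries]
    return {
        "line": line,
        "amount": round(abs(sum(ledger[a] for a in accounts)), 2),
        "entries": vouched,
        "trail_complete": all(v["status"] == "ok" for v in vouched),
    }


def trace_document(doc_id: str, journal=JOURNAL) -> dict:
    """Forward trace: source document -> journal entries -> statement lines."""
    entries = [e for e in journal if e.source_doc == doc_id]
    lines = sorted({line for line, accts in STATEMENT_LINES.items()
                    for e in entries if e.debit in accts or e.credit in accts})
    return {"doc_id": doc_id, "entries": [e.entry_id for e in entries], "statement_lines": lines}


if __name__ == "__main__":
    print(trace_statement_line("Revenue"))
    print(trace_document("INV-501"))
```

The trail only works because every journal entry carries a reference to its source document; the example shows that an entry without a surviving document (J-4) still reaches the revenue figure, which is exactly the kind of gap an auditor tracing from the statements back to the documents would flag.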

e. Access Control. The purpose of access controls is to ensure that only authorized
personnel have access to the firm’s assets. Unauthorized access exposes assets to
misappropriation, damage, and theft. Therefore, access controls play an important
role in safeguarding assets.

Access to assets can be direct or indirect. Physical security devices, such as locks,
safes, fences, and electronic and infrared alarm systems, control against direct access.
Indirect access to assets is achieved by gaining access to the records and documents
that control the use, ownership, and disposition of the asset. For example, an
individual with access to all the relevant accounting records can destroy the audit trail
that describes a particular sales transaction. Thus, by removing the records of the
transaction, including the accounts receivable balance, the sale may never be billed
and the firm will never receive payment for the items sold. The access controls
needed to protect accounting records will depend on the technological characteristics
of the accounting system. Indirect access control is accomplished by controlling the
use of documents and records and by segregating the duties of those who must access
and process these records.

f. Independent Verification. Verification procedures are independent checks of the accounting system to identify errors and misrepresentations. Verification differs from
supervision because it takes place after the fact, by an individual who is not directly
involved with the transaction or task being verified. Supervision takes place while the
activity is being performed, by a supervisor with direct responsibility for the task.
Through independent verification procedures, management can assess:
1. The performance of individuals,
2. The integrity of the transaction processing system, and
3. The correctness of data contained in accounting records.

Examples of independent verifications include:
• Reconciling batch totals at points during transaction processing.
• Comparing physical assets with accounting records.
• Reconciling subsidiary accounts with control accounts.
• Reviewing management reports (both computer and manually generated) that summarize business activity.

The timing of verification depends on the technology employed in the accounting system and the task under review. Verifications may occur several times an hour or several times a day. In some cases, verification may occur daily, weekly, monthly, or annually.
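As an added example of the verifications listed above, the code below implements three of them as after-the-fact checks that someone not involved in the processing can run: reconciling batch totals at a processing point, reconciling subsidiary account balances to the control account, and comparing a physical count with the book quantities. It is not code from this module; the batch header, detail records and balances are constructed, and a hash total (the sum of a non-financial field, here customer numbers) is used alongside the record count and amount total as one common form of batch total.

```python
"""Independent verification checks: batch totals, subsidiary-to-control
reconciliation, and physical count comparison (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BatchHeader:
    """Control totals prepared before the batch is processed."""
    batch_id: str
    record_count: int
    amount_total: float
    hash_total: int


@dataclass(frozen=True)
class Detail:
    customer_no: int
    amount: float


def batch_totals(details) -> tuple:
    """Recompute (record count, amount total, hash total) from the records
    that actually came out of a processing step."""
    return (len(details),
            round(sum(d.amount for d in details), 2),
            sum(d.customer_no for d in details))


def reconcile_batch(header: BatchHeader, details) -> list:
    """Compare recomputed totals with the header; return the discrepancies
    (an empty list means the batch is in balance)."""
    count, amount, hsh = batch_totals(details)
    problems = []
    if count != header.record_count:
        problems.append(f"record count {count} != {header.record_count}")
    if abs(amount - header.amount_total) > 0.005:
        problems.append(f"amount total {amount} != {header.amount_total}")
    if hsh != header.hash_total:
        problems.append(f"hash total {hsh} != {header.hash_total}")
    return problems


def reconcile_subsidiary(subsidiary: dict, control_balance: float) -> dict:
    """The subsidiary ledger balances must add up to the control account."""
    total = round(sum(subsidiary.values()), 2)
    diff = round(total - control_balance, 2)
    return {"subsidiary_total": total, "control_balance": control_balance,
            "difference": diff, "in_balance": abs(diff) <= 0.005}


def physical_count_variances(book: dict, counted: dict) -> dict:
    """Compare counted quantities with book quantities; items that agree are
    omitted so the result is an exception list (count minus book)."""
    items = set(book) | set(counted)
    return {i: counted.get(i, 0) - book.get(i, 0) for i in sorted(items)
            if counted.get(i, 0) != book.get(i, 0)}


# Constructed sample batch: three sales records with their pre-processing totals.
HEADER = BatchHeader("B-41", record_count=3, amount_total=1250.00, hash_total=3006)
DETAILS = [Detail(1001, 500.00), Detail(1002, 250.00), Detail(1003, 500.00)]


if __name__ == "__main__":
    print(reconcile_batch(HEADER, DETAILS))          # in balance
    print(reconcile_batch(HEADER, DETAILS[:2]))      # a record lost in processing
    print(reconcile_subsidiary({"C-1": 600.0, "C-2": 500.0}, 1250.0))
    print(physical_count_variances({"WIDGET": 120, "GADGET": 40},
                                   {"WIDGET": 118, "GADGET": 40}))
```

Using three different totals matters: a lost record moves all three, but a transposed amount (520 entered for 250) moves only the amount total, and two records with swapped customer numbers would leave every total unchanged, which is why batch totals are one verification among several rather than a complete check on their own.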

General Controls
General controls apply to all systems and are not application-specific. They are controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures. General controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.
