Acctg 027

The document discusses internal controls in a computer information system environment. It covers general controls which apply to the overall IT system, including user authentication, logging, and limiting unauthorized access. It also discusses controls related to hacking, encryption, and physical security of the system.

Uploaded by

Yuan Kyle Santos
ACCTG 027 Auditing in a CIS Environment

Internal Controls in CIS Environment


Internal Controls
Internal Control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to financial reporting, effectiveness and efficiency, and compliance with laws and regulations.

Reasonable Assurance
Internal control can only provide reasonable assurance, not absolute assurance, because of Inherent Limitations such as:
• Faulty judgments in decision making
• Consideration of relative costs and benefits
• Breakdowns because of human failures, simple errors or mistakes
• Controls can be circumvented by collusion of two or more people
• Management override of the internal control system

COMPONENTS OF INTERNAL CONTROL

Control Environment
Includes the attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. The control environment sets the tone and provides discipline and structure.
Several factors reflected in the control environment include:
• Integrity and ethical values
• Management philosophy and operating style
• Active participation of those charged with governance
• Commitment to competence
• Personnel policies and procedures
• Assignment of responsibility and authority / Organizational structure

Risk Assessment
Organizational risks, changes in the Information System, new IT tools. Management should adopt policies and procedures that are designed to identify and analyze the risks affecting the entity's business and to take the appropriate action to manage these risks. For audit purposes, the auditor is concerned only with those risks that are relevant to the preparation of reliable financial statements.

Control Activities
Policies and procedures to ensure that necessary actions are taken to address risks to the achievement of preparing reliable financial statements. Control activities pertain to performance reviews, physical controls, and segregation of duties.

INFORMATION AND COMMUNICATION
The entity's information system and procedures for communicating matters related to the processing of accounting data. This component generates the financial statements.

MONITORING
The process an entity uses to assess the quality of internal control over time. It involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary.

General Controls
General Controls apply overall to the IT accounting system; they are not restricted to any particular accounting application.

Authentication of users and limiting unauthorized access
1. Log in restrictions - user id and password
• User ID - uniform but differentiated
• Password - should consist of at least 8 characters, including non-alphanumeric characters. It must be kept secret, but careless acts by the user can defeat the purpose of the password.
2. Smart Card and Security Token - reduce unauthorized access. Also known as two-factor authentication (something the user has and something the user knows)
3. Biometric Devices – unique physical characteristics of the user (fingerprint, retina scans, voice recognition and face recognition)
4. Computer Log – complete record of all dates, times and uses for each user
• Nonrepudiation - the user cannot deny any particular act that he performed on the system
• Log in of customer
5. User Profile - determines the user's access levels to hardware, software and data
6. Authority Table – contains the list of valid, authorized users and the access level granted to each one
7. Configuration table - hardware, software and application programs can only be changed by authorized users.

Hacking and other network break-ins
1. Firewall - designed to block unauthorized access
2. Encryption - process of converting data into secret codes referred to as cipher text. Encryption renders the data useless to those who do not possess the correct encryption key
• Symmetric Encryption - uses a single encryption key that must be used both to encrypt the data and to decode the encrypted data (same key for sender and receiver)
• Public Key Encryption - uses both a public and a private encryption key (sender – public, receiver – private)
3. Wired Equivalent Privacy (WEP) - encryption method mostly used in wireless networks that uses a symmetric encryption key. This method is susceptible to hacking.
4. Wireless Protected Access - improved encryption method that can check whether the encryption key has been tampered with. It authenticates the computer and the user first before transmitting data
5. Service Set Identifier (SSID) - a password that is passed between the sending and receiving nodes of a wireless network.
6. Virtual Private Network (VPN) - employed when an employee connects to the system through a public network such as the internet
7. Secure Socket Layer - Web-based technology that can be used to limit access when employees use the Internet (https://)
8. Break Ins - virus or worm inserted in the system
• Virus - self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions such as deleting files or shutting down the computer
• Worm - small piece of program code that attaches to the computer's unused memory space and replicates itself
9. Antivirus Software - continually scans the system for viruses and worms and either deletes or quarantines them
10. Long Range Monitoring
• Vulnerability Assessment – identifies weaknesses of the IT system before they become break-ins
• Intrusion Detection - serves as an alarm when someone tries to break into the system
• Penetration Testing - legitimately attempting to break into an IT system to discover weaknesses
Organizational structure
1. IT governance committee – suitable to a large IT system. It is composed of top executives such as the CEO, CFO, CIO and heads of business units.
• Align the IT system to business strategy
• Budget funds and personnel for the most effective use of the IT systems
• Oversee and prioritize changes in IT systems
• Develop, monitor, and review IT operational policies
• Develop, monitor and review security policies
2. The manner in which an organization establishes, delegates, and monitors IT system functions
• Functional responsibilities must be properly segregated (system analysts, programmers, operators and database administrator)

Physical Environment and physical security of the system
1. Physical Security - limits the physical access to computer hardware and software so that malicious acts or vandalism do not disrupt the system and data are protected
2. Location of the IT system should be in an area that is least at risk of disaster, that properly controls dust, temperature and humidity, and that has a fire prevention system that does not use water
3. Uninterruptible Power Supply - keeps the computer running for several minutes after a power outage
4. Emergency Power Supply - alternative power supply that provides electrical power when the main source is lost
5. Limited access to computer rooms
6. Video Surveillance Equipment
7. Logs of persons entering and exiting the computer rooms
8. Locked storage of backup data and offsite backup data

Business Continuity
1. Business Continuity Planning - a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks. Continuation of the IT system is an integral part of business continuity.
• Strategy for backup and restoration of the IT system
• Disaster Recovery Plan
2. Backup Strategy
• Redundant Server - two or more computer network data servers that can run identical processes or maintain the same data (Redundant Array of Independent Disks, RAID)
• Offsite Backup - additional copy of the backup files stored in an offsite location
3. Disaster Recovery Plan - a plan for the continuance of the IT system after a disaster. Reactive rather than proactive.

Risks in CIS Environment
• Security Risk - risk that the system is not protected from unauthorized access
• Availability Risk - risk that the system is not available for operation and use as committed and agreed
• Processing Integrity Risk - risk that the system processing is not complete, accurate, timely and authorized
• Confidentiality Risk - risk that the information designated as confidential is not protected as committed and agreed

Control and Risk Matrix

Application Controls
Application Controls are used specifically in accounting applications, such as payroll, accounts receivable and sales, to control inputs, processes and output.
• Input Controls - intended to ensure the accuracy and completeness of data input procedures and the resulting data
• Process Controls - intended to ensure the accuracy and completeness of processing that occurs in the accounting applications
• Output Controls - intended to help ensure the accuracy, completeness and security of outputs that result from application processing

Input Controls
Source Document Controls
• Form Design - the source document and input screen should be well-designed so that they are easy to understand and use. Ideally, the fields on both the source document and the input screen should be the same, for easy data entry without uncertainty and errors.
• Form Authorization and Control - Source documents should be properly authorized and signed by accountable personnel. Source documents should be prenumbered and used in sequence. These controls are used to ensure that there will be no missing source documents and no unrecorded transactions. Blank source documents should be kept in a secured area to prevent their use for unauthorized transactions.
• Retention of Source Documents - source documents should be retained because they can be used as an audit trail. This can also help to answer questions that arise from transaction processing.

Standard Procedures of Data Input
• Data Preparation - process of collecting and preparing source documents. Employees should be sure which form to use, when to use the form, how to use it and where to route it. This reduces the chance of lost, misdirected or incorrect data collection from source documents.
• Error Handling - Errors discovered should be logged, investigated, corrected and resubmitted for processing. The error log should be regularly reviewed by the appropriate manager and corrective actions should be taken in a timely manner.

Programmed Edit Checks
• Field Check - examines the field to determine whether the appropriate type of data was entered (either number or letter); not applicable to fields that accept both numbers and letters (name or date)
• Validity Check - examines the field to ensure that the data entered in the field is a valid value when compared with a preexisting list of acceptable values (Civil Status)
• Limit Check - checks field input against a preestablished limit or limits, but only an upper limit (maximum number of hours, no negative)
• Range Check - checks field input against preestablished limits on both the upper and the lower side
• Reasonableness Check - compares the value in a field with the fields to which it is related, to determine whether the value is reasonable (Pay rate vs Job category code)
• Completeness Check - assesses the critical fields in an input screen to make sure that there is a value in those fields. It cannot ensure that the correct value was entered (SSS number)
• Sign Check - examines a field to determine that it has the appropriate sign (+ or -)
• Sequence Check - ensures that the batch of transactions is sorted in order, but does not help find missing transactions because it checks only sequence, not completeness
• Self-checking Digit - an extra digit added to a coded identification number, determined by a mathematical algorithm

Control Totals and Reconciliation
• Control Total - subtotals of selected fields for an entire batch of transactions. Totals are computed manually and reconciled with the computer-generated totals.
• Record Counts - simple count of the number of records processed
• Batch Totals - totals of financial data such as total gross pay
• Hash Totals – totals of fields that have no apparent logical reason to be added (no practical use)

Processing Controls
• First and foremost, it is important to ensure that the application software has no errors. Faulty software can consistently make the same error and thus cause many errors in the data. Software should be tested prior to implementation and should be regularly reviewed thereafter. Application software may be tested by processing actual data with known results. The result of processing the data should be compared with the known result to ensure that there are no errors in processing.
• Many input controls, such as control totals, limit checks, range checks, reasonableness checks, and sign checks, can prevent or detect processing errors.
• Run-to-run controls - reconciliation of control totals at various stages of processing.
• Computer logs of transactions processed, production run logs, and error listings can be regularly examined to prevent, detect and correct other errors.

Output Controls
• There are two primary objectives of Output Controls: (1) ensure the accuracy and completeness of the output and (2) properly manage the safekeeping of output reports to ascertain that the security and confidentiality of the information is maintained.
• Users are the most familiar with the nature of output reports and are therefore most likely to notice if there are errors. Errors noticed by users should be logged and corrected.
• The organization should maintain procedures to protect confidential reports from unauthorized access and misuse.
• Sensitive data might require users to sign off upon receipt of the reports. The report should not be released without the signature.
• The organization should also establish procedures to guide the retention and disposal of output. Outputs scheduled for disposal should be properly removed, depending on the nature of the output.
• The output from the IT system may be viewed on the screen rather than examined as a printed copy. In this case, user authentication controls can help protect the security and confidentiality of the output.

Ethical Issues in IT System
Besides fraud, there are many kinds of unethical behaviors related to computers, such as the following:
• Misuse of confidential customer information stored in an IT system
• Theft of data, such as credit card information, by hackers
• Employee use of IT system hardware and software for personal use or personal gain
• Using company email to send offensive, threatening, or sexually explicit material
Unique Characteristics of Specific CIS Environment

Computer
An electronic machine that is used for storing, organizing, and finding words, numbers, and pictures, for doing calculations, and for controlling other machines.

System
A set of things working together as parts of a mechanism or an interconnecting network.

Computer Systems
Sets of integrated devices that input, output, process, and store data and information.

System Configuration
1. Large System Computers
• Consist of mainframe computers, minicomputers, and supercomputers
• Meant to support hundreds or thousands of users at the same time.
• Can be very expensive to purchase and maintain
• Usually owned by corporations and government agencies
• The processing tasks of multiple users are performed on a single centralized computer
• All inputs move directly from the terminal to the central processors and, after processing, go back to the users from the central processors.
• Why do businesses use Large System Computers?
➢ Reliability
➢ Availability
➢ Serviceability
• All terminals in these systems were called "dumb terminals", as the terminals were not capable of processing data on their own and served only as input or output terminals.
• These systems have become more efficient and sophisticated and, in many instances, dumb terminals have given way to intelligent terminals, allowing data processing at local levels
2. Stand Alone Personal Computers
• One that is not connected to or does not communicate with other computer systems
• Computing is done by one individual at a time
• All input data and its processing take place on the machine itself
• Many small businesses rely on personal computers for all their accounting functions
• The advantage of stand-alone is damage control: when a computer is damaged, other computers will not be affected.
• The disadvantages of stand-alone are:
➢ Users are restricted to one computer
➢ Software cannot be installed simultaneously
➢ Harder to monitor
3. Networking Computing System / Network
• group of interconnected systems sharing services and interacting by shared communication links.
• all networks have something to share, a transmission medium and rules for communication.
• interaction through shared communication
• collection of devices connected in a network that share resources
• Networks share hardware and software resources.

Hardware Resources:
1. Client Server
• a server in a network is dedicated to performing specific tasks to support other computers on the network
• allows for a clear division of labor, with powerful servers handling complex tasks and various clients utilizing those resources.
2. File Server
• network applications that store, retrieve, and move data
• multiple users on the network can access, upload, download, and share files stored on the file server.
3. Database Server
• provides a powerful facility to process data
• organizes and manages data in a way that allows for efficient retrieval and analysis
4. Message Server
• provides a variety of communication methods which take the form of graphics, digitized audio and video
5. Print Server
• manages print services on the network
• acts as a central point for receiving print jobs from user devices and directing them to the appropriate printer

Software Resources
Software resource sharing provides a facility to share information in the organization. Networks can also be classified on the basis of the areas covered.
1. Local Area Network (LAN)
• computers located in a small area can be connected through cables.
• one computer acts as the server; it stores the program and data files centrally so that they can be accessed by the other computers forming part of the LAN.
• Examples of LAN include:
➢ Home Network
➢ Office Network
➢ School Network
2. Wide Area Network (WAN)
• networks that employ public telecommunications facilities to provide users with access to the resources of centrally located computers.
• uses the public switched telephone network, high speed fiber optic cable, radio links or the internet.
• uses modems to connect computers over telephone lines. Modems are used to convert analog signals into digital and vice versa
• EXAMPLE: The Internet

System Resources
1. Distributed Data Processing
• consists of hardware located at least two geographically distinct sites, connected electronically by telecommunications, where processing and data storage occur at two or more sites.
• the main computer and the decentralized units communicate via communication links. A more integrated connection occurs with cooperative processing, where one unit sends the output of its processing to another for completion. The system becomes more complex where the operating systems of the two machines are different.

Source Resources
1. Electronic Data Interchange (EDI)
• the transfer of electronic data from one organization's computer system to another's, the data being structured in a commonly agreed format so that it is directly usable by the receiving organization's computer system.
• EDI groups who wish to share data electronically should have EDI services in order to effect the data exchanges.
• Value added network (VAN) – refers to a closed network where only members of the network can have access to the data. VANs are not connected to the wider
• The advantages of EDI are:
➢ the time taken to process an inter-organizational transaction is minimized
➢ paperwork is eliminated
➢ the costs of transaction processing are reduced
➢ reduced human involvement reduces errors

Processing Systems
1. Batch Processing
• large volumes of homogeneous transactions are aggregated and processed periodically.
• Involves the implementation of a system for handling an enormous amount of data that is sent and received in an organization.
• In situations where individual computing of data seems impractical, data systems process such tasks in batches, often in off-peak times when computing resources are more commonly available, such as at the end of the day or overnight
• Four Stages of Batch Processing:
➢ Occurrence of Transactions - source documents
➢ Recording in a Transaction file - a batch of source documents is periodically transferred to the data entry operator, who extracts the information from the source documents and enters it into the computer format. Once the data entry is done, the records entered are confirmed against the source documents. Source documents are still stored for future reference
➢ Updating of the Master file - after data is entered, it is processed and summarized, and the master files are updated
➢ Generation of output - reports are periodically generated
2. Online Processing System
• Processing of individual transactions as they occur from their point of origin, as opposed to accumulating them into batches. This is made possible by direct access devices such as magnetic disks and a number of terminals connected to and controlled by central processors. Various departments in a company can be connected to the processor by cables. Inquiries are also handled by the online processing system. Online processing ensures that the records are in an updated status at any time, but it is costly
• Key aspects of online processing systems:
➢ Real-time Processing
➢ High Availability
➢ Security
3. Interactive Processing
• a continuous dialogue exists between the user and the computer. It is also called "transaction driven" processing, as transactions are dealt with completely on an individual basis through all the relevant processing operations before the next transaction is dealt with, and inquiries are dealt with on an immediate response basis
4. Online Real time Processing
• Real time - technique of updating files with transaction data immediately after the occurrence of the event.
• Real time systems are basically on-line systems with one specialty: inquiry processing.
• The response of the system to the inquiry itself is used to control the activity
• The response of a real-time system is one type of feedback control system
• The response time would naturally differ from one activity to another
• Real time systems usually operate in multi-programming and multi-processing, which increase both the availability and reliability of the system
• CPUs in real time systems should possess the capability of "Program Interrupts". These are temporary stoppages or halts in the execution of a program so that a more urgent message can be handled on priority
5. Time Sharing
• It allows access to a CPU and files through many remote terminals.
• Multiprogramming is the method of implementing time shared operations.
• In transaction processing, time sharing occurs when a computer processes transactions of more than one entity
6. Service Bureau
• It is a company that processes transactions for other entities.
• It handles computer processing for small companies that singly do not have sufficient transactions to justify the acquisition of a computer
• What will a service bureau do for you?
➢ Manage trading relationships
➢ Allow you to do business in the same manner as you do today
➢ Scale to your volume of activity
➢ Operate a technical infrastructure
➢ Pay only for what you use
➢ No additional staff required
7. Decision Support System
• system that provides tools to managers to assist them in solving semi-structured and unstructured problems
• not intended to make decisions for managers, but rather to provide managers with a set of capabilities that enables them to generate the information they require for decision making
• supports the human decision-making process rather than providing a means to replace it
• DSS is characterized by:
➢ support for semi-structured or unstructured decision making
➢ flexible enough to respond to the changing needs of decision makers
➢ easy to operate
• Components of DSS:
➢ Users - represent managers at any given level of authority in the organization
➢ Database - contains routine and nonroutine data from internal and external sources
➢ Model Base - the brain of the decision support system, because it performs data manipulations and computations with the data provided by the user and the database
➢ Decision Maker
➢ Software
8. Expert System
• computerized information system that allows nonexperts to make decisions comparable to those of an expert
• used for complex or ill-structured tasks that require experience and special knowledge in specific subject areas
• uses Machine Learning and Artificial Intelligence (AI) to simulate a human expert's mind and logical reasoning.
• requires a good knowledge base to make it reliable.
• Knowledge Acquisition Method:
1. Forward Chaining - uses a set of facts to make a prediction.
2. Backward Chaining - uses a set of facts to explain how or why something happened.
• Components:
➢ Knowledge base
- includes the data, knowledge, relationships, rules of thumb and decision rules used by experts to solve a particular type of problem. It is the computer equivalent of all the knowledge and insight that an expert or a group of experts develop through years of experience in their field
- the brain of the system, storing all the facts, rules, and procedures relevant to the specific area of expertise (data, knowledge, relationships, rules of thumb, and decision rules used by experts).
➢ Inference Engine
- a program that contains the logic and reasoning mechanisms that simulate the expert's logical process and deliver advice. It uses data obtained from both the knowledge base and the user to make associations and inferences, form its conclusion and recommend a course of action
- the reasoning engine; it analyzes the information, applies rules, and draws conclusions to arrive at a solution.
➢ User interface
- programs that allow the user to design, create, update, use and communicate with the expert system
- what end users interact with to get an answer to their question or problem. It allows the user to design, create, update, use, and communicate with the expert system.
➢ Explanation Facility (Optional)
- facility that provides the user with an explanation of the logic the expert system uses to arrive at its conclusion
- complements the inference engine by explaining its reasoning process to the user.
➢ Knowledge acquisition facility
- building a knowledge base involves both a human expert and a knowledge engineer. The knowledge engineer is responsible for extracting an individual's expertise and using the knowledge acquisition facility to enter it into the knowledge base
- this allows the system to learn and improve over time, keeping its expertise relevant.
9. Integrated File System
• systems that update many files simultaneously as a transaction is processed.
• processing of a sales order updates the accounts receivable control account, the related subsidiary ledger is also updated, and the sales control and sales detail accounts are also posted as the sales order is processed
• contains a set of interrelated master files that are integrated in order to reduce data redundancy
• the software used to control input, processing and output is referred to as the DATABASE MANAGEMENT SYSTEM, which handles the storage, retrieval, updating and maintenance of the data in the database
• Integrated files are most commonly associated with online real-time (OLRT) systems and pose the greatest challenge to the auditors. Controls within these systems are harder to test and assess due to the danger of file destruction.
• Files may be physically stored on disk in the following ways:
➢ Sequentially - records are physically ordered by some field (employee number)
➢ Randomly - records are stored at a physical address computed by an algorithm working on a field value
➢ Indexed - records are physically stored randomly, with a sequentially ordered index field (by customer) and a pointer to the physical location of each record
➢ Indexed Sequential - records are physically stored sequentially, ordered by some field, together with an index which provides access by some possibly different field
