
Auditing in a CIS environment

by Katherine Bagshaw
01 Oct 1998
This article is the third in a series of four, covering the most commonly examined subjects in
paper 6. In the August edition of the Students' Newsletter, we looked at the audit of
inventories. This month, we look at auditing in a Computer Information Systems (CIS)
environment.
Auditing in a CIS environment is, of course, the rule rather than the exception. The paper 6
examiner states that students should assume that accounting systems in exam questions are
computerised. Auditors all over the world now use computers to a greater or lesser extent, and
the proportion of their clients without a single PC must be very small. So once again, the
subject is important in practice as well as in theory.
There is a substantial body of guidance in this area which includes the following ISAs
(International Standards on Auditing) and IAPSs (International Auditing Practice Statements):
(i) ISA 401, Auditing in a Computer Information Systems Environment;
(ii) ISA 402, Audit Considerations Relating to Entities Using Service Organisations;
(iii) IAPS 1001, CIS Environments - Stand-Alone Microcomputers;
(iv) IAPS 1002, CIS Environments - On-Line Computer Systems;
(v) IAPS 1003, CIS Environments - Databases;
(vi) IAPS 1008, CIS Environments - Risk Assessments and Internal Control - CIS
Characteristics and Considerations;
(vii) IAPS 1009, CIS Environments - Computer-Assisted Audit Techniques.
Much of the IAPSs is taken up with descriptions of the various types of system and the issues
involved in auditing them. This article will take a rather more practical approach to exam
questions, as in previous articles. Don't worry about this area if you are not particularly
computer literate: the examiner does not expect you to have any specialist knowledge, and you
can answer questions perfectly well with very little practical experience. Remember that there is
some crossover with the paper 5 syllabus here, so you get double benefit from studying the
area!
There are four basic types of question that come up in the exam:

Type A: what are the particular features and risks involved in auditing in a CIS environment?
Type B: what CIS controls would you expect to find in this particular area?
Type C: how do auditors use computers in performing audits?
Type D: how would you use CAATs (Computer-Assisted Audit Techniques) in this area?
The area covered by ISA 402 is one that has not been examined frequently in the past, and it is
unlikely to form the subject matter of a full question.
TYPE A Questions
Type A questions deal with the features and risks involved in auditing in a CIS environment.
The IAPSs noted above deal with the features and risks of different types of system, but there
are elements common to them all. A typical Type A question might read as follows:
Type A question
Set out the CIS factors you will take into consideration when planning
the audit of a small enterprise that has acquired a network of PCs in its
only office, during the current period.

The suggested answer that follows is split into two parts. Part (a) deals with general CIS factors
which would be applicable to many different types of system. Part (b) deals with the effect of
the change in the system on audit planning.

Type A suggested answer

(a) CIS Factors
(i) Consistency of performance
Consistency of performance is both a strength and a weakness.
Computer systems are more reliable than manual systems. A
properly programmed application will process transactions
consistently accurately; a program with errors will make errors
consistently.
(ii) Concentration of knowledge, programs and data files
The number of computer specialists involved in a CIS environment
will generally be low. In small organisations, there might only be
one individual with a detailed knowledge of the functioning of the
system as a whole. Such individuals are in a position to alter
programs and data, and potentially conceal fraud. Transaction,
masterfile and program data are often held together, which
increases the potential for unauthorised access. Performing proper
risk assessments may be difficult for an audit firm that employs
very few computer specialists.

(iii) Ease of access to data and programs
This problem can be particularly acute where data can be altered
from remote terminals. There is still a widespread belief that
computers and the records contained on them are inherently safer,
and less vulnerable to loss and corruption than manual systems,
where in fact the reverse is true.
(iv) Automatically generated transactions
Most systems are capable of generating transactions without
human intervention. For example, bank interest is almost always
charged automatically. The lack of authorisation and
documentation can be a significant audit issue if many transactions
are generated this way.
(v) Lack of source documentation and audit trail
Computers do not show handwriting, and the proper authorisation
and attribution of transactions processed is correspondingly
important. Many systems report by exception only, and this can
make an audit trail difficult to follow if there is no hard copy of all
transactions processed.
(vi) Programmed controls
Programmed controls are generally not visible and therefore need
to be tested indirectly, or using test data. There may also be a
belief that general IT controls are unimportant, or inexpensive.
(vii) Vulnerability of storage media
The data stored on discs, tapes and cartridges is highly vulnerable
to loss, corruption, theft and destruction.
(viii) Multiple update of files
Incorrect entries, particularly when encoded, may result in incorrect
data in many different accounts, particularly in database systems.
(b) Acquisition of network
(i) Before the change
The system will need to be assessed and tested as normal.
(ii) The changeover
The auditor must ensure that all records have been properly
removed from the old system and entered into the new one. This
will probably involve the use of control totals, but may be
complicated by the consolidation and subdivision of codes,
together with a housekeeping exercise to remove redundant
records or codes. The client should be informed of the need to
keep an adequate audit trail, and he may require the auditors'
assistance.
(iii) After the changeover
The auditor will need to document and assess the new system
before deciding what audit approach to take. In small systems, and
particularly where there are networks, there are likely to be
teething problems for the first few weeks or months after
implementation. If two systems are run in parallel, it may be
possible to rely on the old system for a while.

TYPE B Questions
Type B questions are probably the commonest. They require you either to set out what controls
you would expect to see in a particular area, or to explain the weaknesses in a given situation.
We dealt with the approach to exam questions, and controls generally, in a previous article.
Here, we will simply revise the basic types of computer control, in order to familiarise
ourselves with the terminology.
We saw in the previous article that the control environment is assessed alongside specific
control procedures. In the context of computers, we deal with general CIS controls and CIS
application controls. Note that not all computer controls are necessarily computerised!
(a) General CIS Controls
The purpose of general CIS controls is to establish a framework of
overall control. General CIS controls act as an umbrella to CIS
application controls. Rather than deal with the control objectives
set out by IAPS 1008, which are rather too theoretical for most
students, the following constitutes a list of general CIS controls that
you can draw on to answer questions in this area:
(i) Access controls include the use of security personnel, locked
doors, keypads, swipecards and logical access controls
(passwords) that allow only authorised individuals access to the
relevant areas of the system. More sophisticated procedures would
include voice, fingerprint and retina recognition. Systems software
data shows who has attempted to enter the system, when, what
files were used and so on. Analysis of this data goes some way to
detecting, and therefore preventing, unauthorised access.
(ii) Encryption and callback procedures help prevent hacking,
particularly where public telecommunications lines or networks are
involved. File transfer protocols are necessary to ensure the
complete and accurate transfer of data without loss.
(iii) Read Only Memory (ROM) is necessary for the more important
program and data files; version control and file libraries help
protect data generally.
(iv) The use of antiviral software, the enforcement of policies
discouraging the use of non-authorised software, effective disaster
recovery and contingency planning all help to minimise the risks
associated with the loss or corruption of data. Simple fire and flood
prevention measures help control the hardware, as well as
software.
(v) Systems development controls such as the use of proper
programming standards, qualified programmers, testing and
conversion procedures, are all necessary to ensure that the
system does not fail for the lack of properly controlled design and
development.
This is by no means an exhaustive list of controls and there are
many others that you may wish to add. Remember that general
CIS controls are non-specific to any particular application; they
protect the system as a whole. You should note that weak general
CIS controls compromise the efficacy of CIS application controls.
(b) CIS application controls
The purpose of CIS application controls is to provide assurance
that all transactions are authorised, recorded and processed,
completely, accurately and on a timely basis. Again, we shall look
at examples of specific control procedures.
Controls that ensure the completeness of recording and
processing often also ensure accuracy, so one control procedure
may have several objectives. The following list, again, is not
exhaustive:
(i) Batch and hash totals are designed to check the completeness
and accuracy of inputs. Hash totals are meaningless numbers
created by the addition of, say, employee numbers on a payroll or
customer codes on a batch of invoices.
(ii) Sequence checks and document counts ensure the
completeness of input, and like batch and hash totals, can often be
reconstructed at the output stage.
(iii) Parameter (or reasonableness) checks usually ensure only
that the value of a transaction is not totally wrong; they do not
ensure that it is absolutely right!
(iv) Check digits are single digits that appear somewhere within
codes, such as bar codes. They are arrived at by the application of
a mathematical formula (such as Modulus 11) that is designed to
give a single-figure remainder, which forms the check digit. If the
code has been input incorrectly and the formula is applied, an
incorrect check digit will be calculated and an exception report
produced. Check digits are thus a check on accuracy.
(v) Screen prompts ("Do you really want to quit? Y/N") help
prevent many types of input error.


(vi) Existence checks ensure that the customer, supplier, or
employee who is being entered on a transaction file, actually exists
on the masterfile.
(vii) Consistency checks help ensure that one part of the
transaction being entered is consistent with another, e.g., if there is
a charge for carriage, there should also be a charge for goods.
(viii) Authorisation controls are both manual and computerised and
are essential to prevent the recording of invalid and inaccurate
transactions.
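As an added illustration of two of the application controls listed above, check digits (item (iv)) and batch and hash totals (item (i)), the following Python is not from the article: it computes and validates a Modulus 11 check digit and reconciles a constructed batch of invoices against a control sheet. The weighting scheme (weights counting down from len(code)+1 to 2), the batch and the control sheet figures are assumptions, and the validation goes slightly beyond the text by showing that transposed digits are rejected as well as mis-keyed ones.

```python
# Added example: Modulus 11 check digits and batch/hash totals.
# The weighting scheme (weights counting down from len(code)+1 to 2),
# the batch and the control sheet figures are constructed assumptions.


def mod11_check_digit(code: str) -> str:
    """Return the Modulus 11 check digit for a string of decimal digits.

    Each digit is weighted, the products are summed, and the check digit is
    the single figure needed to make the total an exact multiple of 11.
    A remainder of 10 cannot be a single digit, so it is shown as 'X'.
    """
    weights = range(len(code) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(code, weights))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def mod11_valid(full_code: str) -> bool:
    """Validate a code whose final character is its check digit.

    Recomputing the digit from the body and comparing it with the one keyed
    catches a single mis-keyed digit and transposed adjacent digits.
    """
    body, check = full_code[:-1], full_code[-1]
    return body.isdigit() and mod11_check_digit(body) == check


# Constructed batch of sales invoices: (customer code, invoice value).
BATCH = [("10234", 1200.00), ("10455", 350.50), ("10011", 89.99), ("10982", 2410.00)]


def batch_controls(batch):
    """Document count, batch (value) total and hash total of the customer codes.

    The hash total is a meaningless number; it only has to agree with the
    figure on the manually prepared batch control sheet to show that every
    customer code was keyed exactly as written.
    """
    return {
        "count": len(batch),
        "value": round(sum(value for _, value in batch), 2),
        "hash": sum(int(code) for code, _ in batch),
    }


def reconcile(batch, control_sheet):
    """Compare computed controls with the control sheet.

    Returns the names of the controls that disagree: an empty list means the
    batch can be released, anything else goes on the exception report.
    """
    actual = batch_controls(batch)
    return [name for name, expected in control_sheet.items() if actual.get(name) != expected]


if __name__ == "__main__":
    full = "12345" + mod11_check_digit("12345")            # "123455"
    print(full, mod11_valid(full), mod11_valid("213455"))  # transposition rejected
    print(reconcile(BATCH, {"count": 4, "value": 4050.49, "hash": 41682}))
```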

TYPES C & D Questions

Type C questions (how do auditors use computers in performing audits?) are not really dealt
with in the ISAs or IAPSs noted above. You can rely on your experience here if you use
computers on a day-to-day basis, and if you do not, remember that anything that can be done
with a pen and paper can probably be done with a computer! Type D questions (how would you
use CAATs in this area?) are covered by their own IAPS, and unless you work in a specialist
computer audit department, you are unlikely to have any significant experience of their use.
Consider the following question taken from the June 1997 paper:
Types C & D question
The senior partner of your firm of external auditors is proposing that portable
PCs (i.e., microcomputers) should be available on audits. He is aware that
the speed and storage capacity of PCs has increased dramatically in recent
years and that PCs can be connected to the client's computers.
In view of your recent studies for paper 5 and paper 6, the senior partner has
asked you to write a memorandum on the use of PCs in audit work.
The following areas have been suggested as suitable applications of PCs
to audit work:
(a) spreadsheets;
(b) statistical packages;
(c) using computer-assisted audit techniques (CAATs) to test computerised
accounting systems and controls over access to the computer;
(d) word processing and similar packages to record audit work.

Your firm audits companies which use PCs and minicomputers in processing
and recording their accounting information. In the larger and more modern
systems, data is input into the system through terminals in remote
departments.
You are required to write a memorandum to the senior partner of your
audit firm on the application and use of PCs in the work of external
auditors. You should include topics (a) to (d) above and any others you
consider relevant. (20 marks)

To get maximum marks for a question like this, you need to use a proper memorandum format,
as in the suggested answer below. Every firm has a different layout for memos, so the precise
format is not important. There can be anything up to four marks allocated to style and
presentation in a 20 mark question such as this.
Types C & D Suggested Answer
MEMORANDUM
To: S. Partner
From: J Smith
Date: 12 August, 19X8
Subject: The Application and Use of PCs
This memorandum covers the use of PC applications on audits
under the following headings:
(a) spreadsheets
(b) statistical packages
(c) word processors
(d) CAATs
(e) practice considerations
(a) Spreadsheets
Spreadsheets are sheets, similar to analysis paper, divided
into individually referenced cells that can be programmed with
formulae in order to calculate and recalculate quickly and
accurately. They hold much more data than can be comfortably
held on analysis paper.
Spreadsheets can be used in the following areas:
(i) Accounts preparation
Good quality, inexpensive, standardised accounts preparation
packages are now available and are suitable for anything from the
smallest of entities to large consolidation packages. Many of these
are spreadsheet based.
(ii) Time/cost budgeting
The firm's staffing requirements and planning can be performed
using spreadsheets, and individual audits can be costed and
budgeted using integrated software.
(iii) Analytical procedures
Analytical procedures that involve the calculation of trends, ratios
and other relationships can be dealt with effectively using
spreadsheets. Data in relation to financial performance and
position can be held for comparison with subsequent years, and
the use of spreadsheets facilitates consistency, particularly where
there are changes of staff.
(b) Statistical packages
This type of package is particularly useful in the application of
sampling procedures. Packages can, for example:
(i) select the number of items to test, within given parameters of
risk and assurance required;
(ii) select which items to test, at random, on a systematic, block or
monetary basis;
(iii) analyse results, by means of extrapolation to the
population as a whole.
Such packages increase the efficiency of the audit as they promote
accuracy and speed, and facilitate delegation and review. The
danger is that the package will be used mechanically, without the
proper use of professional judgement and that the results will be
assumed to be correct, simply because they have been produced
by the computer.
If the auditors' PCs can be connected to the client's PCs, or are
compatible with them, there will be no need to input data relating to
populations from which samples are drawn, as they can be taken
directly from the client's system. This may represent a
considerable time and cost saving.
(c) Word processing
Word processing is used in almost all areas of the audit. It is used
for the routine production of reports, faxes, letters, memos, emails
and other communications. It reduces the need for support staff
and shortens the time in which documents can be produced, as the
packages are user-friendly and can be used by professional staff.
It also improves client and staff relations, particularly where email
can be used to eliminate the physical movement of large
documents that need to be reviewed or edited.
Specifically, it can be used to produce audit programs, audit
planning documentation, ordinary working papers, lead schedules,
and almost all other current file documentation. Providing there is
adequate backup and proper contingency planning, it may be
possible to reduce the number of paper based files kept, with a
consequent reduction in storage costs.
(d) CAATs
CAATs are now available as standardised packages, but are
generally still only used for larger clients as they are relatively
expensive. They are, however, cost effective in the long run as
they are quicker and more accurate than conventional techniques.
The effective use of CAATs relies on the co-operation of clients and
a proper understanding of their use.
There are two basic categories of CAAT:
(i) Audit Software
Audit software is primarily used for substantive procedures. Client
data is processed through the auditor's programs. These
programs can, for example:
1 check additions;
2 select high value, static, or negative transactions and balances
for review;
3 perform, or re-perform, the ageing of a ledger;
4 select samples for further testing.
The data can be downloaded directly from the client's system, or
re-input into the auditor's system. Obviously, the better the
communications between auditor and client systems, the more
efficient this process will be. Embedded audit facilities amount
to audit software that has been written into the client's system, to
trap items as they are processed for further testing at a later date.
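As an added example of what the audit software functions listed above actually do (this is not code from the article or from any audit package), the Python below runs over a constructed sales ledger: it re-adds the balances, re-performs the ageing, and selects negative, high value and static balances for review. The period end, the ledger entries, the ageing bands and the review thresholds are all assumptions, as is taking the invoice date as the date of last movement.

```python
# Added example: what audit software does with a client's sales ledger.
# Period end, ledger entries, ageing bands and thresholds are constructed
# assumptions; the invoice date is taken as the date of last movement.
from datetime import date

PERIOD_END = date(1998, 6, 30)

# Constructed sales ledger: (customer, invoice date, outstanding amount).
LEDGER = [
    ("A001", date(1998, 6, 15), 1250.00),
    ("A002", date(1998, 5, 2), 4800.00),
    ("A003", date(1998, 3, 20), 610.00),
    ("A004", date(1997, 12, 1), 15000.00),
    ("A005", date(1998, 6, 28), -320.00),
    ("A006", date(1998, 1, 9), 75.00),
]
BANDS = [(30, "0-30"), (60, "31-60"), (90, "61-90")]
OVER = "over 90"


def check_additions(ledger):
    """Re-add the ledger so the total can be agreed to the control account."""
    return round(sum(amount for _, _, amount in ledger), 2)


def age_band(invoice_date, period_end=PERIOD_END):
    """Ageing band for an item, by days outstanding at the period end."""
    days = (period_end - invoice_date).days
    for limit, label in BANDS:
        if days <= limit:
            return label
    return OVER


def age_ledger(ledger, period_end=PERIOD_END):
    """Re-perform the ageing: outstanding total per band. Differences from the
    client's own aged listing are exceptions to follow up."""
    totals = {label: 0.0 for _, label in BANDS}
    totals[OVER] = 0.0
    for _, invoice_date, amount in ledger:
        totals[age_band(invoice_date, period_end)] += amount
    return {label: round(total, 2) for label, total in totals.items()}


def select_for_review(ledger, high_value=5000.0, static_days=120, period_end=PERIOD_END):
    """Balances an auditor wants to look at, with the reason: negative balances,
    balances at or above high_value, and static balances (no movement for more
    than static_days)."""
    picked = {}
    for customer, invoice_date, amount in ledger:
        reasons = []
        if amount < 0:
            reasons.append("negative")
        if amount >= high_value:
            reasons.append("high value")
        if (period_end - invoice_date).days > static_days:
            reasons.append("static")
        if reasons:
            picked[customer] = reasons
    return picked
```

Running `age_ledger(LEDGER)` and `select_for_review(LEDGER)` gives the aged totals and the three balances (A004, A005, A006) that would go on the review schedule.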
(ii) Test data
Test data is auditor-generated data that is used primarily for testing
controls. The auditor will test access controls over the system by
attempting to gain unauthorised entry into it, or by attempting to
process invalid data. For example, unauthorised passwords,
employee names or numbers may be used in an attempt to gain
entry. Incomplete transactions, transactions with incorrect coding,
transactions outside programmed parameters, and transactions
with non-existent customers or suppliers: all of these may be
used in testing to ensure that the system properly rejects invalid
transactions.
Test data carries with it the inherent risk of corruption of client data.
Integrated test facilities, which give the auditor his own section
of the general ledger, avoid this, and permit the testing of longer-term
controls. For example, the auditor may post a sales invoice to
the "A. Auditor" account on the sales ledger. He would hope that
in a few weeks' or months' time, the invoice would show in the
client's system as an overdue debtor.
(e) Practice considerations
The costs of investing in PCs, the associated software,
refurbishment, training and maintenance must be balanced against
the benefits of a more streamlined and efficient audit practice.
Please contact me if you have any further queries.

Conclusion
Auditing in a CIS environment is a wide area, but it is examined at a fairly basic level.
Familiarise yourself with the terminology and your paper 5 studies will also benefit.
The next and last article in this series will deal with the verification of balance sheet items.

http://www.accaglobal.com/archive/sa_oldarticles/49859