INFORMATION SYSTEM (CIS)

| NAME | IC | MATRIC CARD |
|---|---|---|
| | 940825-07-5526 | A13HA0006 |
| | 940124-11-5302 | A13HA0150 |
| | 940117-03-6024 | A13HA0135 |
| | 920315-01-5824 | A14HA0025 |
| | 910611-11-5062 | A13HA0097 |
| | 940108-08-5908 | A13HA0001 |
| | 941123-01-5902 | A13HA0141 |
The overall objective and scope of an audit does not change in a CIS environment.
Accordingly, a CIS environment may affect:
a. the procedures followed by the auditors in obtaining a sufficient understanding of the
accounting and internal control systems;
b. the consideration of inherent risk and control risk through which the auditors arrive at
the risk assessment; and
c. the auditors' design and performance of tests of control and substantive procedures
appropriate to meet the audit objective.
Statement of Auditing Standards 310, Auditing in a Computer Information System Environment (Issued January 1997; revised January 2004)
INTERNAL CONTROLS REDUCE IT RISKS
General controls
- Administration of the IT function
- Separation of IT duties
- System development
- Physical and online security
- Backup and contingency planning
- Hardware control
Application controls
- Input controls
- Processing controls
- Output controls
Administration of the IT function
The board of directors' and senior management's attitude about IT affects the perceived importance of IT within an organization.
An IT steering committee helps monitor the organization's IT needs.
Separation of IT duties
Segregation of duties (a well-controlled organization responds by separating key duties within IT):
i. IT management
ii. System development
iii. Operation
iv. Data control
System
Backup and contingency planning
- Battery backup or on-site generator
- Off-site storage of critical software and data files, or outsourcing to a firm that specializes in secure data storage.
Hardware control
Built into computer equipment by the manufacturer to detect and report equipment failure.
APPLICATION CONTROLS
INPUT CONTROLS
PROCESSING CONTROLS
OUTPUT CONTROLS
APPLICATION CONTROL
Application controls are those controls that pertain to the scope of individual processes or application systems.
They are designed for each software application to satisfy the six transaction-related audit objectives (existence, completeness, accuracy, classification, timing, and posting & summarization).
MANUAL CONTROLS
- Done by client personnel
- Effectiveness depends on the competency of the person.
AUTOMATED CONTROLS
- Done by computers
- Lead to consistent operation of the control
INPUT CONTROLS
TO ENSURE THE INFORMATION ENTERED INTO A COMPUTER IS AUTHORIZED, ACCURATE AND COMPLETE.
- RECORD TOTAL
- FINANCIAL TOTAL
- HASH TOTAL
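The three batch control totals listed above, reconciled against a batch header, as an added example that is not part of the original slides. The batch data, field names and helper functions are constructed for illustration; the hash total is taken here as the sum of vendor numbers, a field with no financial meaning.

```python
from decimal import Decimal

# Constructed sample batch (not from the original slides). The header totals are
# prepared by the originating department before the batch is keyed.
BATCH_HEADER = {"record_total": 4,
                "financial_total": Decimal("1830.50"),
                "hash_total": 40210}
KEYED_RECORDS = [
    {"vendor_no": 10021, "amount": Decimal("250.00")},
    {"vendor_no": 10034, "amount": Decimal("1200.50")},
    {"vendor_no": 10077, "amount": Decimal("300.00")},
    {"vendor_no": 10078, "amount": Decimal("80.00")},
]


def control_totals(records):
    """Recompute the three batch totals from the records as keyed."""
    return {
        "record_total": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        # Hash total: sum of a field with no financial meaning (vendor number).
        "hash_total": sum(r["vendor_no"] for r in records),
    }


def reconcile(header, records):
    """Return {total_name: (expected, computed)} for every total that differs."""
    computed = control_totals(records)
    return {name: (header[name], computed[name])
            for name in header if header[name] != computed[name]}


def keyed_with(index, **changes):
    """Copy of KEYED_RECORDS with one record altered, to model a keying error."""
    records = [dict(r) for r in KEYED_RECORDS]
    records[index].update(changes)
    return records


if __name__ == "__main__":
    print("clean batch      :", reconcile(BATCH_HEADER, KEYED_RECORDS))
    print("wrong vendor no. :", reconcile(BATCH_HEADER, keyed_with(2, vendor_no=10707)))
    print("wrong amount     :", reconcile(BATCH_HEADER, keyed_with(1, amount=Decimal("1250.50"))))
    print("record dropped   :", reconcile(BATCH_HEADER, KEYED_RECORDS[:3]))
```

A mis-keyed vendor number leaves the record and financial totals intact and is caught only by the hash total, which is why all three totals are kept.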
PROCESSING CONTROLS
TO PREVENT, DETECT AND CORRECT PROCESSING ERRORS WHILE TRANSACTION DATA ARE PROCESSED.
TYPES OF PROCESSING CONTROLS
- COMPLETENESS TEST
- VALIDATION TEST
- DATA REASONABLENESS TEST
- SEQUENCE TEST
- ARITHMETIC ACCURACY TEST
OUTPUT CONTROLS
Focus on detecting errors after processing is completed.
Examples of controls:
- reconcile computer-produced output to
AUDITOR EVALUATION ON INTERNAL CONTROL SYSTEM
Internal control
Aims
ASSESSING RISK OF INFORMATION SYSTEM
RISK TO HARDWARE AND DATA
- Unauthorized access
- Loss of data
AUDITING AROUND AND THROUGH THE COMPUTER
a) The auditor will bypass the computer system and will not check for the existence and/or operating effectiveness of controls in processing data; therefore the auditor may use any one or a combination of the following methods:
1. Output oriented method
2. Input oriented method
Auditors
For
Considerations:
wants to test.
Application programs tested by the auditors' test data must be the same as those the client used.
The test data MUST be eliminated from the client's records.
PARALLEL SIMULATION
The auditor uses auditor-controlled software to do the same operation that the client's software does, using the same data files (e.g. Generalized Audit Software (GAS)).
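Parallel simulation in miniature, as an added example that is not part of the original slides: an auditor-controlled routine re-performs the client's invoice calculation over the same data file and reports every difference from the client's output. The file layouts, the qty x unit price rule and all values are constructed assumptions.

```python
import csv
import io
from decimal import Decimal, ROUND_HALF_UP

# Constructed copy of the client's sales data file (the same file the client's
# program read) and of the invoice totals the client's program produced.
CLIENT_DATA_FILE = """invoice_no,qty,unit_price
1001,10,12.50
1002,3,199.99
1003,120,4.25
1004,7,15.00
1005,2,50.00
"""
CLIENT_OUTPUT = """invoice_no,invoice_total
1001,125.00
1002,599.97
1003,501.00
1004,105.00
"""


def simulate(data_file):
    """Auditor-controlled re-performance: invoice total = qty x unit price."""
    totals = {}
    for row in csv.DictReader(io.StringIO(data_file)):
        amount = Decimal(row["qty"]) * Decimal(row["unit_price"])
        totals[row["invoice_no"]] = amount.quantize(Decimal("0.01"), ROUND_HALF_UP)
    return totals


def compare(data_file, client_output):
    """List (invoice_no, finding, auditor_value, client_value) for each difference."""
    expected = simulate(data_file)
    reported = {row["invoice_no"]: Decimal(row["invoice_total"])
                for row in csv.DictReader(io.StringIO(client_output))}
    exceptions = []
    for inv in sorted(expected.keys() | reported.keys()):
        if inv not in reported:
            exceptions.append((inv, "missing from client output", expected[inv], None))
        elif inv not in expected:
            exceptions.append((inv, "not in data file", None, reported[inv]))
        elif expected[inv] != reported[inv]:
            exceptions.append((inv, "amount differs", expected[inv], reported[inv]))
    return exceptions


if __name__ == "__main__":
    for finding in compare(CLIENT_DATA_FILE, CLIENT_OUTPUT):
        print(finding)
```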
CAATs
Audit software
- Packaged programs
- Purpose written programs
- Enquiry programs
Test data
- Audit test data
- Integrated test facilities
Other techniques
- Embedded audit facilities (EAFs)
- Application program examination
AUDIT SOFTWARE
Audit software is a general term used to describe computer programs designed to carry out tests of control and/or substantive procedures. Such programs may be classified as:
1. Packaged programs
2. Purpose written programs
3. Enquiry programs
TEST DATA
1. Audit test data
An application program used by an audit client will normally be tested with audit test data so that the auditor knows whether the application used by the client exists and is effective.
The results of processing are then compared to the auditor's results. The comparison is made to determine whether controls are operating efficiently and system objectives are being achieved.
For example, when goods are received from the supplier, only transaction invoices with the mark accepted will be processed by the system. Clearly, if the transactions processed do not produce the expected results in output, the auditor will need to consider the need for increased substantive procedures in the area being reviewed.
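The goods-received example above run as an audit test deck, as an added example that is not part of the original slides. `client_program` is a hypothetical stand-in for the client's own application (in an audit the client's real program is run), and the invoices, marks and expected results are constructed.

```python
# Hypothetical stand-in for the client's goods-received program (in an audit the
# client's own program is run). It should post only invoices marked "accepted".
def client_program(invoices, ledger):
    for inv in invoices:
        if "accepted" in inv["mark"].lower():   # control as coded by the client
            ledger.append(inv)


# Auditor's test deck (constructed): each invoice with the predetermined result.
TEST_DECK = [
    ({"invoice_no": "T-001", "mark": "accepted", "amount": 100}, True),
    ({"invoice_no": "T-002", "mark": "rejected", "amount": 100}, False),
    ({"invoice_no": "T-003", "mark": "", "amount": 100}, False),
    ({"invoice_no": "T-004", "mark": "not accepted", "amount": 100}, False),
]


def run_test_data(program, ledger):
    """Process the test deck and return invoices whose result differs from expected."""
    test_ids = {inv["invoice_no"] for inv, _ in TEST_DECK}
    program([dict(inv) for inv, _ in TEST_DECK], ledger)
    posted = {inv["invoice_no"] for inv in ledger}
    deviations = [inv["invoice_no"] for inv, should_post in TEST_DECK
                  if (inv["invoice_no"] in posted) != should_post]
    # The test data must be eliminated from the client's records afterwards.
    ledger[:] = [inv for inv in ledger if inv["invoice_no"] not in test_ids]
    return deviations


if __name__ == "__main__":
    ledger = [{"invoice_no": "INV-5001", "mark": "accepted", "amount": 730}]
    print("deviations:", run_test_data(client_program, ledger))
    print("ledger after cleanup:", ledger)
```

The stand-in posts the invoice marked "not accepted", so the deck reports T-004 as a deviation from the expected result, the situation in which the auditor would consider increased substantive procedures.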
OTHER TECHNIQUES
1. Embedded audit facilities (EAFs)