COMPUTERISED

INFORMATION SYSTEM
(CIS)
NAME

IC

MATRIC CARD

ANIS FARHANA BINTI MOHD FANSURI

940825-07-5526

A13HA0006

ROMALINA SYAFIQA BINTI ROSLI

940124-11-5302

A13HA0150

NURUL HISYAFIKA BINTI OTHMAN

940117-03-6024

A13HA0135

FELISHA JONAH A/P B. RAJANDRA PRAKASH

920315-01-5824

A14HA0025

NORKHAZMAWANI BT. MIN

910611-11-5062

A13HA0097

ADILAH BINTI BUANG

940108-08-5908

A13HA0001

NURUL SHAHIRA BINTI BAHARUDIN

941123-01-5902

A13HA0141

AUDIT OBJECTIVE AND SCOPE OF WORK IN

COMPUTERIZED ENVIRONMENT
Audit objective the audit objective will not change, as the auditor must
obtain sufficient appropriate audit evidence to
draw reasonable conclusions on which to base the audit opinion.

(Auditing in a computer environment , CPA, July 2015)

The overall objective and scope of an audit does not change in a CIS environment.
Accordingly, a CIS environment may affect:
a. the procedures followed by the auditors in obtaining a sufficient understanding of the
accounting and internal control systems;
b. the consideration of inherent risk and control risk through which the auditors arrive at
the risk assessment; and
c. the auditors' design and performance of tests of control and substantive procedures
appropriate to meet the audit objective.

Statement Of Auditing Standards 310 Auditing in a Computer Information System Environment (Issued January 1997; revised January 2004

INTERNAL
CONTROL REDUCE
IT RISK

General
control
Administration of
the IT function
Separation of IT
duties
System
development
Physical and online
security
Backup and
contingency
planning
Hardware control

Internal
control
reduce IT
risks

Application
control

Input Controls
Processing
Controls
Output Controls

Administration
board of directors and senior
ofThe
IT function
management s attitude about IT
effect the perceived importance of
IT with an organization.
IT steering committee to help
monitor the organization IT needs

Separation of
IT
duties
Segregation
of duties (well
controlled organization respond by
separating keys duties with IT)
i. IT management ii. System
development
iii. Operation
iv. Data control

System

Purchasing software or developing

development
in house software that meet the
organization need.
Testing all software to make sure
the new software is compatible with
existing hardware & software and
determine the ability of software to
handle the transaction.
i. Pilot testing : testing at one
department by one department
ii. Parallel testing : the old & new
system work simultaneously in all
location.

Physical and online

security
Physical control over computer and restriction t online
software and related data file decrease the risk of
unauthorized change to program and improper use of
program and data files.
i.
Physical control : security camera, badge-entry
system, keypad entrance, security personnel
ii. Online access control : proper user IDs, password
control access

Backup and
contingency planning
Battery backup or on-site generator
Off-site storage of critical software and data file or out
sourcing to firm that specialized in secure data storage.

Hardware
control
Build into computer equipment by
manufacturer to detect and report
equipment failure

N
O
I
T
A
C
I
AP P L
S
L
O
R
T
N
CO

APPICATION CONTROLS

INPUT CONTROLS
PROCESSING CONTROLS
OUTPUT CONTROLS

APPLICATION CONTROL
Application controls are those controls that pertain to
the scope of individual processes or application systems
Design for each software application to satisfy the six
transaction-related audit objectives.(existence, completeness,
accuracy, classification, timing and posting & summarization)

They include data edits, separation of business functions,

balancing of processing totals, transaction logging, and
error reporting

MANUAL
CONTROLS
AUTOMATED
CONTROLS

Done by client
personnel
Effectiveness
depends on
competency of
person.
Done by computers
Lead to consistent
operation control

INPUT CONTROLS
TO ENSURE THE INFORMATION ENTERED
INTO A COMPUTER IS AUTHORIZED,
ACCURATE AND COMPLETE.

BATCH INPUT CONTROLS

RECORD
TOTAL

FINANCIAL
TOTAL
HASH
TOTAL

PROCESSING CONTROLS
TO PREVENT ,DETECT AND CORRECT
PROCESSING ERRORS WHILE
TRANSACTION DATA ARE
PROCESSED.

COMPLETENESS
TEST

VALIDATION TEST
TYPE OF
PROCESSIN
G
CONTROLS

DATA
REASONABLENESS
TEST

SEQUENCE TEST

ARITHMETIC
ACCURACY TEST

OUTPUT CONTROLS
Focus on detecting errors after processing is
completed
Example of controls :
- reconcile computer-produced output to

manual control total

- Compare a sample of transaction output
to input
source document
- Verify dates and time of processing to
identify
any out- of - sequence processing

AUDITOR EVALUATION ON
INTERNAL CONTROL SYSTEM
Internal control

Vital to make our business more smoothly , efficiently and

effectively be done

Aims

To protect business asset

More to prevention rather than detection

The well designed internal control system includes:

Control

environment, risk assessment and test of the

control activities

ASSESSING RISK OF
INFORMATION SYSTEM
RISK TO HADWARE AND DATA

REDUCED AUDIT TRAIL

NEED FOR EXPERIENCE AND SEPARATION OF

DUTIES

RISK TO HADWARE AND DATA

Reliance on the functioning
capabilities of hardware and
software
Systematic versus random error

Unauthorized access

Loss of data

REDUCED AUDIT TRAIL

AUDIT TRAIL :
System that traces the detailed
transaction relating to any item
in accounting record
Visibility of Audit trail

Reduced human involvement

Lack of traditional authorization

NEED FOR EXPERIENCE AND

SEPARATION OF DUTIES

Reduced separation of duties

Need for IT experience

AUDITING AROUND
AND THROUGH
THE COMPUTER

AUDITING AROUND THE COMPUTER

Audit

around the computer means that processing done by the

computer system needs not to be audited as auditor expects that
sufficient appropriate audit evidence can be obtained by reconciling
inputs with outputs.

Most often this approach is used either because:

a)

Processing done by the computer is too simple e.g.

Casting, sorting etc

b) Auditor is already aware of the softwares reliability. This is

the case with most of off-the-shelf software used by client

without any in-house alteration and thus need not to be
checked.

c) Auditor has no mean to gain understanding of the computer

system and thus resorts with this approach

Auditor will bypass computer system and will not check for
existence and/or operating effectiveness of controls in processing
data therefore auditor may use any one or combination of the
following methods:
1. Output oriented method
2. Input oriented method

INPUT ORIENTED METHOD

Sample select source documents (input) that are fed in to

the computer system for processing and auditor

independently processes the inputs using his own
computer system or software and then compare the
outputs generated by auditors computer system with
the output generated by the clients computer system to
confirm accuracy, completeness and other assertions.

Auditors

processing may be manually done without

getting any assistance of the computer.

For

example clients system reports that cash book

balance reconciles with bank balance as per bank
statement. Auditor may conduct his own reconciliation to
confirm whether it is true.

OUTPUT ORIENTED METHOD

Sample select the information generated by the
computer system (output) and compare it with auditors
ideal system or information gathered from other sources
or evidence collected by the auditor by the application of
other audit procedures.

For example comparing receivables balances with the

statement of accounts received from customers or
comparing stock records with reports of inventory counts

AUDITING THROUGH THE

COMPUTER
Various steps taken by auditors to evaluate clients
software and hardware to determine the reliabilities of
operation

Auditor use 3 categories of testing approaches as follow

Test Data Approach

Parallel Simulation
Embedded Audit Module Approach

TEST DATA APPROACH

Auditor process their own test data using the clients
computer system and application program to determine
whether the automated controls correctly process the
test data.

Considerations:

Test should include all relevant conditions that auditor

wants to test.
Application programs tested by auditors test data must be
the same as those the client used.
The test data MUST be eliminates from clients records.

PARALLEL SIMULATION
Auditor are using auditor controlled software to do the
same operation that the clients software does, using the
same data files. (Exp: Generalized Audit Software (GAS))

GAS used to test automated controls.

Gas used to varify client account balances.

EMBEDDED AUDIT MODULE

APPROACH
Embedded audit modules are sections of application
program code that collect transaction data for the
auditor.

Auditors insert an audit module in the clients application

system to identify specific types of transaction.

Example: All transactions affecting a specific account that

are in excess of RM500 000 are automatically selected.

COMPUTER ASSISTED AUDIT

TECHNIQUES
(CAATS)

Audit software

Packaged programs
Purpose written
programs
Enquiry programs

Test data

Audit test
data
Integrated
test facilities

Other techniques

Embedded audit
facilities (EAFs)
Application
program
examination

CAATs

Caats

are computer programs and data that

the auditor uses as part of the audit procedures
to process data of audit significance contained
in a client computer information system (CIS)

AUDIT SOFTWARE
Audit software is a general term used to parsing
computer programs designed to carry out tests
of control and/or substantive procedures. Such
programs may be classified as:

 1. Packaged programs

The program are not client specific because it

will apply at all client that audit engage. These

program also consist of pre-prepared generalised
programs used by auditors. They may be used to
carry out numerous audit tasks, for example, to
select a sample in supplier lists.

2. Purpose written programs

These programs are function as tests of control or

substantive procedures and usually for client

specific.
Client can buy or developed audit software, but in
order to develop or buy the software, there have the
things that should consider; they need to ensure
that specified programs are appropriate for a
clients system and the needs of the audit.
Typically, they may be used to re-perform
computerised control procedures (for example, cost
of sales calculations) or perhaps to carry out an
aged analysis of trade receivable (debtor) balances.

 3. Enquiry programs

These programs are normally focusing to the

clients accounting system; however this program

may be adapted for audit purpose as well.
For example, where a system provides for the
routine reporting on a monthly basis of
production of output such as finish goods, work in
process and the defect item, this facility may be
utilised by the auditor when auditing the
inventories records in the clients financial
statements.

TEST DATA
1. Audit test data
An application program used by an audit client normally will be

test by audit test data for the auditor know whether the
application used by the client are exist and effective to be
used.
The results of processing are then compared to the auditors
result. The comparison been made is to determine whether
controls are operating efficiently and systems objectiveness
are being achieved.
For example, when received of goods from the supplier, only
transactions invoice with the mark accepted will be processed
by the system. Clearly, if transactions processed do not
produce the expected results in output, the auditor will need to
consider the need for increased substantive procedures in the
area being reviewed.

 2. Integrated test facilities

To avoid the risk of corrupting a clients account system,

by processing test data with the clients other live data

such as third party, auditors may instigate special test
data only processing runs for audit test data.
Through this method the auditor does not have total
assurance that the test data is being processed in a
similar fashion to the clients live data. The auditor needs
approval from client to establish an integrated test
facility within the accounting system.
This entails the establishment of a dummy unit, for
example, a dummy supplier account against which the
auditors test data is processed during normal processing
runs.

OTHER TECHNIQUES
1. Embedded audit facilities (EAFs)

In order to auditor embedded to the clients application

software, through this technique requires the auditors own
program code, such that verification procedures can be
carried out as required on data being processed.
For example, tests of control may include the
reperformance of specific input validation checks choose
transactions may be tagged and followed through the
system and check whether the transaction have been
applied the controls and processes by the computer system.
Through the EAFs, the results of testing should record in a
special secure file for subsequent review by the auditor.

 2. Application program examination

When

determining the extent to which they may rely

on application controls, auditors need to consider the
extent to which specified controls have been
implemented correctly. For example, where system
amendments have occurred during an accounting
period, the auditor would need assurance as to the
existence of necessary controls both before and after
the amendment.