CHAPTER 22:

AUDITING
IN A COMPUTER
INFORMATION
SYSTEMS(CIS)
ENVIRONMENT
EFFECTS OF COMPUTERS
ON THE AUDIT PROCESS
 The procedures followed by the auditor in
obtaining a sufficient understanding of the
accounting and internal control systems.
 The consideration of inherent risk and control risk
through which the auditor arrives at the risk
assessment.
 The auditors design and performance of test of
control and substantive procedures appropriate to
meet the audit objective.
 Obtain a sufficient understanding of the
accounting and internal control system affected by
the CIS environment.
 Determine the effect of the CIS environment on the
assessment of overall risk and of risk at the
account balance and class of transactions level.
 Design and perform appropriate test of control and
substantive procedures.
PLANNING
In accordance with PSA 315(Redrafted)”Identifying and
Assessing the Risks of Material Misstatement Through
Understanding the Entity and its Environment,” the
auditor should obtain an understanding of the
accounting and internal control systems sufficient to
plan the audit and develop an effective audit approach.
The nature of the risks and the internal control
characteristics in CIS environment include the
following :
 Lack of transaction trails.

 Uniform processing of transactions.

 Lack of segregation of functions.

 Potential errors and irregularities

ASSESSMENT OF RISK
The inherent risks and control risks in a CIS environment
may have both a pervasive effect and an account-specific
effect on the likelihood of material misstatement, as
follows:
 The risks may result from deficiencies in pervasive CIS
activities, such as program development and maintenance,
system software support, operations, physical CIS security, and
control over access networks, operating systems, programs and
databases.
 The risks may increase the potential for errors or fraudulent
activities in specific applications, in specific data bases or
master files, or in specific applications.
 AUDIT CLIENTS USING COMPUTER
INFORMATION SYSTEMS(CIS)
The audit procedures applicable to evaluating
the internal controls in CIS systems are:
A. Review of the system- the auditor must be
capable of understanding the entire system
to evaluate the client’s internal control.

B. Compliance Testing of CIS controls-the

auditor attempts to gather evidence to
provide reasonable assurance that the
prescribed controls are functioning properly.
a. auditing around the computer
b. auditing through the computer
C. Substantive testing of computer-based
records

1. Substantive testing without using the computer

2. Substantive testing with the use of a computer

A. Auditor written programs

B. Audited programs
C. Utility programs
D. Generalized computer audit programs
 AUDIT TECHNIQUES USING
COMPUTERS
 Audit Software-the auditor may use various type of software on
either microcomputers or mainframe computer.
 Test Data-A set of dummy transaction is developed by the auditor
and processed by the clients computer programs to determine
whether the controls which the auditors intends to rely on are
functioning as expected.
 Concurrent Audit Techniques-these techniques collect evidence as
transactions are processed, immediately reporting information
requested by the auditor or storing for later access.
Three Concurrent Techniques
 Integrated Test Facility

 Snapshots

 System Control Audit Review File

 Parallel Simulation-this method processes
actual client data through an auditors software
program.
 Code comparison-in the performance of code
comparison, an auditor examines two versions
of a program to determine whether they are
identical.
 Audit Workstation-more internal audit
departments and a few external auditing firms
are ending their dependence on audit software
programs run on a maintenance by using an
audit workstation.
 7 STEPS USE OF AUDIT
WORKSTATION
1. Determine data needed
2. Write extract routine
3. Run extract routine
4. Download extracted file
5. Perform analysis
6. Prepare report
7. Work papers
 MICROCOMPUTER-
BASED SYSTEM
A number of auditors use commercially available
software, often referred to as data manager to
download client data to the auditors
microcomputer.
 USING THE MICROCOMPUTER IN
ADMINISTRATOR OF AN AUDIT
 The availability of powerful, low-cost
microcomputers and software are cost
effective tools that many auditors have
found helpful in administering and
performing an audit.
 1. Preparing working papers
2. Executing audit procedures
3. Research
4. Engagement management, and
5. Time Budgeting
 SPECIALIZED AUDIT PROGRAMS
AND ADDITIONAL TECHNIQUES
Specialized audit programs may be
develop to perform specific audit tasks.

Tagging and Tracing Transactions

This process involves tagging or
specifically marking or highlighting certain
transaction by the auditor at the time of
their input.
ELECTRONIC COMMERCE-EFFECT ON
THE AUDIT OF FINANCIAL
STATEMENTS (PAPS1013)

The purpose of PAPS 1013 is to provide

guidance to assist auditors of financial
statements where an entity engages in
commercial activity that takes place by means
of connected computers over a public network,
such as the internet(e-commerce).
 SKILLS AND KNOWLEDGE

The level of skill and knowledge required to

understand the effect of e-commerce on the
audit will vary with the complexity of the entity’s
e-commerce activities.
 KNOWLEDGE OF THE
BUSINESS

PSA 315(redrafted) requires that the auditors

obtain a knowledge of the business sufficient to
enable the auditor to identify and understand
the event, transactions and practices that may
have significant effect on the financial
statements or on the audit report.
 In obtaining or updating knowledge of the
entity’s business, the auditor considers so far
as they affect the financial statements :
 The entity’s business activities and industry

 The entity’s e-commerce strategy

 The extent of the entity’s e commerce activities

 The entity’s outsourcing arrangements

 RISK IDENTIFICATION
Management faces many business risks relating to
the entity’s e-commerce activities.
Loss of transaction integrity
Pervasive e-commerce security risks
Improper accounting policies
Noncompliance with taxation and other legal and
regulatory requirements
Failure to ensure that contracts evidenced only by
electronic means binding
Overreliance on e commerce
Systems and infrastructure failure or “crashes”
 LEGAL AND REGULATORY
ISSUES
A comprehensive international legal
framework for e-commerce and an
efficient infrastructure to support such a
framework does not exist.

PSA 250 (Redrafted)”Considerations of Laws and Regulations

in an Audit of Financial Statements” requires that when
planning and performing audit procedures and in evaluating
and reporting the results thereof, the auditor recognize that
noncompliance by the entity with laws and regulations may
materially affect the financial statement.
 INTERNAL CONTROL
CONSIDERATIONS
It can be used to mitigate many of risk
associated with e-commerce activities. The
auditor considers the control environment
and control procedures the entity has
applied to its e-commerce activities to the
extent they are relevant to the financial
statement assertions.
SECURITY

The entity’s security infrastructure and related

controls are a particularly important feature of
its internal control system when external parties
are able to access the entity’s information
system using a public network such as the
internet.
Transaction Integrity

The auditor considers the completeness,

accuracy, timeless and authorization of
information provided for recording and
processing in the entity’s financial records.
PROCESS ALIGNMENT

Process Alignment refers to the way various IT

system are integrated with one another and thus
operate, in effect, as one system.
THE EFFECT OF ELECTRONIC RECORDS ON
AUDIT EVIDENCE

 There may not be any paper records for e-commerce

transactions, and electronic records may be easily destroyed or
altered than paper records without leaving evidence of such
destruction or alteration. The auditor considers whether the
entity’s security of information policies, and controls as
implemented, are adequate to prevent unauthorized changes
to the accounting system or records, or to systems that provide
data t the accounting system.