PROJECT IN

CIS AUDIT
A Research about Audit Objectives,
Procedures and Program for Computerbased Accounting System

Submitted by:
Clarice I. Guintibano

Submitted to:
Dr. William Baltazar, CPA
July 18, 2016

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

TABLE OF CONTENTS
INTRODUCTION..........3
GENERAL
PRINCIPLES..4-7
AUDITING OF COMBUTER-BASED ACCOUNTING SYSTEM:
AUDIT
OBJECTIVES.
...8-10
AUDIT
PROCEDURES..
.11-18
AUDIT
PROGRAMS..
..19-21
EXAMPLE OF AN AUDIT PROGRAM........22

2 | Page

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

INTRODUCTION
Students need to ensure they have a complete understanding of the controls in a
computer-based environment, how this impact on the auditors assessment of risk, and
the subsequent audit procedures. These procedures will often involve the use of
computer-assisted audit techniques (CAATs).
Information technology (IT) is integral to modern accounting and management
information systems. It is, therefore, imperative that auditors should be fully aware of the
impact of IT on the audit of a clients financial statements, both in the context of how it is
used by a client to gather, process and report financial information in its financial
statements, and how the auditor can use IT in the process of auditing the financial
statements.
The purpose of this research is to provide guidance on following aspects of auditing in a
computer-based accounting environment:
Application controls, comprising input, processing, output and master file control
established by an audit client, over its computer-based accounting system and
Computer-assisted audit techniques (CAATs) that may be employed by auditors to test
and conclude on the integrity of a clients computer-based accounting system.

3 | Page

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

GENERAL PRINCIPLES
Relevant auditing standards
References will be made throughout this research to the most recent guidance in
standards:

ISA 300 (Redrafted) Planning an Audit of Financial Statements

ISA 315 (Redrafted) Identifying and Assessing the Risks of Material Misstatement
Through Understanding the Entity and Its Environment
ISA 330 (Redrafted) The Auditors Responses to Assessed Risks.

Internal controls in a computer environment

The two main categories are application controls and general controls.

Application controls
These are manual or automated procedures that typically operate at a business process
level and apply to the processing of transactions by individual applications. Application
controls can be preventative or detective in nature and are designed to ensure the
integrity of the accounting records.
Accordingly, application controls relate to procedures used to initiate, record, process
and report transactions or other financial data. These controls help ensure that
transactions occurred, are authorised and are completely and accurately recorded and
processed (ISA 315 (Redrafted).
Application controls apply to data processing tasks such as sales, purchases and
wages procedures and are normally divided into the following categories:
(i) Input controls
Examples include batch control totals and document counts, as well as manual
scrutiny of documents to ensure they have been authorised. An example of the
operation of batch controls using accounting software would be the checking of a
manually produced figure for the total gross value of purchase invoices against
that produced on screen when the batch-processing option is used to input the
invoices. This total could also be printed out to confirm the totals agree.

4 | Page

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

The most common example of programmed controls over the accuracy and
completeness of input are edit (data validation) checks when the software checks
that data fields included on transactions by performing:

reasonableness check, eg net wage to gross wage

existence check, eg that a supplier account exists
character check, eg that there are no alphabetical characters in a
sales invoice number field
range check, eg no employees weekly wage is more than $2,000
check digit, eg an extra character added to the account reference
field on a purchase invoice to detect mistakes such as transposition
errors during input.

When data is input via a keyboard, the software will often display a screen
message if any of the above checks reveal an anomaly, eg Supplier account
number does not exist.
(ii) Processing controls
An example of a programmed control over processing is a run-to-run control. The
totals from one processing run, plus the input totals from the second processing,
should equal the result from the second processing run. For instance, the
beginning balances on the receivables ledger plus the sales invoices (processing
run 1) less the cheques received (processing run 2) should equal the closing
balances on the receivable ledger.
(iii) Output controls
Batch processing matches input to output, and is therefore also a control over
processing and output. Other examples of output controls include the controlled
resubmission of rejected transactions, or the review of exception reports (eg the
wages exception report showing employees being paid more than $1,000).
(iv) Master files and standing data controls
Examples include one-for-one checking of changes to master files, eg customer
price changes are checked to an authorised list. A regular printout of master files
such as the wages master file could be forwarded monthly to the personnel
department to ensure employees listed have personnel records.

General controls

5 | Page

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

These are policies and procedures that relate to many applications and support the
effective functioning of application controls. They apply to mainframe, mini-frame and
end-user environments. General IT controls that maintain the integrity of information
and security of data commonly include controls over the following:

data centre and network operations

system software acquisition, change and maintenance
program change
access security
application system acquisition, development, and maintenance (ISA 315
(Redrafted))

End-user environment refers to the situation in which the users of the computer
systems are involved in all stages of the development of the system.
(i) Administrative controls
Controls over data centre and network operations and access security
include those that:

prevent or detect errors during program execution, eg procedure

manuals, job scheduling, training and supervision; all these prevent
errors such as using wrong data files or wrong versions of production
programs
prevent unauthorised amendments to data files, eg authorisation of
jobs prior to processing, back up and physical protection of files and
access controls such as passwords
ensure the continuity of operations, eg testing of back - up
procedures, protection against fire and floods.

(ii) System development controls

The other general controls referred to in ISA 315 cover the areas of system
software acquisition development and maintenance; program change; and
application system acquisition, development and maintenance.
System software refers to the operating system, database management
systems and other software that increases the efficiency of processing.
Application software refers to particular applications such as sales or wages.
The controls over the development and maintenance of both types of
software are similar and include:

6 | Page

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

Controls over application development, such as good standards over the

system design and program writing, good documentation, testing procedures
(eg use of test data to identify program code errors, pilot running and parallel
running of old and new systems), as well as segregation of duties so that
operators are not involved in program development
Controls over program changes to ensure no unauthorised amendments
and that changes are adequately tested, eg password protection of
programs, comparison of production programs to controlled copies and
approval of changes by users
Controls over installation and maintenance of system software many of the
controls mentioned above are relevant, eg authorisation of changes, good
documentation, access controls and segregation of duties.

7 | Page

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

AUDIT
OBJECTIVE
S
8 | Page

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

AUDIT OBJECTIVES
Most often, IT audit objectives concentrate on substantiating that the internal controls
exist and are functioning as expected to minimize business risk.
The objectives of IT audits include:

Assuring compliance with legal and regulatory requirements, as well as the

confidentiality, integrity, and availability of information systems and data.
Evaluating the reliability of data from IT systems which have an impact on the
financial statements of the organizations.
Ascertaining the level of compliance with the applicable laws, policies and
standards in relation to IT.
Checking if there are instances of excess, extravagance, gross inefficiency
tantamount to waste in the use and management of IT systems.
When performing an IS audit, auditors should ascertain that the following
objectives are met:
Security provisions protect computer equipment, programs,
communications, and data from unauthorized access, modification, or
destruction.
Program development and acquisition is performed in accordance with
managements general and specific authorization.
Program modifications have the authorization and approval of
management.
Processing of transactions, files, reports, and other computer records
is accurate and complete.
9 | Page

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

Source data that are inaccurate or improperly authorized are identified

and handled according to prescribed managerial policies.
Computer data files are accurate, complete, and confidential.

Audit Objectives for assessing controls in the PC environment include the

following:

Verify that controls are in place to protect data, programs, and computers from
unauthorized access, manipulation, destruction, and theft.
Verify that adequate supervision and operating procedures exist to compensate
for lack of segregation between the duties of users, programmers, and operators.
Verify that backup procedures are in place to prevent data and program loss due
to system failures, errors and so on.
Verify that systems selection and acquisition procedures produce applications
that are high quality, and protected from unauthorized changes.
Verify that the system is free from viruses and adequately protected to minimize
the risk of becoming infected with a virus or similar object.

The auditors objectives is to ensure that the established system audit trail is adequate
for preventing and defecting abuses, reconstructing key events that precede systems
failures, and planning resource allocation.
Audit Objectives Relating to Passwords
The auditors objective here is to ensure that the organization has an adequate and
effective password policy for controlling access to the operating systems

10 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

11 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

AUDIT
PROCEDUR
ES

AUDIT PROCEDURES
Audit Procedures Associated with PC Security
12 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

The auditor should observe that PCs are physically anchored to reduce the
opportunity of theft.
The auditor should verify from organizational charts, job descriptions, and
observation that programmers of accounting systems do not also operate those
systems. In smaller organizational units where functional segregation is
impractical, the auditor should verify that there is adequate supervision over
these tasks.
The auditor should confirm that reports of processed transactions, listings of
updated accounts, and control totals are prepared, distributed, and reconciled by
appropriate management at regular and timely intervals.
Where appropriate, the auditor should determine that multilevel password control
is used to limit access to data and application and that the access authority
granted is consistent with the employees job descriptions.
If removable or external hard drives are used, the auditor should verify that the
drives are removed and stored in a secure location when not in use.
By selecting a sample of backup files, the auditor can verify that backup
procedures are being followed. By comparing data values and dates on the
backup disks to production files, the auditor can assess the frequency and
adequacy of backup procedures. If an online backup service is used, the auditor
should verify that the contract is current and adequate to meet the organization
needs.
By selecting a sample of PCs, the auditor should verify that their commercial
software packages were purchased from reputable vendors and are legal copies.
The auditor should review the selection and acquisition procedures to ensure that
end-user needs were fully considered and that the purchased software satisfies
those needs.
The auditor should review the organizations policy for using antiviral software.
This policy may include the following points:
1. Antiviral software should be installed on all microcomputers and invoked
as part of the startup procedure when the computers are turned on. This
will ensure that all key sectors of the hard disk are examined before any
data are transferred through the network.
2. All upgrades to vendor software should be checked for viruses before
they implemented.
3. All public-domain software should be examined for virus infection before
it is used.

13 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

4. Current versions of antiviral software should be available to all users.

Verify that the most current virus data files are being downloaded
regularly, and that the antivirus program is indeed running in the PCs
background continuously, and thus able to scan all incoming documents.
Corporate versions generally include a push update where the software
automatically checks the home Web site of the antivirus vendor for new
updates each time it is connected to the Internet and the PC is booted.

Audit Procedures Relating to Passwords

Verify that all users are required to have passwords.

Verify that new users are instructed in the use of passwords and the importance
of password control.
Review password control procedures to ensure that passwords are changed
regularly.
Review the password control procedures to ensure that passwords are identified
and disallowed. This may involve using software to scan password files for
known weak passwords.
Verify that the password file is encrypted and that the encryption key is properly
secured.
Assess the adequacy of password standards such as length and expiration
interval.
Review the account lockout policy and procedures. Most operating systems allow
the system administrator to define the action to be taken after a certain number
of failed log-on attempts. The auditor should determine how many failed log-on
attempts are allowed before the account is locked` The duration of the lockout
also needs to be determined. This could range from a few minutes to a
permanent lockout that requires formal reactivation of the account.

Audit Procedures Relating to System Audit Trails

Most operating systems provide some form of audit manager function to specify
the events that are to be audited. The auditor should verify that the audit trail has
been activated according to organization policy.
Many operating systems provide an audit log viewer that allows the auditor to
scan the log for unsusual activity. These can be reviewed on screen or by
archiving the file for subsequent review. The auditor can use general-purpose
data extraction tools for accessing archived log files to search for defined
conditions such as:
Unauthorized or terminated user
14 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

Periods of inactivity
Activity by user, workgroup, or department
Log-on and log-off times
Failed log-on attempts
Access to specific files or applications
The organizations security group has responsibility for monitoring and reporting
security violations. The auditor should select a sample of security violation cases and
evaluate their disposition to assess the effectiveness of the security group.

COMPUTER-ASSISTED AUDIT TECHNIQUES

Computer-assisted audit techniques (CAATs) are those featuring the application of
auditing procedures using the computer as an audit. CAATs are normally placed in three
main categories:
(i) Audit software
Computer programs used by the auditor to interrogate a clients computer files; used
mainly for substantive testing. They can be further categorised into:
Package programs (generalized audit software) pre-prepared programs for which the
auditor will specify detailed requirements; written to be used on different types of
computer systems
Purpose-written programs perform specific functions of the auditors choosing; the
auditor may have no option but to have this software developed, since package
programs cannot be adapted to the clients system (however, this can be costly)
Enquiry programs those that are part of the clients system, often used to sort and
print data, and which can be adapted for audit purposes, eg accounting software may
have search facilities on some modules, that could be used for audit purposes to search
for all customers with credit balances (on the customers module) or all inventory items
exceeding a specified value (on the inventory module).
Using audit software, the auditor can scrutinise large volumes of data and present
results that can then be investigated further. The software consists of program logic
needed to perform most of the functions required by the auditor, such as:

select a sample
report exceptional items
compare files
analyse, summarise and stratify data.

15 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

The auditor needs to determine which of these functions they wish to use, and the
selection criteria.
EXAMPLE (AUDIT PROCEDURE FOR WAGES)
The following is an example of how this could be applied to the audit of wages:

Select a random sample of employees from the payroll master file; the auditor
could then trace the sample back to contracts of employment in the HR
department to confirm existence
Report all employees earning more than $1,000 per week
Compare the wages master file at the start and end of the year to identify starters
and leavers during the year; the auditor would then trace the items identified
back to evidence, such as starters and leavers forms (in the HR department) to
ensure they were valid employees and had been added or deleted from the
payroll at the appropriate time (the auditor would need to request that the client
retain a copy of the master file at the start of the year to perform this test)
Check that the total of gross wages minus deductions equates to net pay.

(ii) Test data

Test data consists of data submitted by the auditor for processing by the clients
computer system. The principle objective is to test the operation of application controls.
For this reason, the auditor will arrange for dummy data to be processed that includes
many error conditions, to ensure that the clients application controls can identify
particular problems.
Examples of errors that might be included:

supplier account codes that do not exist

employees earning in excess of a certain limit
sales invoices that contain addition errors
submitting data with incorrect batch control totals.

Data without errors will also be included to ensure correct transactions are processed
properly.
Test data can be used live, ie during the clients normal production run. The obvious
disadvantage with this choice is the danger of corrupting the clients master files. To
avoid this, an integrated test facility will be used (see other techniques below). The
alternative (dead test data) is to perform a special run outside normal processing, using
copies of the clients master files. In this case, the danger of corrupting the clients files

16 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

is avoided but there is less assurance that the normal production programs have been
used.
(iii)

Other techniques

There are increasing numbers of other techniques that can be used; the main two are:
Integrated test facility used when test data is run live; involves the establishment of
dummy records, such as departments or customer accounts to which the dummy data
can be processed. They can then be ignored when client records are printed out, and
reversed out later.
Embedded audit facilities (embedded audit monitor) also known as resident audit
software; requires the auditors own program code to be embedded into the clients
application software. The embedded code is designed to perform audit functions and
can be switched on at selected times or activated each time the application program is
used. Embedded facilities can be used to:
Gather and store information relating to transactions at the time of processing for
subsequent audit review; the selected transactions are written to audit files for
subsequent examination, often called system control and review file (SCARF)
Spot and record (for subsequent audit attention) any items that are unusual; the
transactions are marked by the audit code when selection conditions (specified by the
auditor) are satisfied. This technique is also referred to as tagging.
The attraction of embedded audit facilities is obvious, as it equates to having a
perpetual audit of transactions. However, the set-up is costly and may require the
auditor to have an input at the system development stage. Embedded audit facilities are
often used in real time and database environments.
Impact of computer-based systems on the audit approach
The fact that systems are computer-based does not alter the key stages of the audit
process; this explains why references to the audit of computer-based systems have
been subsumed into ISAs 300, 315 and 330.
(i) Planning
The Appendix to ISA 300 (Redrafted) states the effect of information technology on the
audit procedures, including the availability of data and the expected use of computer assisted audit techniques as one of the characteristics of the audit that needs to be
considered in developing the overall audit strategy.

17 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

(ii) Risk assessment

'The auditor shall obtain an understanding of the internal control relevant to the audit.
(ISA 315 (Redrafted)
The application notes to ISA 315 identify the information system as one of the five
components of internal control. It requires the auditor to obtain an understanding of the
information system, including the procedures within both IT and manual systems. In
other words, if the auditor relies on internal control in assessing risk at an assertion
level, s/he needs to understand and test the controls, whether they are manual or
automated. Auditors often use internal control evaluation (ICE) questions to identify
strengths and weaknesses in internal control. These questions remain the same but in
answering them, the auditor considers both manual and automated controls.
For instance, when answering the ICE question, Can liabilities be incurred but not
recorded?, the auditor needs to consider manual controls, such as matching goods
received notes to purchase invoices but will also consider application controls, such
as programmed sequence checks on purchase invoices. The operation of batch control
totals, whether programmed or performed manually, would also be relevant to this
question.
(iii) Testing
The auditor shall design and perform further audit procedures whose nature, timing and
extent are based on and are responsive to the assessed risks of material misstatement
at the assertion level. (ISA 330 (Redrafted))
This statement holds true irrespective of the accounting system, and the auditor will
design compliance and substantive tests that reflect the strengths and weaknesses of
the system. When testing a computer information system, the auditor is likely to use a
mix of manual and computer-assisted audit tests.
Round the machine (computer) v through the machine (computer) approaches to
testing
Many students will have no experience of the use of CAATs, as auditors of clients using
small computer systems will often audit round the machine. This means that the
auditor reconciles input to output and hopes that the processing of transactions was
error-free. The reason for the popularity of this approach used to be the lack of audit
software that was suitable for use on smaller computers. However, this is no longer true,
and audit software is available that enables the auditor to interrogate copies of client
18 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

files that have been downloaded on to a PC or laptop. However, cost considerations still
appear to be a stumbling block.

In the through the machine approach, the auditor uses CAATs to ensure that computer
- based application controls are operating satisfactorily.

19 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

AUDIT
PROGRAMS

20 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

AUDIT PROGRAMS/AUDIT PLAN

Internal auditors should consider The IIAs Practice Advisory 2010-1: Planning for the IT
Audit Plan when identifying audit plan principles:
1. Planning should be consistent with the charter of the internal audit function and
involve establishing goals, schedules, staffing, budgeting, and reporting.
2. Internal audit activities should be capable of accomplishing the goals within a specific
time and budget and be measured in terms of, at least, targeted dates and levels of
accomplishment.
3. The plan should include the work schedule with activities to be performed and their
key planned dates, as well as estimated efforts in terms of their time frame for
completion and resources.
4. The plan should be prioritized based on:
a.

Dates and results of the last audit engagement.

b.
Updated assessments of risks and effectiveness of risk management and
control processes.
c.

Requests by the board and senior management.

d.

Current issues relating to organizational governance.

e.
Major changes in the business, operations, programs, systems, and
controls.
f.

Opportunities to achieve operating benefits.

g.
Changes to and capabilities of the audit staff. (Work schedules should be
sufficiently flexible to cover unanticipated demands on the internal audit activity.)
The content of the IT audit plan should be a direct reflection of the risk assessment
described in previous sections.
The plan also should have different types of IT audits, for example:
Integrated business process audits.
21 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

Audits of IT processes (e.g., IT governance and strategy audits, as well as audits

of the organizations project management efforts, software development activities,
policies and procedures, COBIT/ISO/ITIL processes, and information security,
incident management, change management, patch management, and help desk
activities).
Business projects and IT initiative audits, including software development life cycle
(SDLC) reviews.
Application control reviews.
Technical infrastructure audits (e.g., demand management reviews, performance
reviews, database assessments, operating systems audits, and operation
analyses).
Network reviews (e.g., network architecture reviews, penetration testing,
vulnerabilities assessments, and performance reviews).
To verify each audit provides appropriate coverage, auditors can incorporate the
following elements as part of the audit:
IT general controls, application controls, and infrastructure controls.
Contributions to operational reviews, financial reviews, and compliance reviews.
Main control objectives (i.e., segregation of duties, concentration of duties, and
security, among others).
New IT trends and their threats, innovations, and impact.
All IT layers of the stack.

22 | P a g e

Audit Objectives, Procedures and Program for Computer-Based

Accounting System

EXAMPLE
OF AN
AUDIT
PROGRAM
23 | P a g e