AUDITING IN A CIS ENVIRONMENT

The public expression of an auditor’s opinion is the culmination of a systematic financial

audit process that involves three (3) conceptual phases: audit planning, tests of
controls, and substantive testing. An IT audit focuses on the computer-based aspects of
an organization’s information system and modern systems employ significant levels of
technology. Transaction processing is automated and performed in large part by computer
programs. Similarly source documents, journals, and ledgers that traditionally were paper-
based are now digitized and stored in relational databases. The controls over these
processes and databases become central issues in the financial audit process.

The Structure of an IT Audit

1. Audit planning Phase:

a. Review organization’s policies, practices, and structure.

Before the auditor can determine the nature and extent of the tests to perform he or
she must gain a thorough understanding of the client’s business. A major part of
this phase of the audit is the analysis of audit risks. An audit risk is the probability
that the auditor will render an unqualified (clean) opinion on financial statements
that are, in fact, materially misstated. Material misstatements maybe caused by
errors or irregularities or both. Errors are unintentional mistakes. Irregularities are
intentional misrepresentations associated with the commission of a fraud such as
misappropriation of physical assets or the deception of financial statement users.

b. Review general controls and application controls.

During the review of the controls, the auditor attempts to understand the
organization’s policies, practices, and structure. In this phase the auditor also
identifies the financially significant applications and attempts to understand the
controls over the primary transactions that are processed by these applications.
The techniques for gathering evidence at this phase include conducting
questionnaire, interviewing management, reviewing system documentations, and
observing activities. During this process, the auditor must identify the principal
exposures and the controls that attempts to reduce the exposures.

c. Plan test of controls and substantive testing procedures.

2. Tests of controls:
The objective of this phase is to determine whether adequate internal control is in
place and functioning properly.

a. Perform tests of controls

b. Evaluate test results
c. Determine degree of reliance

Page 1
3. Substantive Testing Phase:
In this phase, the audit focuses on the financial data and involves a detailed
investigation of specific account balances and transactions.

a. Perform substantive tests

b. Evaluate results and issue auditor’s report
c. Audit Report

INTERNAL CONTROL

An organization’s internal control system comprises policies, practices, and procedures to

achieve four (4) broad objectives:

1. To safeguard assets of the firm

2. To insure the accuracy and reliability of accounting records and information
3. To promote efficiency in the firm’s operations
4. To measure compliance with management’s prescribed policies and procedures

Inherent in these control objectives are four (4) modifying principles that guide the auditors
of internal control system

1. Management responsibility
This concept holds that the establishment and maintenance of internal control system
is management responsibility.

2. Methods of data processing

The internal control system should achieve the four broad objectives regardless of the
data processing method used (whether manual or computer-based). However, the
specific techniques used to achieve these objectives will vary with different types of
technology.

3. Limitations. These includes:

a. the possibility of error – no system is perfect

b. Circumvention - personnel may circumvent the system through collusion or other
means.
c. Management override – management is in a position to override control procedures
by personally distorting transactions or by directing a subordinate to do so.

4. Reasonable Assurance. Some weaknesses of internal control are immaterial and

tolerable. Under the principle of reasonable assurance, these control weaknesses may
not be worth fixing and cost of correcting it is offset by the benefits derived.

Page 2
 Information Technology Governance

IT Governance focuses on the management and assessment of strategic IT resources.

Common practice then regarding IT investments was to defer all decisions to corporate IT
professionals. Modern IT governance, however, follows the philosophy that all corporate
stakeholders, including board of directors, top management, and departmental users (i.e.,
accounting and finance) be active participants in key IT decisions. Such broad-based
involvement reduces risk and increases the likelihood that IT decisions will be in
compliance with user needs, corporate policies, strategic initiatives and internal control
requirements.

Key objectives of IT Governance:

1. To reduce risk
2. Ensure that investments in IT resources add value to the corporation.

IT Governance Controls

Although all IT governance issues are important to the organization, we will concentrate on
the following three (3) issues that may potentially impact the financial reporting process.

1. Organizational structure of the IT function

2. Computer center operations
3. Disaster recovery planning

Structure of the IT function

The organization of IT function has implications for the nature and effectiveness of internal
controls, which, in turn, has implications for the audit. The following are two extreme
organizational models of IT structure:

1. Centralized Approach
2. Distributed Approach

Centralized Data Processing Approach

Under this model, all data processing is performed by one or two large computers housed
at a central site that serves users throughout the organization. IT service activities are
consolidated and managed as a shared organization resource. End users compete for
these resources on the basis of need. The IT services function is usually treated as a cost
center whose operating costs are charged back to the end users. The following are the
primary service areas of centralized IT services structure:

1. Database Administration
Centrally organized companies maintain their data resources in central location that is
shared by all end users. In this shared data arrangement, an independent group

Page 3
 headed by the database administrator (DBA) is responsible for the security and
integrity of the database.

2. Data Processing
This group manages the computer resources used to perform the day-to-day
processing of transactions. It consists of the following organizational functions:
a. Data Conversion
The data conversion function transcribes transaction data from hard-copy source
documents into computer input. For example, data conversion could-involve
keystroking sales orders into a sale order application in modern systems, or
transcribing data into magnetic media (tape or disk) suitable for computer
processing in legacy type systems.
b. Computer Operations
The electronic files produced in data conversion are later processed by the central
computer, which is managed by the computer operations groups. Accounting
applications are usually executed according to a strict schedule that is controlled by
the central computer’s operating system.
c. Data Library
Data library provides safe storage for the off-line data files. These files could be
backups or current data files. In addition, data library is used to store original
copies of commercial software and their licenses for safekeeping.

3. Systems Development and Maintenance

The information systems needs of users are met by the following two (2) related
functions.
a. Systems Development
This group is responsible for analyzing user needs and for designing new systems
to satisfy user needs. The participants in system development activities include the
following:

 System professionals – include system analysts, database designers, and

programmers who design and build the system. They gather facts about the
user’s problem, analyze the facts, and formulate a solution. The product of their
efforts is a new information system.
 End Users are those for whom the system is built. They are the managers who
receive reports from the system and the operations personnel who work directly
with the system as part of their daily responsibilities.
 Stakeholders are individuals inside or outside the firm who have an interest in
the system, but are not end users. They include accountants, internal auditors,
external auditors, and others who oversee systems development.

b. System Maintenance
Once a new system has been designed and implemented, the systems
maintenance group assumes responsibility for keeping it current with user needs.
The term maintenance refers to making changes to program logic to
accommodate shifts in user needs over time. During the course of system’s life

Page 4
 (often years), as much as 80% or 90% of its total cost maybe incurred through
maintenance activities.

Segregation of Incompatible IT Functions

It is important that incompatible duties within manual activities are segregated. Specifically,
operational tasks should be segregated to:

1. Separate transaction authorization from transaction processing.

2. Separate record keeping from asset custody
3. Divide transaction-processing tasks among individuals such that short of collusion
between two or more individuals fraud not be possible.

The IT environment tends to consolidate activities. A single application process, authorize

and record all aspects of a transaction. Thus, the focus of segregation control shifts from
the operational level (transaction processing tasks that computer now perform) to higher-
level organizational relationships within the computer services function.

Separating Systems Development from Computer Operations

The segregation of systems development (both new systems development and

maintenance) and operations activities is of the greatest importance. The relationship
between these groups should be extremely formal, and their responsibilities should not be
commingled. Systems development and maintenance professionals should create (and
maintain) systems for users and should have no involvement in entering data or running
applications (i.e., computer operations). Operation staff should run these systems and
have no involvement in their design. These functions are inherently incompatible, and
consolidating them invites errors and fraud.

Separating Database Administration from other functions

The database administrator (DBA) function is responsible for a number of critical tasks
pertaining to database security, including creating schema and user views, assigning
database access authority to users, monitoring database usage, and planning for future
expansion. Delegating these responsibilities to others who perform incompatible tasks
threatens database integrity.

Separating New Systems Development from Maintenance

Some companies organize their in-house systems development function into two groups:
systems analysis and programming. The system analysis group works with the users to
produce detailed designs of the new system. The programming group codes the program
according to these design specifications. Under this approach, the programmer who codes
the original programs also maintains the system during the maintenance phase of the
system development life cycle. Although a common arrangement, this approach is
associated with two types of control problems: inadequate documentation and the
potential for program fraud.

Page 5
Inadequate Documentation

Poor-quality systems documentation is a chronic IT problem and a significant challenge for

many organizations seeking Sarbanes-Oxley (SOX) compliance. There are at least two (2)
explanations for this phenomenon.

1. Documenting systems is not as interesting as designing, testing, and implementing

them. System professionals much prefer to move on to an exciting new product rather
than document one just completed.

2. Job security. When a system is poorly documented, it is difficult to interpret, test, and
debug. Therefore, the programmer who understands the system (the one who coded it)
maintains bargaining power and becomes relatively indispensable. When the
programmer leaves the firm, however, a new programmer inherits maintenance
responsibility for the undocumented system. Depending on its complexity, the transition
period maybe long and costly.

Program Fraud

When the original programmer of a system is also assigned maintenance responsibility,

the potential for fraud is increased. Program fraud involves making unauthorized changes
to program modules for the purpose of committing illegal act. The original programmer
may have successfully concealed fraudulent code among the thousands of lines of
legitimate code and the hundreds of modules that constitute a system. For the fraud to
work successfully, however, the programmer must be able to control the situation through
exclusive and unrestricted access to the application’s programs. The programmer needs to
protect the fraudulent code from accidental detection by another programmer performing
maintenance or by auditors testing application control. Therefore, having sole responsibility
for maintenance is an important element in the duplicitous programmer’s scheme. Through
this maintenance authority, the programmer may freely access the system, disabling
fraudulent code during audits and restoring the fraudulent code when auditors has
finished.

The Distributed Model

An alternative to the centralized model is the concept of distributed data processing

(DDP). It involves reorganizing the central IT function into small IT units that are placed
under the control of end users. The IT units maybe distributed according to business
function, geographic location, or both. The degree of to which they are distributed will vary
depending upon the philosophy and objectives of the organization’s management.

Risks Associated with distributed data processing (DDP)

Potential problems include the inefficient use of resources, the destructions of audit trails
inadequate segregation of duties, increase potential programming errors and system
failures, and the lack of standards

Page 6
Inefficient Use of Resources

DDP can expose and organization to three (3) types of risks associated with inefficient use
of organizational resources

1. Risk of mismanagement of organization-wide IT resources by end users. Some argue

that organization-wide IT resources exceed a threshold amount, for example 5% of the
total operations budget, effective IT governance requires central management and
monitoring of such resources.
2. DDP can increase the risk of operational inefficiencies because of redundant tasks
being performed within the end-user committee. Autonomous systems development
initiatives distributed throughout the firm can result in each user area reinventing the
wheel rather than benefiting from the work of others.
3. DDP environment poses a risk of incompatible hardware and software among end-user
functions. Distributing the responsibility for IT purchases to end users may result in
uncoordinated and poorly conceived decisions.

Destruction of Audit Trails

An audit trial provides the linkage between a company’s financial activities (transactions)
and the financial statements that report on those activities.

Inadequate Segregation of Duties

Achieving an adequate segregation of duties may not be possible in some distributed

environments. The distribution of the IT services to users may result in the creation of
small independent units that do not permit the desired separation of incompatible
functions.

Hiring Qualified Professionals

End-user managers may lack the IT knowledge to evaluate the technical credentials and
relevant experience of candidates applying for IT professional positions.

Lack of Standards

Because of the distribution of responsibility in the DDP environment, standards for

developing and documenting systems, choosing programming language, acquiring
hardware and software, and evaluating performance maybe unevenly applied or even
nonexistent.

Page 7