
UNENDING INNOVATIONS in INFORMATION TECHNOLOGY give
NEW OPPORTUNITIES yet create some CHALLENGING PROBLEMS
for auditors.

RESPONSIBILITY as to:
MANAGEMENT & THOSE CHARGED WITH GOVERNANCE
AUDITORS

CHARACTERISTICS OF CIS
LACK OF VISIBLE TRANSACTION TRAILS
Transaction trail (or audit trail) refers to the successive
stages in the recording of a transaction in the books of
account through which an auditor may be able to trace
accounting entries in the books back to their initiation and
vice versa.
Some computer information systems are designed so that a
complete transaction trail that is useful for audit purposes
might exist for only a short period of time or only in a
computer-readable form.
Where a complex application system performs a large
number of processing steps, there may not be a complete
trail.

CONSISTENCY OF PERFORMANCE
Computer processing uniformly subjects like transactions
to the same processing instructions. Thus, the
clerical errors ordinarily associated with manual
processing are virtually eliminated.
Conversely, programming errors (or other
systematic errors in hardware or software) will
ordinarily result in all transactions being
processed incorrectly.

EASE OF ACCESS TO DATA & COMPUTER PROGRAMS
Data and computer programs may be accessed
and altered by unauthorized persons, leaving no
visible evidence.
Thus, it is important to have appropriate control
in the access of data and computer programs.

CONCENTRATION OF DUTIES
Many control procedures that would ordinarily be performed by
separate individuals in manual systems may become
concentrated in a CIS environment.
Thus, an individual who has access to computer programs,
processing or data may be in a position to perform incompatible
functions.

SYSTEMS GENERATED TRANSACTIONS
Computer information systems may include the capability to
initiate or cause the execution of certain types of transactions
AUTOMATICALLY.
The authorization of these transactions or procedures may not
be documented in the same way as in a manual system, and
management's authorization may be implicit in its acceptance.

VULNERABILITY OF DATA & PROGRAM STORAGE MEDIA
The programs and data in a CIS system are stored
on portable or fixed storage media. These
media are susceptible to intentional or accidental
destruction.
Moreover, the programs and data are also
susceptible to what is popularly known as a
computer virus. A computer virus is a program
that affects the normal functioning of a computer
system by altering or destroying other programs
and data.

Extensive internal control is needed in the CIS environment.

Internal Control in a CIS Environment
Internal controls in a CIS system depend on the
same principles as those in the case of manual
systems. However, there are many controls
specially applicable in a CIS environment.
Auditors are concerned with:
Authenticity
Accuracy
Completeness
Asset-safeguarding
Existence of audit trail

CLASSIFICATION OF INTERNAL CONTROL PROCEDURES

GENERAL CONTROLS
Organizational controls
Systems development and documentation
controls
Access controls
Data recovery controls
Monitoring controls

APPLICATION CONTROLS
Controls over input
Controls over processing
Controls over output

GENERAL CONTROLS
These ensure that a company's control
environment is stable and well
managed in order to strengthen the
effectiveness of application controls.
Applies to all IT systems
Organizational controls
Systems development and
documentation controls
Access controls
Data recovery controls
Monitoring controls

ORGANIZATIONAL CONTROLS
Is a CIS function so organized that
incompatible functions are segregated to the
extent possible?

SEGREGATION BETWEEN THE CIS DEPARTMENT AND USER DEPARTMENTS
SEGREGATION OF DUTIES WITHIN THE CIS DEPARTMENT

SEGREGATION BETWEEN THE CIS DEPARTMENT AND USER DEPARTMENTS
The CIS department must be independent
of all departments within the entity
that provide input data or that use
output generated by the CIS.
The CIS department's function is to process
transactions, while the user department
initiates the transactions.

Figure 8-6: Segregation of Functions in a Direct/Immediate Processing System (diagram not reproduced).
Diagram labels: User Departments; Computer Operations; Data Inputs; Displayed Outputs; Printed or Plotted Outputs; Process; Online Files; Batch Files.

SEGREGATION OF DUTIES WITHIN THE CIS DEPARTMENT
The entity's organizational structure
should provide for definite lines of
authority and responsibility within the
CIS department.

SYSTEMS DEVELOPMENT AND DOCUMENTATION CONTROLS
Were auditors (both external and internal)
consulted (along with various other user groups)
while designing appropriate controls over
development, testing and documentation of the
systems software and a mixture of application
programs?
Are the programs test-run and test-run reports
reviewed by the systems analyst before the
programs are put into actual operation?

ACCESS CONTROLS
How effective are the controls over
unauthorized use of programs and
data?
An effective access control is the use
of passwords. A password is a secret
code which is known only to the
computer user.

DATA RECOVERY CONTROLS
Computer files can be easily lost, and the loss
of these files can be disastrous to an entity.
Maintenance of back-up files and off-site
storage procedures
Where magnetic tapes are used, a common
file-retention practice is the
grandfather-father-son practice.

MONITORING CONTROLS
These are designed to ensure that CIS
controls are working effectively as
planned.
Periodic evaluation

APPLICATION CONTROLS
These are designed to prevent, detect, and
correct errors and irregularities in transactions
as they flow through the stages of data
processing.

Processing of transactions involves three stages:
the input, processing, and output stage.

Controls over input

Key Verification
Requires data to be entered twice (usually by different operators)
to provide assurance that no keying errors have been committed.

Field check
Ensures that the input data agree with the required field
format.

Validity check
Information entered is compared with the valid information
in the master file to determine the authenticity of the input.

Self-checking digit
This is a mathematically calculated digit which is usually
added to a document number to detect common
transpositional errors in data submitted for processing.

Limit check
Also called a reasonable check, this is designed
to ensure that data submitted for
processing do not exceed a pre-determined
limit or reasonable amount.

Control totals
These are totals computed from the data
submitted for processing.
They ensure the completeness of data before
and after they are processed.
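The input controls listed above, applied in order to keyed records. This is an added example, not taken from the slides; the account-number layout (five digits plus a weighted modulus-11 check digit), the limit of 50,000.00 and the master file are assumptions constructed for illustration.

```python
import re
from decimal import Decimal

# Constructed sample master file: 5-digit base + modulus-11 check digit (assumed scheme).
MASTER = {"123455", "20417X"}
LIMIT = Decimal("50000.00")                      # assumed pre-determined limit
ACCOUNT_FORMAT = re.compile(r"\d{5}[\dX]")
AMOUNT_FORMAT = re.compile(r"\d{1,9}\.\d{2}")

def check_digit(base: str) -> str:
    """Weighted modulus-11 digit; weights 2, 3, 4... applied from the right."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)

def key_verify(first: dict, second: dict) -> list:
    """Key verification: fields where the two independent keyings disagree."""
    return sorted(k for k in first if first[k] != second.get(k))

def validate(rec: dict) -> list:
    """Return the input controls a keyed record fails (empty list = accepted)."""
    acct, amount = rec["account"], rec["amount"]
    if not ACCOUNT_FORMAT.fullmatch(acct) or not AMOUNT_FORMAT.fullmatch(amount):
        return ["field check"]       # wrong format, so later checks cannot run
    errors = []
    if check_digit(acct[:-1]) != acct[-1]:
        errors.append("self-checking digit")
    if acct not in MASTER:
        errors.append("validity check")
    if Decimal(amount) > LIMIT:
        errors.append("limit check")
    return errors

if __name__ == "__main__":
    for rec in [{"account": "123455", "amount": "1200.00"},
                {"account": "132455", "amount": "1200.00"},   # digits 2 and 3 transposed
                {"account": "543217", "amount": "10.00"},     # good check digit, unknown account
                {"account": "20417X", "amount": "75000.00"},
                {"account": "12A455", "amount": "1200.00"}]:
        print(rec, "->", validate(rec) or "accepted")
```

The third record shows why the validity check is still needed: a number can carry a correct check digit and yet not exist in the master file.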

Controls over processing

Processing controls are designed to
provide reasonable assurance that input
data are processed accurately, and that
data are not lost, added, excluded, duplicated,
or improperly changed.

Controls over output
Output controls are designed to provide
reasonable assurance that the results of
processing are accurate and complete, and
that these outputs are distributed
only to authorized personnel.
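The control totals named under input controls and the processing-control objective (data not lost, added, duplicated or improperly changed) can be checked together by reconciling a batch before and after processing. This is an added example, not taken from the slides; the record layout, transaction ids and amounts are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample batch as submitted for processing.
SUBMITTED = [
    {"txn": "T001", "account": "100234", "amount": "250.00"},
    {"txn": "T002", "account": "100871", "amount": "1200.50"},
    {"txn": "T003", "account": "100455", "amount": "75.25"},
    {"txn": "T004", "account": "100902", "amount": "310.00"},
]
# Constructed result: T002 altered, T003 duplicated, T004 lost, T999 added.
PROCESSED = [
    {"txn": "T001", "account": "100234", "amount": "250.00"},
    {"txn": "T002", "account": "100871", "amount": "2100.50"},
    {"txn": "T003", "account": "100455", "amount": "75.25"},
    {"txn": "T003", "account": "100455", "amount": "75.25"},
    {"txn": "T999", "account": "100111", "amount": "500.00"},
]

def control_totals(batch):
    """Record count, financial total, and hash total (sum of account numbers)."""
    return {
        "record_count": len(batch),
        "amount_total": sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in batch),
    }

def reconcile(submitted, processed):
    """Return (control totals that disagree, record-level exceptions by txn id)."""
    before, after = control_totals(submitted), control_totals(processed)
    mismatched = [name for name in before if before[name] != after[name]]
    original = {r["txn"]: r for r in submitted}
    seen = Counter(r["txn"] for r in processed)
    findings = {
        "lost": sorted(t for t in original if seen[t] == 0),
        "added": sorted(t for t in seen if t not in original),
        "duplicated": sorted(t for t, n in seen.items() if n > 1 and t in original),
        "changed": sorted({r["txn"] for r in processed
                           if r["txn"] in original and r != original[r["txn"]]}),
    }
    return mismatched, findings

if __name__ == "__main__":
    print(control_totals(SUBMITTED))
    print(reconcile(SUBMITTED, PROCESSED))
```

Offsetting errors, such as two amounts swapped between records, leave all three totals unchanged, which is why the record-level comparison is kept alongside the totals.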

fin

Reference:
https://books.google.com.ph/books?id=neDFWDyUWuQC&pg=PA196&lpg=PA196&dq=VULNERABILITY+OF+DATA+AND+PROGRAM+STORAGE+MEDIA+IN+CIS+AUDIT&source=bl&ots=7bvmSmhr6L&sig=XrwgQSQ2uMQX5Xn6sYao10bXuKo&hl=en&sa=X&ved=0ahUKEwiWkdvX_5TOAhULm5QKHRV3AZoQ6AEIHDAA#v=onepage&q=VULNERABILITY%20OF%20DATA%20AND%20PROGRAM%20STORAGE%20MEDIA%20IN%20CIS%20AUDIT&f=true
Audit theory by Salosagcol, et al
