LYCEUM OF ALABANG
Km.30, National Road, Tunasan, Muntinlupa City, Philippines
Tel. Nos. (02)856-93-23 / (02)856-9246 / (02)403-8248

AUDITING IN CIS ENVIRONMENT

COURSE DESCRIPTION

The advent of advanced information and communication technology affects the way
auditors carry out their engagements. Planning and performing audit procedures and
techniques must take into consideration the accounting information system employed by
the audit client in a computerized business environment. This course exposes students to
computer controls such as general and application controls. It discusses information
technology related risks, the security and control mechanisms and techniques that may be
employed to address those risks, and the impact of the use of information and
communication technology on the audit of the entity's transaction cycles. Likewise, the
use of various computer-aided audit techniques (CAATs) is considered in understanding
and applying the auditing approach through the computer and with the computer.
Relatedly, E-Commerce, the Data Privacy Law and the Cyber-Crime Law are discussed in so
far as they are relevant to the audit. Students should be able to describe and apply
concepts pertaining to the audit of a computerized environment, address audit risks and
apply appropriate audit tools, audit techniques and audit procedures.

LEARNING OUTCOMES
1. Describe an overview of auditing concepts.
2. Distinguish attestation and assurance services.
3. Identify the IT audit as a significant component of financial audits.
4. Understand the management assertions on the presentation of financial
statements.
5. Enumerate the audit objectives and procedures based on management
assertions.
6. Explain the structure of an IT audit.
7. Explain the components of audit risks.
8. Understand the key features of Sections 302 and 404 of the Sarbanes-Oxley Act.
(AIS)

HECTOR E. JULIANO 1

9. Understand management and auditor responsibilities under Sections 302 and 404.
10. Understand the risks of incompatible functions and how to structure the IT
function.
11. Be familiar with the controls and precautions on computer facilities.
12. Understand the key elements of a disaster recovery plan.
13. Be familiar with the benefits, risks and audit issues related to IT outsourcing.
14. Identify the principal threats to the operating system.
15. Identify the control techniques used to minimize threat exposure.
16. Be familiar with the principal risks on electronic commerce and how to mitigate
them.
17. Be familiar with database integrity risk and controls used to mitigate them.
18. Recognize exposures to electronic data interchange (EDI).
19. Understand how EDI exposures shall be reduced.
20. Understand the computer-assisted audit tools and techniques (CAATTs).
21. Identify various CAATTs in testing application controls.
22. Understand auditing techniques in performing substantive testing techniques.

TOPIC OUTLINE

1. Attest services versus assurance services.
2. Generally accepted auditing standards.
3. External auditing versus Internal auditing.
4. Management assertions and audit objectives.
5. Phases of information technology audit.
6. Inherent risks.
7. Control risk.
8. Detection risk.
9. Overview of SOX 302 and 404.

10. Requirements of SOX 302 and 404.
11. Relationship between IT controls and Financial Reporting.
12. Application controls and general controls.
13. Organizational structure controls.
14. Computer center security and controls.
15. Disaster Recovery Planning.
16. Controlling the operating system.
17. Objectives of the operating system.
18. Threats to operating system integrity.
19. Controls and testing controls of operating system.
20. The Electronic Data Interchange concept.
21. Transaction authorization and validation.
22. Access control and EDI audit trail.
23. Computer-assisted audit tools and techniques.
24. The test data method.
25. Base case system evaluation.
26. Tracing.
27. Integrated test facility.
28. Parallel simulation.
29. Embedded Audit Module.
30. Generalized Audit Software.
31. Substantive testing techniques.

REFERENCES:

1. Davis, et al. (2011). IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill/Irwin, New York.

2. Hall, James A. (2011). Accounting Information Systems. Cengage Learning, Ohio.

PRELIM

FIRST WEEK

INTRODUCTION

Orientation on the subject matter, its coverage and what everyone should expect from
the course are among the salient points to be taken up during the first week of class.
Students will be introduced to the basics of auditing and its application to auditing
financial reports and the entity's operating systems prepared in a computerized
environment. This is a must for students to learn, not only because of its inclusion in
the CPA licensure examination but also so that they acquire a significant understanding
of and knowledge in auditing every business structure and activity, in line with their
pursuit of becoming full-fledged certified public accountants.

IDEATION

The advent of technology has had a tremendous impact on the field of auditing.
Information technology has enabled traditional businesses to manage information more
efficiently, from gathering data to processing it for internal and outside users. In
order to fully achieve the goal and purpose of an audit, it is imperative that auditors
be fully aware of the effects of information technology on the audit of a client's
financial statements, both in the context of how those financial statements were
produced and of how the auditor can use the technology in the process of auditing them.

TOPIC/LESSON

1. Describe an overview of auditing concepts.
2. Distinguish attestation and assurance services.
3. Identify the IT audit as a significant component of financial audits.
4. Understand the management assertions on the presentation of financial statements.
5. Enumerate the audit objectives and procedures based on management assertions.
6. Explain the structure of an IT audit.
7. Explain the components of audit risks.

Definition of Terms

Assurance services – Professional services, including the attest function, designed to
improve the quality of information, both financial and nonfinancial, used by decision
makers.

Attest function – Independent auditor's responsibility to opine as to the fair
presentation of a client firm's financial statements.

Accounting information systems – Specialized subset of information systems that
processes financial transactions.

Application controls – Controls that ensure the integrity of specific systems.

Audit objectives – Task of creating meaningful test data.

Audit procedures – Combination of tests of application controls and substantive tests of
transaction details and account balances.

Audit risk – Probability that the auditor will render an unqualified opinion on financial
statements that are, in fact, materially misstated.

Audit trail – Accounting records that trace transactions from their source documents to
the financial statements.

Computer-assisted audit tools and techniques (CAATTs) – The use of technology to help
auditors evaluate controls by extracting and examining relevant data.

Disaster recovery plan – Comprehensive statement of all actions to be taken before,
during, and after a disaster, along with documented, tested procedures to ensure the
continuity of operations.

Electronic data interchange – Intercompany exchange of computer-processible business
information in standard format.

Embedded audit module – Technique in which one or more specially programmed modules
embedded in a host application select and record predetermined types of transactions
for subsequent analysis.

General controls – Controls that pertain to entity-wide concerns such as controls over
the data center, organization databases, systems development, and program maintenance.

Generalized audit software – Software that allows auditors to access electronically
coded data files and perform various operations on their contents.

Information technology audit – Focuses on the computer-based aspects of an
organization's information system.

Integrated test facility – Automated technique that enables the auditor to test an
application's logic and controls during its normal operation.

Management assertion – Combination of tests of application controls and substantive
tests of transaction details and account balances.

Operating system – Computer's control program.

Parallel simulation – Technique that requires the auditor to write a program that
simulates key features or processes of the application under review.

Risk – Possibility of loss or injury that can reduce or eliminate an organization's
ability to achieve its objectives.

Risk assessment – Identification, analysis, and management of risks relevant to
financial reporting.

Sarbanes-Oxley Act (SOX) – Law enacted to improve the reliability of public companies'
financial reporting and to restore investor confidence in the wake of high-profile cases
of corporate crime.

Schema – Description of the entire database.

Substantive tests – Tests that determine whether database contents fairly reflect the
organization's transactions.

Tracing – Test data technique that performs an electronic walkthrough of the
application's internal logic.

Transaction authorization – Procedure to ensure that employees process only valid
transactions within the scope of their authority.

PRELIM

The Concepts of Auditing and Information Technology

Conducting an audit is a systematic and logical process of obtaining and evaluating
evidence from all forms of information system. As such, an auditor must possess the
required framework enumerating the physical procedures necessary in conducting an
audit in an IT environment.

Financial statements reflect management's assertions about the financial health of an
entity. The auditor is tasked to determine the truthfulness of these assertions. To
accomplish this, the auditor must establish objectives, design procedures, and gather
evidence that will either corroborate or refute management's assertions on the
financial statements. Since auditors develop their objectives and design procedures
based on these assertions, the assertions must be identified first.

Management’s assertions on the financial statements fall into the following categories:

1. Assets and equities contained in the balance sheet exist and transactions in
the income statement occurred.

2. No material assets, equities or transactions were omitted from the financial
statements.

3. The entity owns the assets, and the liabilities are likewise its own obligations.

4. Assets and equities are valued following generally accepted accounting
principles, and depreciation expense is calculated on a systematic and rational
basis.

5. Items in the financial statements are properly classified (e.g. long-term
liabilities will not mature within one year) and disclosures in the notes to the
financial statements are adequate so that users of the financial statements are
not misled.

Based on the foregoing assertions, a summary of audit objectives and procedures is
prepared as follows:

AUDIT OBJECTIVES AND PROCEDURES BASED ON MANAGEMENT ASSERTIONS

Management assertion: Existence or occurrence
  Audit objective: Inventories on the balance sheet exist.
  Audit procedure: Observe counting of physical inventory.

Management assertion: Completeness
  Audit objective: Accounts payable are obligations to vendors for the period.
  Audit procedure: Compare receiving reports, supplier's invoices, purchase orders, and
  journal entries for the period and the beginning of the next period.

Management assertion: Rights and obligations
  Audit objective: Plant and equipment listed in the balance sheet are owned by the entity.
  Audit procedure: Review purchase agreements, insurance policies, and related documents.

Management assertion: Valuation or allocation
  Audit objective: Accounts receivable are stated at net realizable value.
  Audit procedure: Review the entity's aging of accounts receivable and evaluate the
  adequacy of the allowance for uncollectible accounts.

Management assertion: Presentation and disclosure
  Audit objective: Contingencies not reported in the financial accounts are properly
  disclosed in footnotes.
  Audit procedure: Obtain information from the entity's lawyers about the status of
  litigation and estimates of potential loss.

ATTESTATION vs. ASSURANCE

Auditing as a function of an auditor covers two important activities – the attestation
function and assurance services. The question we want to answer is how one differs from
the other.

ATTEST service is an engagement in which a practitioner is engaged to issue, or does
issue, a written communication that expresses a conclusion about the reliability of a
written assertion that is the responsibility of another party.

Whereas,

ASSURANCE services are professional services designed to improve the quality of
financial and nonfinancial information used by decision makers. An assurance service
contracted by management about the quality or marketability of a given product is one
example. An assurance service must improve the information at hand so that the client
can make a better decision.

DON’T’s FOR ACCOUNTANTS

Before the passage of the Sarbanes-Oxley Act of 2002, accounting firms were allowed to
provide assurance services to clients that they audit. Today, it is unlawful for a
registered public accounting firm that is currently providing attest services to a
client to also provide the following services:

▪ bookkeeping or other services related to the financial statements of the audit client
▪ financial information systems design and implementation
▪ appraisal or valuation services
▪ actuarial services
▪ internal audit outsourcing services
▪ management functions or human resources
▪ broker or dealer, investment adviser, or investment banking services
▪ legal services and expert services unrelated to the audit
▪ any other service that the Board determines

Structure of an Information Technology Audit

An information technology audit is conducted through the following stages:

1. Audit planning – The auditor must gain sufficient knowledge and a thorough
understanding of the client's business to plan the other phases of the audit.
Through risk analysis, the auditor attempts to understand the organization's
internal control, including the organization's policies, practices and structure.

2. Tests of controls – This phase aims to determine whether internal control is
adequate and functioning properly. The auditor must perform various control tests
to accomplish this. The quality and reliability of internal control affect the
nature of substantive testing.

3. Substantive testing – The focus is on financial data; this phase involves a
detailed investigation of account balances and transactions. For example, by
tracing an accounts receivable balance back to the customer, the auditor verifies
the balance and confirms that a bona fide customer really owes the amount stated.

In every audit engagement there is always a probability that the auditor may render an
unqualified opinion on financial statements that are materially misstated. This is
called audit risk. Through tests of controls and substantive testing, the auditor's
objective of minimizing audit risk is attained.

COMPONENTS OF AUDIT RISKS

Let us analyze further the components of audit risk:

A. Inherent risk – refers to a material misstatement of an entity's account balance
emanating mostly from declining business. A classic example of this type of risk is
when a client shows in the balance sheet accounts receivable of P10M, but P2M of
this total is from an industry nearing collapse and is therefore unlikely to be
collected. To include the P2M in the total accounts receivable balance is a
misstatement of the financial position of the entity.

B. Control risk – refers to a flawed control structure, where controls are inadequate
to detect an erroneous account. Suppose the price per unit and the quantity of a
given item are correct but the extended total is wrong; a lack of control may allow
the wrong total to be posted to the accounts receivable file.

C. Detection risk – the risk that errors not detected or prevented by the control
structure will likewise go undetected by the auditor; it is the level of risk the
auditor is willing to accept. The auditor sets an acceptable level of detection
risk, which serves as a barometer in performing substantive tests. A lower
acceptable level, say 1% rather than 5%, requires more substantive testing.

REVIEW QUESTIONS:

1. What are the conceptual phases of an audit? How do they differ between general
auditing and IT auditing?
2. Distinguish between internal and external auditors.
3. What are the four primary elements described in the definition of auditing?
4. Explain the concept of materiality.
5. What tasks do auditors perform during audit planning, and what techniques are used?

_____________________________________________________________

MIDTERM

SARBANES OXLEY ACT (SOX)

The SOX Act of 2002 was enacted and signed into law on July 30, 2002 by US President
George W. Bush to improve the reliability of public companies’ financial reporting as well
as restore investor’s confidence in the wake of high profile cases of corporate crime.

The abbreviation "SOX" was coined from the authors of the law that established sweeping
auditing and financial regulations for public companies, Senator Paul Sarbanes
(Republican) and Senator Michael Oxley (Democrat). The enactment of the SOX law was in
large part due to corporate scandals at big companies in the U.S. such as Enron
Corporation, WorldCom, and Tyco International.

Key provisions – Sections 302 and 404

Of the 11 sections of SOX, the two of particular note are Section 302 and Section 404.

Section 302 pertains to "Corporate Responsibility for Financial Reports". It establishes
that CEOs and CFOs are responsible for the internal accounting controls of an entity, in
addition to reviewing all financial reports, and that these reports are "fairly
presented" and do not contain misrepresentations.

Section 404 deals with "Management Assessment of Internal Controls" and requires
companies to publish details about their internal accounting controls and their
procedures for financial reporting as part of their annual financial reports. Section 404
requires corporate executives to personally certify the accuracy of their company's
financial statements and makes them individually liable if the SEC finds violations.

APPLICATION AND GENERAL CONTROLS

Information technology drives the automation of financial reporting. Automated systems
initiate, authorize, record, and report the effects of financial transactions, which,
according to SOX, must be addressed and controlled. In this connection, two broad
groupings of information controls are identified: application controls and general
controls.

Application controls ensure the validity, completeness and accuracy of financial
transactions. They are application specific. An example of this control is the
requirement that the total batch payment to vendors must reconcile to the total
postings to the accounts payable subsidiary ledger.
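As an added illustration (example code written for this module, not part of the original text or of either reference), the following script applies two application controls to a constructed batch of vendor payments. The first recomputes each invoice line's extended total from quantity and unit price, the control-risk scenario described earlier in which price and quantity are right but the extension is wrong; the second reconciles the batch payment total to the postings in the accounts payable subsidiary ledger, the example given in the paragraph above. The invoice numbers, vendor codes, amounts and ledger postings are all constructed for the example.

```python
# Added example: two application-control checks over a constructed batch of
# vendor payments. Not taken from the module; all data below is constructed.
from decimal import Decimal, ROUND_HALF_UP
from typing import NamedTuple


class InvoiceLine(NamedTuple):
    invoice: str
    vendor: str
    quantity: int
    unit_price: Decimal
    extended_total: Decimal  # amount as keyed into the batch by the clerk


def recompute_extension(line: InvoiceLine) -> Decimal:
    """Independently recompute quantity x unit price, rounded to cents."""
    return (line.quantity * line.unit_price).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP)


def find_extension_errors(lines):
    """Return (invoice, recorded total, recomputed total) for every line whose
    keyed extended total disagrees with the recomputation."""
    errors = []
    for line in lines:
        expected = recompute_extension(line)
        if line.extended_total != expected:
            errors.append((line.invoice, line.extended_total, expected))
    return errors


def reconcile_batch(lines, ledger_postings):
    """Batch-total control: the sum of the keyed batch must equal the sum of
    the postings to the AP subsidiary ledger (keyed by vendor)."""
    batch_total = sum((l.extended_total for l in lines), Decimal("0"))
    posted_total = sum(ledger_postings.values(), Decimal("0"))
    return {
        "batch_total": batch_total,
        "posted_total": posted_total,
        "difference": batch_total - posted_total,
        "reconciled": batch_total == posted_total,
    }


# Constructed sample batch. INV-1003 carries a transposed extension: 24.90
# was keyed instead of 29.40, which neither the price nor the quantity reveals.
SAMPLE_LINES = [
    InvoiceLine("INV-1001", "V-A", 10, Decimal("12.50"), Decimal("125.00")),
    InvoiceLine("INV-1002", "V-B", 3, Decimal("99.99"), Decimal("299.97")),
    InvoiceLine("INV-1003", "V-C", 7, Decimal("4.20"), Decimal("24.90")),
]

# Constructed AP subsidiary ledger postings, made from the source invoices
# rather than from the keyed batch, so they carry the correct V-C amount.
SAMPLE_POSTINGS = {
    "V-A": Decimal("125.00"),
    "V-B": Decimal("299.97"),
    "V-C": Decimal("29.40"),
}

if __name__ == "__main__":
    for inv, recorded, expected in find_extension_errors(SAMPLE_LINES):
        print(f"{inv}: keyed {recorded}, recomputed {expected}")
    print(reconcile_batch(SAMPLE_LINES, SAMPLE_POSTINGS))
```

Run on the sample, the extension check isolates INV-1003, and the batch reconciliation shows a difference of -4.50 between the keyed batch (449.87) and the ledger (454.37). The two controls are complementary: the extension check finds which line is wrong, while the batch total tells the reviewer that something in the batch does not agree with the ledger even when no single line has yet been inspected.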

General controls are not application specific; they do not control specific transactions
but have an effect on transaction integrity. Poor database security is one example: when
database security is at risk, an individual may steal or corrupt transaction data.

Control on Organizational Structure

We would like to emphasize that it is equally important that manual activities be
segregated from incompatible duties. Specifically, operational tasks should be
separated so as to:

1. Segregate transaction authorization from transaction processing.
2. Segregate record keeping from asset custody.
3. Divide transaction-processing tasks among individuals (fraud through collusion is
avoided).

Computer Center Controls

The security of the computer center can have a significant impact on whether application
controls function, especially those involved in the financial reporting process. The
following control features contribute directly to computer center security:

A. Physical location – The computer center should be located away from man-made
and natural hazards such as processing plants, gas and water mains, airports and
high-crime areas.

B. Construction – The center should be housed in a single-story building of solid
construction with controlled access. Utility (power and telephone) and
communication lines should be underground.

C. Access – should be limited to the operators and employees who work there, such
as programmers and analysts. These persons should be required to sign in and out
for verification purposes. A single door should be maintained as the main entrance,
apart from fire-alarm exits, and closed-circuit cameras with a video recording
system should be installed for a higher level of security.

D. Air conditioning – must be maintained because computers function best in an
air-conditioned environment and to avoid damage caused by mold that grows on
paper and paper products under high humidity.

DISASTER RECOVERY PLANNING

Disasters cannot be prevented or evaded. The survival of a firm affected by a disaster
depends on how it reacts. With careful contingency planning, the impact of any disaster
can be absorbed and the organization can still recover. A disaster recovery plan (DRP)
plays a crucial role for an organization should an unforeseen event occur, along with
documented, tested procedures that will ensure the continuity of operations. Although
every corporation has its own plan suited to its situation, every plan should be
workable. The control issues include, among others, the following:

a) Second-site backup – provides duplicate data processing facilities following a
disaster.

b) Identifying critical applications – The firm's critical applications and data files
must be identified and restored during a DRP. Immediate recovery efforts must focus
on restoring the data critical to the organization's survival, such as functions
that involve the firm's cash flow position.

c) Performing backup and off-site storage – Critical files and the supplies needed to
perform critical functions should be specified in the DRP. Personnel should
routinely perform backup and storage procedures to safeguard critical resources.

d) Testing the plan – DRP tests must be performed periodically, because they provide
a measure of the preparedness of personnel and identify omissions or bottlenecks
in the plan.

DISCUSSION QUESTIONS:

1. Discuss the key features of SOX 302 and 404.
2. Discuss the differences between the attest function and assurance services.
3. Explain how general controls impact transaction integrity and the financial
reporting process.
4. What fraud detection responsibilities (if any) does SOX impose on auditors?
5. Does a qualified opinion on management’s assessment of internal controls over
the financial reporting system necessitate a qualified opinion on the financial
statements? Explain.

PREFINAL

CONTROLLING THE OPERATING SYSTEM

The computer's control program is called the operating system; it allows users and
their applications to share and access common computer resources (processors, main
memory, databases, printers). Should the integrity of the operating system be
compromised, controls within individual accounting applications may also be
circumvented or, worse, neutralized. Because the operating system is common to all
users, the larger the computer facility of an entity, the greater the potential damage.

TASKS OF THE OPERATING SYSTEM

1. Translates high-level languages.
2. Allocates computer resources to users, workgroups and applications.
3. Manages the tasks of job scheduling and programming.

OBJECTIVES

The following objectives of the operating system are attained when the above-mentioned
tasks are performed reliably and consistently:

A. Protect itself from users. Users should not be able to gain control of the system
in a way that could damage data or stop the system from running.

B. Protect users from each other. Users must be independent of each other and must
not be able to corrupt, destroy or access the programs or data of another user.

C. Protect users from themselves. The modules of a user's application, each stored
with its own data, must not corrupt another module.

D. The operating system must be protected from itself. The individual modules
comprising the system must not corrupt or destroy one another.

E. The operating system must be protected from its environment. During a power
failure, the operating system should be able to achieve a controlled termination
of activities from which it can later recover.

THREATS TO OPERATING SYSTEM INTEGRITY

The control objectives of the operating system may not be achieved when the system is
exploited either accidentally, as when hardware failures cause the system to crash, or
intentionally, as in illegal access to data or violation of privacy for personal gain.

Why do these situations occur? These exposures arise primarily from the following
sources:

1. Privileged personnel, such as programmers and systems administrators who require
unlimited access to the operating system, abusing their authority.

2. Individuals inside or outside the organization who browse the system to identify
and exploit security flaws.

3. Individuals who accidentally or intentionally insert computer viruses or other
forms of destructive programs into the system.

Overall, these exposures share a common cause: the way access privileges are assigned
to individuals influences system security. That being the case, privileges should be
carefully administered and closely monitored for compliance with organizational policy
and the principles of internal control.

As an auditor, one should verify all access rights and privileges granted to every
individual. Policies for separating incompatible functions must be consistent with the
organization's policy.

AUDIT PROCEDURES RELATING TO ACCESS PRIVILEGES

To attain the above objectives, the following audit procedures must be in place and
observed:

o Review the organization's policies for separating incompatible functions and
ensure that they promote reasonable security.

o Review the privileges of a selection of user groups and individuals to determine
whether their access rights are appropriate for their job descriptions and
positions. The auditor should verify that individuals are granted access to data
and programs based on their need to know.

o Review personnel records to determine whether privileged employees undergo an
adequately intensive security clearance check in compliance with company policy.


o Review employee records to determine whether users have formally
acknowledged their responsibility to maintain the confidentiality of company
data.

o Review the users’ permitted log-on times. Permission should be commensurate
with the tasks being performed.
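The privilege review, the separation-of-duties check and the log-on time check described above can be automated once the access lists have been extracted. The following Python script is an added illustration written for this module; it is not code from the course or from the referenced textbooks. The role matrix, the incompatible-function pairs, the log-on windows, the user records and the log-on events are all constructed sample data, and the privilege names are hypothetical.

```python
"""Access-privilege review: compares granted privileges against a role
matrix (need to know), flags segregation-of-duties conflicts, and checks
log-on events against permitted log-on windows.  All data is constructed
for illustration; privilege names are hypothetical."""
from datetime import datetime, time

# Role-to-privilege matrix: what each position is entitled to (constructed).
ROLE_PRIVILEGES = {
    "accounts_payable_clerk": {"ap.invoice.create", "ap.invoice.view"},
    "ap_supervisor":          {"ap.invoice.view", "ap.invoice.approve"},
    "sysadmin":               {"os.root", "os.user.manage"},
}

# Pairs of privileges that no single individual should hold together
# (incompatible functions under the separation-of-duties policy).
INCOMPATIBLE = [
    ("ap.invoice.create", "ap.invoice.approve"),
    ("ap.vendor.create",  "ap.invoice.create"),
]

# Permitted log-on window per role as (start, end) local time (constructed).
LOGON_WINDOWS = {
    "accounts_payable_clerk": (time(7, 0), time(19, 0)),
    "ap_supervisor":          (time(7, 0), time(19, 0)),
    "sysadmin":               (time(0, 0), time(23, 59)),
}

# Constructed user records: the privileges each user actually holds.
USERS = {
    "jdoe":   {"role": "accounts_payable_clerk",
               "granted": {"ap.invoice.create", "ap.invoice.view", "ap.invoice.approve"}},
    "msmith": {"role": "ap_supervisor",
               "granted": {"ap.invoice.view", "ap.invoice.approve"}},
    "root1":  {"role": "sysadmin",
               "granted": {"os.root", "os.user.manage", "ap.vendor.create"}},
}

# Constructed log-on events: (user, ISO timestamp).
LOGONS = [
    ("jdoe",   "2024-03-04T08:15:00"),
    ("jdoe",   "2024-03-04T23:40:00"),
    ("msmith", "2024-03-05T12:00:00"),
]


def excess_privileges(users=USERS, matrix=ROLE_PRIVILEGES):
    """Privileges a user holds beyond what the role matrix allows."""
    result = {}
    for user, rec in users.items():
        extra = rec["granted"] - matrix[rec["role"]]
        if extra:
            result[user] = sorted(extra)
    return result


def sod_conflicts(users=USERS, pairs=INCOMPATIBLE):
    """Users holding both halves of an incompatible-function pair."""
    found = []
    for user, rec in users.items():
        for a, b in pairs:
            if a in rec["granted"] and b in rec["granted"]:
                found.append((user, a, b))
    return found


def logons_outside_window(logons=LOGONS, users=USERS, windows=LOGON_WINDOWS):
    """Log-on events that fall outside the role's permitted hours."""
    out = []
    for user, stamp in logons:
        start, end = windows[users[user]["role"]]
        t = datetime.fromisoformat(stamp).time()
        if not (start <= t <= end):
            out.append((user, stamp))
    return out


if __name__ == "__main__":
    print("Excess privileges:", excess_privileges())
    print("SoD conflicts:", sod_conflicts())
    print("Out-of-hours log-ons:", logons_outside_window())
```

Each function returns the exceptions the auditor would follow up: privileges granted beyond the role (jdoe holds approval rights a clerk does not need; the administrator holds a vendor-creation right unrelated to the job), a user who can both create and approve an invoice, and a clerk log-on at 23:40 outside the permitted window.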

ELECTRONIC DATA INTERCHANGE (EDI)

To coordinate sales and production operations and to maintain an uninterrupted flow of
raw materials, many organizations enter into a trading partner agreement with their
suppliers and customers. This agreement is the foundation for a fully automated business
process called Electronic Data Interchange, or EDI. EDI is generally defined as:

The intercompany exchange of computer-processible business information in
standard format.

ELECTRONIC DATA INTERCHANGE AUDIT TRAIL

For a transaction to be valid, both the customer and the supplier must establish that the
transaction between them is authorized. The following features must be present in
every EDI transaction:

1. EDI trading partners must permit access to private data files. For example, the prices
on the purchase order are binding on both parties.

2. A control log must be maintained. Because EDI has no source documents, the control
log records the transaction flow through each phase of the EDI system.


AUDIT OBJECTIVES RELATED TO EDI

Relative to the EDI audit trail, the auditor's objectives are as follows:

(1) All EDI transactions are authorized, validated, and in compliance with the
trading partner agreement.

(2) No unauthorized organizations gain access to database records.

(3) Authorized trading partners have access only to approved data.

(4) Adequate controls are in place to ensure a complete audit trail of all EDI
transactions.

To attain these objectives, the following audit procedures must be in place.

AUDIT PROCEDURES RELATED TO EDI

a) Test of authorization and validation – trading partner identification codes
are verified before transactions are processed.

b) Test of access controls – access to the valid vendor or customer file is limited
to authorized employees only.

c) The terms of the trading partner agreement pertaining to access privileges must be
periodically reconciled with the trading partner.

d) Test of audit trail controls – a transaction log must be present.
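The EDI controls described in the two sections above (verifying trading partner identification codes against the agreement, restricting partners to approved data, and keeping a control log of every phase) can be modelled in a few lines. The Python block below is an added example for this module and is not code from the course or its references. The partner codes, document type numbers, phase names and sample transactions are all constructed, and the trading partner agreement is a hypothetical data structure standing in for the real contract.

```python
"""EDI control-log check: validates trading-partner identification codes and
data items against the trading partner agreement before processing, records
each phase of a transaction in a control log (the substitute for a source
document), and tests that every accepted transaction has a complete trail.
All identifiers and data are constructed for illustration."""
from collections import defaultdict

# Constructed trading partner agreement: partner code -> document types the
# partner may send and the data items it is approved to exchange.
PARTNER_AGREEMENT = {
    "TP-1001": {"docs": {"850"}, "fields": {"item", "qty", "price"}},  # customer: purchase orders
    "TP-2002": {"docs": {"810"}, "fields": {"item", "qty", "price"}},  # supplier: invoices
}

# Phases every accepted transaction must pass through, in order.
PHASES = ("received", "translated", "validated", "posted")


class ControlLog:
    """Records the flow of each EDI transaction through the system phases."""

    def __init__(self):
        self.entries = defaultdict(list)   # transaction id -> phases logged
        self.rejected = []                 # (transaction id, reason)

    def record(self, txn_id, phase):
        self.entries[txn_id].append(phase)

    def reject(self, txn_id, reason):
        self.rejected.append((txn_id, reason))


def validate(txn, agreement=PARTNER_AGREEMENT):
    """Authorization and validation test: None if the transaction is allowed
    under the agreement, otherwise the reason for rejection."""
    partner = agreement.get(txn["partner"])
    if partner is None:
        return "unknown trading partner"
    if txn["doc"] not in partner["docs"]:
        return "document type not permitted for partner"
    extra = set(txn["data"]) - partner["fields"]
    if extra:
        return "unapproved data items: " + ",".join(sorted(extra))
    return None


def process(transactions, log=None):
    """Run transactions through the phases, logging each step."""
    if log is None:
        log = ControlLog()
    for txn in transactions:
        log.record(txn["id"], "received")
        log.record(txn["id"], "translated")
        reason = validate(txn)
        if reason:
            log.reject(txn["id"], reason)
            continue
        log.record(txn["id"], "validated")
        log.record(txn["id"], "posted")
    return log


def incomplete_trails(log):
    """Audit-trail test: accepted transactions missing any phase."""
    rejected = {t for t, _ in log.rejected}
    return sorted(t for t, phases in log.entries.items()
                  if t not in rejected and list(phases) != list(PHASES))


# Constructed sample transactions: one valid, one from an unknown partner,
# one with a document type the partner may not send, one with an
# unapproved data item.
SAMPLE = [
    {"id": "T1", "partner": "TP-1001", "doc": "850", "data": {"item": "A", "qty": 5, "price": 9.5}},
    {"id": "T2", "partner": "TP-9999", "doc": "850", "data": {"item": "A", "qty": 5}},
    {"id": "T3", "partner": "TP-2002", "doc": "850", "data": {"item": "B", "qty": 1, "price": 2}},
    {"id": "T4", "partner": "TP-1001", "doc": "850", "data": {"item": "A", "qty": 5, "credit_limit": 1}},
]

if __name__ == "__main__":
    log = process(SAMPLE)
    print("rejected:", log.rejected)
    print("incomplete trails:", incomplete_trails(log))
```

The rejected list is what procedure (a) and objective (3) look for: a transaction from a code not in the agreement, a partner sending a document type it is not entitled to, and a partner pushing a data item it was never approved for. `incomplete_trails` is the test for procedure (d): any accepted transaction whose log is missing a phase is an audit-trail exception.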


PROBLEM SOLVING:

OPERATING SYSTEM AND NETWORK CONTROL
Describe a well-controlled system in terms of access controls for a major insurance
company that equips each salesperson (life, property, and investments) with a laptop.
Each salesperson must transmit sales data daily to corporate headquarters. Further, the
salespeople use their laptops to connect to the company’s e-mail system.

_______________________________________________________________

FINAL

LABORATORY

COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES (CAATTs)

CAATTs, or Computer-Assisted Audit Tools and Techniques, refer to the use of technology
to help auditors evaluate controls by extracting and examining relevant data. The table
below serves as a guide to the auditor when implementing CAATTs:

IDENTIFY
1. Use the audit plan to identify where CAATs can be used.
2. Focus on recognizing specific audit needs.
3. Identify the data necessary to achieve the required results.
4. Document data requirements, i.e. the what, where, how and who.

OBTAIN
1. Be forward thinking about timescales for data and resource requests.
2. Make sure you use the data requirements document, and keep it relevant to ensure
the process is repeatable.

TEST
1. Ensure you have a clear plan and understanding of the tests you will perform.
2. Use the most appropriate tool for your defined testing.
3. Consider the volume of data you will be testing; this will impact the required
resource and time.

ARTICULATE
1. Emphasize that conclusions are based on the full population size, not just a sample
of data, to add weight to your observations.
2. Draw out root causes; errors identified could be symptoms of larger issues.

CAATTs come in many forms, and each of them is discussed here.

1. TEST DATA METHOD - is used to establish application integrity by processing
specially prepared sets of input data through production applications that are
under review. The results of each test are compared to predetermined
expectations to obtain an objective assessment of application logic and control
effectiveness.

2. BASE CASE SYSTEM EVALUATION - is a variant of the test data approach in which a set
of test transactions is processed through repeated iterations until valid results
are obtained. Effects are evaluated by comparing current results against the base case.

3. TRACING - performs an electronic walkthrough of the application’s internal logic.
It involves three steps:

4. THE INTEGRATED TEST FACILITY (ITF) - enables the auditor to test an application’s
logic and controls during its normal operation. It relies on one or more audit modules
designed into the application during the systems development process.


5. PARALLEL SIMULATION - involves creating a program that simulates key features
or processes of the application and is used to reprocess transactions that the
production application previously processed.

6. EMBEDDED AUDIT MODULE - uses one or more programmed modules embedded
in a host application to select transactions that meet predetermined conditions.

7. GENERALIZED AUDIT SOFTWARE - allows auditors to access electronically coded
data files and perform various operations on their contents.
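Two of the techniques above, the test data method (item 1) and parallel simulation (item 5), share the same mechanics: process inputs through logic that is independent of the production program and compare the results against a predetermined expectation. The Python block below is an added illustration for this module, not code from the course or its references. The billing application, its discount and VAT rules, the production invoice file and the test cases are all constructed; the 10 percent volume discount at 100 units and the 12 percent VAT are hypothetical rules chosen only so that the comparison has something concrete to check.

```python
"""Parallel simulation and test-data checks over a constructed billing
application.  The auditor's simulation recomputes invoice totals from the
same inputs the production program processed and compares the two; the
test-data method then feeds prepared boundary cases with known answers.
All rules and data are constructed for illustration."""
from decimal import Decimal, ROUND_HALF_UP

# Hypothetical pricing rules the application is supposed to implement:
# 10 % discount on any line with quantity >= 100; 12 % VAT on the net.
DISCOUNT_THRESHOLD = 100
DISCOUNT_RATE = Decimal("0.10")
VAT_RATE = Decimal("0.12")


def money(x):
    """Round to two decimals, half up, as a billing system would."""
    return Decimal(x).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def simulate_invoice(lines):
    """Auditor's independent re-computation of an invoice total.
    lines is a list of (quantity, unit_price_as_string)."""
    net = Decimal("0")
    for qty, unit_price in lines:
        gross = Decimal(qty) * Decimal(unit_price)
        if qty >= DISCOUNT_THRESHOLD:
            gross -= gross * DISCOUNT_RATE
        net += gross
    return money(net + net * VAT_RATE)


# Constructed extract of production output: invoice id -> (lines, total the
# production program actually produced).  INV-3 carries a deliberate error
# (discount not applied) so the comparison has an exception to report.
PRODUCTION = {
    "INV-1": ([(10, "5.00")], "56.00"),
    "INV-2": ([(100, "2.00")], "201.60"),
    "INV-3": ([(150, "1.00")], "168.00"),
}


def parallel_simulation(production=PRODUCTION):
    """Reprocess every production transaction through the simulation and
    return {invoice: (production_total, simulated_total)} for mismatches."""
    exceptions = {}
    for inv_id, (lines, prod_total) in production.items():
        sim = simulate_invoice(lines)
        if sim != money(prod_total):
            exceptions[inv_id] = (money(prod_total), sim)
    return exceptions


# Test-data method: specially prepared inputs with predetermined results,
# including boundary cases on either side of the discount threshold.
TEST_DATA = [
    ([(99, "1.00")],  "110.88"),   # just below threshold: no discount
    ([(100, "1.00")], "100.80"),   # at threshold: discount applies
    ([(0, "9.99")],   "0.00"),     # zero quantity
]


def run_test_data(process=simulate_invoice, cases=TEST_DATA):
    """Run each test case through `process` and return the cases whose
    result differs from the predetermined expectation."""
    failures = []
    for lines, expected in cases:
        actual = process(lines)
        if actual != money(expected):
            failures.append((lines, money(expected), actual))
    return failures


if __name__ == "__main__":
    print("Parallel simulation exceptions:", parallel_simulation())
    print("Test data failures:", run_test_data())
```

`run_test_data` takes the program under test as a parameter so the same prepared cases can be pointed at the production application once the auditor has an interface to it; here it is run against the simulation itself to show the expectations hold. In parallel simulation the auditor reproduces only the key features (here the discount and tax), so a mismatch is a lead to investigate, not automatically an error in production.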

SUBSTANTIVE TESTING TECHNIQUE

Aside from the CAATTs described above, which the auditor uses to test controls during
the engagement, substantive tests are used to substantiate the amounts appearing in
the account balances.

Substantive tests include but are not limited to the following:

1. Determining the correct value of inventory.

2. Determining the accuracy of prepayments and accruals.

3. Confirming accounts receivable with customers.

4. Searching for unrecorded liabilities.

Before substantive tests can be performed, the relevant data must first be extracted from
its host media and presented to the auditor in usable form.
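As an added example of what generalized audit software does with extracted data, the Python block below performs substantive test 4, the search for unrecorded liabilities. It is written for this module and is not code from the course or its references. The two extracts (the accounts payable ledger at year end and the cash disbursements made after year end) are embedded as constructed CSV text standing in for files pulled from the host system; the vendor codes, invoice numbers, amounts and dates are all made up.

```python
"""Substantive test: search for unrecorded liabilities.  Reads two extracts
(embedded here as constructed CSV text), joins them on vendor and invoice,
and lists post-year-end payments for goods or services received before
year end that had no recorded payable at the balance sheet date."""
import csv
import io
from datetime import date

YEAR_END = date(2023, 12, 31)   # constructed balance sheet date

# Constructed extract of the accounts payable ledger at year end.
AP_LEDGER = """vendor,invoice,amount
V100,INV-A,1200.00
V200,INV-B,300.00
"""

# Constructed extract of cash disbursements made after year end.
# service_date is when the goods/services were received.
DISBURSEMENTS = """vendor,invoice,amount,paid_on,service_date
V100,INV-A,1200.00,2024-01-10,2023-12-15
V300,INV-C,850.00,2024-01-12,2023-12-28
V200,INV-D,150.00,2024-01-20,2024-01-05
V200,INV-B,300.00,2024-01-22,2023-12-20
"""


def read_extract(text):
    """Parse a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def unrecorded_liabilities(ap_text=AP_LEDGER, disb_text=DISBURSEMENTS,
                           year_end=YEAR_END):
    """Return post-year-end disbursements that relate to the period under
    audit but were not accrued in the year-end payables ledger."""
    recorded = {(r["vendor"], r["invoice"]) for r in read_extract(ap_text)}
    exceptions = []
    for d in read_extract(disb_text):
        served = date.fromisoformat(d["service_date"])
        paid = date.fromisoformat(d["paid_on"])
        belongs_to_period = served <= year_end
        paid_after = paid > year_end
        key = (d["vendor"], d["invoice"])
        if paid_after and belongs_to_period and key not in recorded:
            exceptions.append({"vendor": d["vendor"],
                               "invoice": d["invoice"],
                               "amount": float(d["amount"])})
    return exceptions


def total_exposure(exceptions):
    """Sum of the amounts that appear to be unrecorded at year end."""
    return round(sum(e["amount"] for e in exceptions), 2)


if __name__ == "__main__":
    found = unrecorded_liabilities()
    print("Unrecorded liabilities:", found)
    print("Total:", total_exposure(found))
```

Of the four disbursements, INV-A and INV-B were accrued and INV-D relates to service received after year end, so only INV-C (850.00, received 28 December, paid 12 January, absent from the ledger) is an exception. The test works over the full disbursement population rather than a sample, which is the point made under ARTICULATE in the CAATT guide above.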


PROBLEM SOLVING:

INPUT CONTROLS AND DATA PROCESSING

A catalog company has hired you to computerize its sales order entry forms.
Approximately 60 percent of all orders are received over the telephone, with the
remainder received by either mail or fax. The company wants the phone orders to be
input as they are received. The mail and fax orders can be batched together in groups of
50 and submitted for keypunching as they become ready. The following information is
collected for each order:
✓ Customer number (if the customer does not have one, one needs to be assigned)
✓ Customer name
✓ Address
✓ Payment method (credit card or money order)
✓ Credit card number and expiration date (if necessary)
✓ Items ordered and quantity
✓ Unit price

REQUIRED:
Determine control techniques to make sure that all orders are entered accurately into the
system. Also, discuss any differences in control measures between batch and real-time
processing.

