AT - AUDIT IN A COMPUTERIZED ENVIRONMENT Flashcards

1
Q

What are the characteristics of a Computer Information System?

A
  1. Vulnerability of data and program storage media - information on a computer can easily be changed, leaving no trace of the original content.
  2. Consistency of performance - the computer processes transactions uniformly.
  3. Lack of visible transaction trails - data can be entered directly without supporting documents.
  4. Ease of access to data and computer programs - may be accessed/altered by unauthorized persons.
  5. Concentration of duties - functions that are normally segregated in manual processing are combined in a CIS environment. A properly programmed computer has no tendency/motivation to commit irregularities or conceal its errors.
2
Q

What are the two internal control procedures in a CIS environment?

A
  1. General Controls
  2. Application Controls

3
Q

What is General Control? What are its components?

A

General controls are those control policies and procedures that relate to the OVERALL COMPUTER INFORMATION SYSTEM (CIS), which include:

  1. Monitoring controls
  2. Organizational controls
  3. Systems development and documentation controls
  4. Access controls
  5. Data recovery controls
4
Q

What are monitoring controls under general controls?

A

It is designed to ensure that CIS controls are working effectively as planned by periodic evaluation of the adequacy and effectiveness of the overall CIS operations.

5
Q

What are organizational controls under general controls?

A

It includes the segregation between the user and CIS department and segregation of duties within the CIS department.

  1. User department initiates transactions; CIS processes these transactions.
  2. Functions within the CIS are segregated - as a minimum, SYSTEMS DEVELOPMENT AND COMPUTER OPERATIONS MUST BE SEGREGATED, and COMPUTER OPERATORS SHOULD NOT PARTICIPATE IN THE PROGRAM DESIGN.
6
Q

Discuss the components of a CIS department.

A

CIS director - exercises control over CIS operations

SYSTEMS DEVELOPMENT
  1. Systems analyst - designs new systems, evaluates and improves existing systems, and prepares specifications for programmers.
  2. Programmer - guided by the specifications of the systems analyst, writes a program and prepares the computer operating instructions.

OPERATIONS
  1. Computer operator - uses the program prepared by the programmer to process transactions.
  2. Data entry operator - prepares and verifies input data for processing.

OTHER FUNCTIONS
  1. Librarian - maintains custody of systems documentation, programs and files.
  2. Control group - reviews all input procedures, monitors processing.
7
Q

What are systems development and documentation controls under general controls?

A

It tests and modifies programs, if needed, by the CIS and user department. It also maintains adequate systems documentation in order to facilitate the use of the program as well as changes that may be made later into the system.

8
Q

What are data recovery controls under general controls?

A

It provides for the MAINTENANCE OF BACK-UP FILES AND OFF-SITE STORAGE PROCEDURES.

9
Q

What are access controls under general controls?

A

It involves adequate security controls to protect equipment, files and programs.

10
Q

What are Application controls?

A

Application controls are those policies and procedures that relate to the SPECIFIC USE OF THE SYSTEM. They are designed to PROVIDE REASONABLE ASSURANCE THAT ALL TRANSACTIONS ARE AUTHORIZED AND PROCESSED COMPLETELY, ACCURATELY, AND ON A TIMELY BASIS. Their components are:

  1. Controls over input
  2. Controls over processing
  3. Controls over output
11
Q

What are controls over input? Give examples and explain each.

A

Controls over input are designed to provide reasonable assurance that DATA SUBMITTED FOR PROCESSING ARE COMPLETE, AUTHORIZED, AND ACCURATELY TRANSLATED INTO MACHINE READABLE FORM. It includes:

  1. Key verification - requires data to be entered twice to ensure no key entry errors are made.
  2. Field check - Ensures that input data agree with the required field (Ex: must contain 10 numbers for SSS)
  3. Validity check - information entered is compared with that in the master file to determine the authenticity of the input (Ex: 1 for male, 2 for female, 3 is a wrong input)
  4. Self-checking digit - mathematically calculated digit to detect common transitional errors in data submitted for processing
  5. Limit check - ensures that data for processing DOES NOT EXCEED A PRE-DETERMINED LIMIT OR A REASONABLE AMOUNT
  6. Control totals - Ensures the completeness of data submitted for processing
12
Q

What are controls over processing?

A

Processing controls are designed to provide reasonable assurance that INPUT DATA ARE PROCESSED ACCURATELY AND THAT DATA ARE NOT LOST.

13
Q

What are controls over output?

A

Output controls are designed to provide reasonable assurance that the results processed are complete and accurate and that the outputs are DISTRIBUTED TO AUTHORIZED PERSONNEL ONLY.

14
Q

What are the auditor’s choices when he wants to test the application controls?

A
  1. Audit around the computer
  2. CAAT (Computer Assisted Audit Techniques)

15
Q

What is auditing around the computer?

A

It involves examination of documents and reports to determine the reliability of the system. Input data are simply reconciled with output data to verify the accuracy of processing. It is also known as the “BLACK BOX APPROACH”. It can only be used when there are visible input documents and detailed output.

16
Q

What are Computer Assisted Audit Techniques?

A

CAAT aka “WHITE BOX APPROACH” is used when no visible evidence is available. CAAT are computer programs which the auditor uses to process data of audit significance. Common CAAT include:

  1. Test Data
  2. Integrated Test Facility
  3. Parallel Simulation
  4. Snapshots
  5. Systems control audit review files (SCARF)
17
Q

What is test data?

A

Test data technique is designed to test the effectiveness of internal control procedures which are incorporated in the client’s computer program.

The auditor PREPARES TEST DATA THAT CONSISTS OF VALID AND INVALID CONDITIONS and enters these into the auditee’s computer program. The auditor should know what the output should look like, assuming the client’s program functions effectively. The expected output and actual output are then compared to determine the reliability of the program.

Its disadvantage is that the AUDITOR DOES NOT HAVE AN ASSURANCE THAT THE PROGRAM TESTED IS THE SAME PROGRAM THE AUDITEE USED THROUGHOUT THE ACCOUNTING PERIOD.

18
Q

What is integrated test facility?

A

ITF integrates the processing of test data with the actual processing of ordinary transactions WITHOUT MANAGEMENT BEING AWARE OF THE TESTING PROCESS. The auditor creates dummy/fictitious accounts in testing within the auditee’s computer system.

Its disadvantage is that it may CONTAMINATE THE MASTER FILE.

19
Q

What is parallel simulation?

A

Parallel simulation requires the auditor to WRITE A PROGRAM THAT SIMULATES KEY FEATURES/PROCESSES OF THE PROGRAM UNDER REVIEW. The simulated program is then used to REPROCESS TRANSACTIONS PREVIOUSLY PROCESSED BY THE CLIENT’S PROGRAM. The auditor then compares the results obtained. Parallel simulation can be done by using either:

  1. Generalized audit software - consists of generally available computer packages designed to perform common audit tasks
  2. Purpose-written programs - designed to perform audit tasks in specific circumstances.
20
Q

What are snapshots?

A

Snapshots is an audit technique which involves taking a picture of a transaction as it flows through the computer system, permitting the auditor to track data and evaluate the computer processes applied to the data.

21
Q

What is SCARF?

A

Systems control audit review files is a technique that involves embedding audit software modules within an application system to provide continuous monitoring of the system’s transactions. The information collected is sent to a special computer file that the auditor can examine.