CIS Chapter 1


What is a computerized information system?

*Information system - collection, processing, storing, and distributing information

*Example: MQC (grades -> teacher process grades -> store (registrar) -> online portal)

*MQC (cash collected from students -> finance/accounting -> store (computer) -> FS (cash))

CIS vs Manual Accounting

1. Meaning

*Columnar Journal, worksheet vs Quickbooks

*Practice Set

2. Recording

*You cannot record a transaction without the books at hand vs Quickbooks (mobile app/laptop)

3. Calculation

*Prone to error vs more accurate information

*Sample (Quickbooks Journal Entry and Sales Invoice)

Almost all entities employ a computerized accounting system rather than a manual one

*Quickbooks/Xero/SAP others

*Accountants' work is made easy, but auditors are challenged

Characteristics of Computerized Accounting Systems

Both advantage and disadvantage

Lack of Visible Transaction Trail - one of the reasons why auditors have a hard time

1. Manual (physical paper) vs CIS virtual documents (PDF invoice) - cannot be read without a computer.

• Auditors need a PDF reader and other software to read the documents

2. Sample Sale Transactions via quickbooks

Consistency of Performance

1. Programmed (AI technology)- Uniform manner (less clerical errors)

2. If programmed incorrectly, errors are also consistent (controls)

Ease of Access to data and computer Program


1. Data can be altered without evidence (in paper there is a trace)

2. Controls : Passwords and audit trails (history)

Concentration of Duties

1. Recording/Disbursement in Manual Accounting (Lapping/Fraud) vs Automated (Bill Pay and recording)

2. Incompatible duties can be combined in a CIS environment, cost benefit

3. AI has no motivation to commit fraud

System Generated Transactions

1. Automated transactions - depreciation, recurring expenses (Utilities etc)/Late fees

2. Journal Entries automation

Vulnerability of Data and program storage media

1. Manual – information can be destroyed by fire or deterioration, but paper records are much safer and not easy to alter

2. CIS - easy deletion, viruses or corruption (BDO)

Internal Control in a CIS Environment

- Prevent something from happening (safeguard): frauds, errors (factory: quality control)

*authorization

*segregation of duties

*recalculation/checking

General Controls

1. These relate to the overall computer information system

a. Segregation between the CIS department and the users

- CIS/IT dept is separated from users and all other departments (sales, purchasing department, etc.)

- To avoid fraud – a user who wants to commit fraud can do it if he also has duties in the CIS Dept

b. Segregation of duties within the CIS department

Input data - salaries, collections, billings


Systems Development Team

While systems analysts design and develop software and computer systems,
Computer Programmers are responsible for implementing designs by writing computer programs.

Architect and Engineer

Computer Operations Team

• Computer Operator - processor (from the initiation of a user department)

• Data Entry Operator - (automated)

OTHER FUNCTIONS

• Librarian – cloud (today)

• Control Group- internal auditor of the CIS department

• Drawbacks = very costly

• In today’s time these are replaced by machines

Systems Development and Documentation Control

For Old system:

- any changes in the system should be approved by the users and management

For new systems:

- PILOT TESTING is defined as a type of Software Testing that verifies a component of the system
or the entire system under a real-time operating condition.

- see the error before implementing

- CIS and user are involved

- User's Manual

- Flowchart

Documentation Control

The collection of documents that describes the requirements, capabilities, limitations, design, operation,
and maintenance of a system, such as a communications, computing, or information processing system

- Important in case of termination or audit of control group

Access Control
• Password (Show QB log in)

• Pass on files (MS Security)

Data Recovery Control – back up files and off site storage procedures

- Computer files are copied daily and stored OFF SITE (USB, diskette)

- Cloud-based technology (online): Google Drive, Dropbox, built-in system (QuickBooks Online)

- Grandfather – father – son

Grandfather – monthly (Offsite or cloud)

Father - more frequent (weekly) stored locally easily accessed

Son - daily back up stored locally

In the traditional GFS approach, a full backup is completed on the same day of each month (for example,
the last day of each month or the fourth Friday of each month—however you want to define it). This is
the “grandfather” cycle. It’s best practice to store this backup off-site or in the cloud. This also helps
satisfy the off-site requirement of a 3-2-1 strategy.

Next, another full backup is set to run on a more frequent basis, like weekly. Again, you can define when
exactly this full backup should take place, keeping in mind your business’s bandwidth requirements.
(Because full backups will most definitely tie up your network for a while!) This is the “father” cycle, and,
ideally, your backup should be stored locally and/or in hot cloud storage, like Backblaze B2 Cloud
Storage, where it can be quickly and easily accessed if needed.

Last, plan to cover your bases with daily incremental backups. These are the “son” backups, and they
should be stored in the same location as your “father” backups.
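The rotation above determines which backups a restore needs. The following sketch is an added example, not part of the original notes; it assumes the grandfather runs on the last day of each month and the father every Sunday, and the function names are hypothetical.

```python
from datetime import date, timedelta
import calendar

def backup_tier(day: date) -> str:
    """Classify the backup taken on `day` under the GFS rotation.
    Assumptions: grandfather on the last day of the month, father on Sundays."""
    last_day = calendar.monthrange(day.year, day.month)[1]
    if day.day == last_day:
        return "grandfather"   # monthly full backup, off-site or cloud
    if day.weekday() == 6:     # Monday is 0, Sunday is 6
        return "father"        # weekly full backup, local or hot cloud storage
    return "son"               # daily incremental, stored with the father backups

def restore_chain(target: date) -> list:
    """Backups needed to restore to `target`, oldest first: the latest full
    backup on or before the target, then every incremental taken after it."""
    chain = []
    day = target
    # Walk back over the incrementals until a full backup is reached.
    while backup_tier(day) == "son":
        chain.append((day, "son"))
        day -= timedelta(days=1)
    chain.append((day, backup_tier(day)))
    return list(reversed(chain))

if __name__ == "__main__":
    for day, tier in restore_chain(date(2024, 5, 15)):
        print(day.isoformat(), tier)
```

A restore to a Wednesday depends on the Sunday full backup plus three incrementals, so losing any one "son" in that chain breaks recovery for the days after it.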

Monitoring Controls

• Periodic evaluation and assessment – may be conducted by an external IT Auditor

Application control – specific use of a system or software

- all transactions are authorized, complete, accurate and timely

1. Processing of Transactions in CIS Environment

a. Input - capturing/entering of transactions in the system (conversion of human readable information to computer readable)

- In CIS, typing of transactions (raw data/details of it)

- Crucial because this is the raw material; prone to error (manual)

b. Process – conversion of raw data to useful information

- Automatic posting to the journal, ledger, sub ledger (as programmed by the system analyst)

c. Output – preparation of different kinds of reports (IS, BS, Aging)

2. You should have “controls” – safeguards in each of these 3 processes (completeness, accuracy, timeliness)

Specific app, or program you are using (Xero Quickbooks)

- goal : completeness and accuracy of the records/validity of the entries made,

1. Input Control

- data should be properly authorized and approved

- human readable data to computer readable data

- prone to error – that is why we need control

- reasonable assurance that the data submitted for processing are complete, authorized and accurate

Preventive control/Origination controls

A. Key Verification

- Data are entered twice (usually by different persons) to ensure that no key-entry errors are committed.

B. Field Check - a certain field is designed to contain only specific data (numbers/letters/alphanumeric)

- (QTY = Number, Price = Number, invoices (invoice number, customer number))

- error will be detected and error message will appear

- missing data check

- duplicates are also avoided

- field size

C. Validity Check – Comparison with valid information in the master file to determine
“authenticity” of the input.

- There is already a predetermined file that contains the “valid information”

- Inputting payroll expenses for current employees (not ghost employee)

- look up check

D. Self Checking Digit - mathematically calculated digit which is usually added to a document number to detect errors

- secret formula. No one knows about this, only the programmers

• letter/digit errors, such as l → 1 or O → 0

• transposition errors, such as 12 → 21

• twin errors, such as 11 → 22

• jump transpositions errors, such as 132 → 231

• phonetic errors, such as 60 → 16

• Transplacement 1,234 > 123.40

E. Limit Check - data do not exceed predetermined amount/limit or reasonable amount/number of characters (sample) - quantitative in nature

- Invoice numbers have 4 digits, SSS numbers have 8 digits

F. Control Totals - totals are automatically calculated by the system to ensure completeness

• Financial Totals – limit or to avoid overage or deficit

• Hash Totals - A method for ensuring that data have not been altered (manual comparison); sum of document numbers, meaningless for financial purposes

• Record Counts - number of documents processed in a batch; before the information on the documents is entered, the user counts how many documents there are, then manually compares the count to the computer-generated batch total

Batch Total Input Control – The sum of a particular field in a collection of items used as a control total to
ensure that all data has been entered into the computer (completeness)
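The self-checking digit in item D, as an added example that is not part of the original notes. It uses the public Luhn (mod 10) formula as a stand-in, since the notes do not name a formula; the document number is constructed, and the run shows that Luhn rejects adjacent transpositions but accepts the jump transposition 132 → 231.

```python
# Added illustration. Luhn (mod 10) is a public scheme used as a stand-in;
# the page does not say which check-digit formula a given system uses.

def luhn_check_digit(payload: str) -> str:
    """Return the digit that makes payload + digit pass the Luhn test."""
    total = 0
    # Walk right to left, doubling every second digit starting with the rightmost.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def is_valid(number: str) -> bool:
    """Field check (digits only), then recompute and compare the check digit."""
    if len(number) < 2 or not (number.isascii() and number.isdigit()):
        return False
    return luhn_check_digit(number[:-1]) == number[-1]

# Constructed sample: hypothetical document number 13245 plus its check digit.
DOCUMENT_NO = "13245" + luhn_check_digit("13245")      # "132456"

# Constructed keying errors, named after the error types listed above.
KEYED = {
    "correct": "132456",
    "letter for digit (1 -> l)": "l32456",
    "single wrong digit": "132466",
    "transposition (32 -> 23)": "123456",
    "jump transposition (132 -> 231)": "231456",
}

def check_keyed_entries(entries=KEYED) -> dict:
    """Map each keyed value to True (accepted) or False (rejected)."""
    return {label: is_valid(value) for label, value in entries.items()}

if __name__ == "__main__":
    for label, accepted in check_keyed_entries().items():
        print(f"{label:32} {'accepted' if accepted else 'REJECTED'}")
```

The accepted jump transposition is why a check digit is paired with a validity (look-up) check against the master file rather than relied on alone.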

Processing Controls

Why do we need processing controls? If input controls fail or do not detect errors, the hope is that the errors will be caught by the processing controls

Error/Report or Exception Report:

These processing controls are embedded (incorporated) in the system during its development stage (by the programmer)

Processing Controls – provide reasonable assurance that the input data are processed accurately, and that the data are not lost, excluded, duplicated, or improperly changed. Almost all input controls are also processing controls

All input controls are processing controls as well.

1. Integrity test/ Validity Check (input control) - is the transaction appropriate to process? (is this
employee existing?)

2. Sequence test – Transactions are in a correct and complete sequence (check #)

3. Input Control totals verification - Has built-in software that recalculates totals in the input phase

4. Label Checks – prevent processing the wrong file

- Must be properly programmed in the system

5. Limit and Reasonable checks – if the amount is unreasonable or beyond the predetermined limit, the application will not process it

6. Matching control – the system will not process unless all documents are in the system (3-way matching: PO + Rec Report + Vendor Invoice)
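The control totals from the input controls (financial total, hash total, record count) and their recalculation in processing control 3, as an added example that is not part of the original notes. Document numbers, amounts and function names are constructed; each scenario shows which total exposes which kind of error.

```python
from decimal import Decimal

def control_totals(batch):
    """Control totals over a batch of (document_no, amount) records."""
    return {
        "record_count": len(batch),
        # Sum of document numbers: meaningless financially, useful for comparison.
        "hash_total": sum(doc_no for doc_no, _ in batch),
        "financial_total": sum((amount for _, amount in batch), Decimal("0")),
    }

def reconcile(header, keyed_batch):
    """Names of the control totals where the keyed batch disagrees with the header."""
    computed = control_totals(keyed_batch)
    return sorted(name for name in header if header[name] != computed[name])

# Constructed source documents (hypothetical invoice numbers and amounts).
SOURCE = [(1001, Decimal("250.00")), (1002, Decimal("1200.50")), (1003, Decimal("75.25"))]
# Batch header prepared from the paper documents before data entry.
HEADER = control_totals(SOURCE)

# Constructed versions of the batch as keyed into the system.
SCENARIOS = {
    "complete": SOURCE,
    "document dropped": SOURCE[:2],
    "wrong document number": SOURCE[:2] + [(1030, Decimal("75.25"))],
    "amount altered": [SOURCE[0], (1002, Decimal("1020.50")), SOURCE[2]],
    "document keyed twice": SOURCE + [SOURCE[0]],
}

def run_scenarios():
    """Scenario name -> list of control totals that fail to reconcile."""
    return {name: reconcile(HEADER, batch) for name, batch in SCENARIOS.items()}

if __name__ == "__main__":
    for name, failed in run_scenarios().items():
        print(f"{name:24} {failed or 'reconciles'}")
```

A wrong document number leaves the record count and financial total intact, so only the hash total flags it.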

Output Controls – provide reasonable assurance that the results of processing (FS or other reports) are
complete, accurate and MUST BE DISTRIBUTED ONLY TO AUTHORIZED USERS

If we did not catch the errors in the input and processing controls

- post processing step

- reviewer is somewhat knowledgeable about the output

1. Visual Review - PL monthly (trends)/ recalculation

2. Output comparison to original documents - random comparison (sales invoices vs sales in PL),
number of docs processed vs submitted for processing (sampling, no error should be seen)

3. Output distribution control (salary report confidential)

Test of Control = Intro (Consideration of Internal Control)

*Consideration of Internal Control

*Understanding and Assessment of Internal Control

*Test of Control - has an effect on NTE of substantive testing

Application controls - since these pertain to the program only

General Controls - Physical Observation, systems documentation checks, checking access controls etc.

Auditing around the computer (testing from the outside) – Used in Less Complex IT Environment/Simple IT (not reliant on IT)

- 3 main phases (Input, Process, Output)

- FOCUS - INPUT and OUTPUT (PROCESS - ignore)

- Process (blinded) - that is why it is called black box approach

- Data – client/auditee, Processing – client/auditee

• Input data are simply reconciled with the computer output to verify the accuracy of processing. (Data
(Input) > System > Output)

• Assumption: If the input reconciles with the output, then the computer program must have processed
the transaction accurately. (without testing the actual system)

• Blackbox approach/testing – visible input documents (paper) and detailed output that will enable the
auditor to trace individual transactions back and forth.

Example : Invoice (QB)

Auditing through the computer (CAATS)

- More Complex Environment (everything is electronic)

- Focus: if the Input and Process are good, you assume that the output is good

- has visibility (white box approach)

CAATS - computer assisted (use of a computer)

Program Testing

- literally testing the program

Program Analysis

- more complex, IT language, scripts etc.

Historical Audit Techniques VS. Continuous Audit Techniques

- Auditors are contracted ANYTIME during the year (beg or after)

- More likely , FS audit (historical- already done)

- Possible (beginning), continuous audit techniques, real-time audit (every transaction is audited AS IT HAPPENS) by the use of embedded software

Test Data Approach

- Testing data in the system


Questions :

Whose Data to be used? Auditor

Whose system/software are you using? – Client/Auditee

Data = valid and invalid > fictitious data (dummy/has intentional errors) created by the auditors
(Expectation/Behavior on the output already) (NO REAL CLIENT DATA Involved)

Process/System = Program by the auditee client

Data:

Expectation vs Reality

- Auditors have expectations to accept or reject certain transactions

- Auditor should think of (realistic) scenarios like fraud or error based on his understanding of the business

Example:

(employee number , sales over credit limit, excess hours) –

80 hours a week

Valid: 80 hours, 78 hours

Invalid: 81 hours, 82 Hours (if processed, weak internal system, extensive testing)

- If not caught, the processing is wrong

- Is it the same as the black box approach? No, because we are using the auditor's own data.
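The test data approach with the 80-hour limit above, as an added example that is not part of the original notes. Both "client" programs are hypothetical stand-ins (one with a deliberately missing limit check), and the employee numbers are constructed.

```python
MASTER_FILE = {"E001", "E002"}   # hypothetical employee master file
WEEKLY_LIMIT = 80                # limit taken from the example above

def client_edit(emp_no, hours):
    """Stand-in for the client's program: validity check plus limit check."""
    return emp_no in MASTER_FILE and 0 < hours <= WEEKLY_LIMIT

def client_edit_weak(emp_no, hours):
    """Same program with the limit check deliberately missing (weak control)."""
    return emp_no in MASTER_FILE and hours > 0

# Auditor's test deck: fictitious transactions, each with the outcome the
# auditor expects (True = accept, False = reject) decided before the run.
TEST_DECK = [
    ("E001", 78, True),
    ("E001", 80, True),
    ("E002", 81, False),
    ("E002", 82, False),
    ("E999", 40, False),   # employee not on the master file
]

def run_test_data(program, deck=TEST_DECK):
    """Process the deck through the program and return every case where
    reality differs from expectation: (emp_no, hours, expected, actual)."""
    exceptions = []
    for emp_no, hours, expected in deck:
        actual = program(emp_no, hours)
        if actual != expected:
            exceptions.append((emp_no, hours, expected, actual))
    return exceptions

if __name__ == "__main__":
    print("sound program:", run_test_data(client_edit))
    print("weak program: ", run_test_data(client_edit_weak))
```

An empty exception list supports reliance on the control; the two exceptions from the weak program are the 81-hour and 82-hour transactions that should have been rejected.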

Advantages:

1. Simple to operate. Requires limited technical knowledge

2. Helps the auditor learn how the system operates

Disadvantages:

1. Live testing is dangerous as it may contaminate client files/ Do not forget to ELIMINATE or REVERSE
the data

2. Confirms the operation of the program at the time it is tested.


Integrated test facility (Embedded Audit Module Approach)

Integrated test facility is a variation of the test data technique. The main difference is that instead of testing while the system is not in use, simulated data are added to the client's real data and processed simultaneously during the actual processing.

This is an automated and ongoing technique that enables the auditor to test an application's logic and controls during normal operations

Similar with test data but this time integrated in the program (embedded)

- (Unlike Test data = separate, run independently)

Data = both auditor and client (at the same time) (valid and invalid fictitious transactions)

System = The actual system by the auditee/client

Advantages:

1. Continuous monitoring of controls

2. Testing without interrupting the client operations and without the intervention of client
personnel

3. Testing can be scheduled and unknown to other staff

Disadvantages

1. Contamination of client data

Parallel Simulation

Not really auditing through a computer (parallel lines)

Data = Actual Client’s Data

System = Auditor's system (works the same based on logic - developed by the auditor or a programmer)

Separate Processing (do separate things)

Expectation = same results

Auditor’s system:

Purpose Written Programs / Generalized Audit Software

Data Client > Auditor’s Program (GAS/PWP) > Output

Data Client > Client’s Program (GAS/PWP) > Output

Output vs. Output

How do GAS and PWP work


GAS/PWP (insert > Extract Client Data > Reprocess/Recalculate)

Excel

- Extract the data from the computer system

- Sort, Age, Analyze

- Recalculating amounts

Reconcile your findings to their actual result (since you know what it should look like)
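Parallel simulation as described above (client data through the auditor's own program, then output vs. output), as an added example that is not part of the original notes. The invoice extract, the client output and the function names are constructed.

```python
from decimal import Decimal

# Constructed extract of client data: (invoice_no, quantity, unit_price).
CLIENT_DATA = [
    ("INV-0001", 10, Decimal("12.50")),
    ("INV-0002", 3, Decimal("199.99")),
    ("INV-0003", 7, Decimal("45.00")),
]

# Constructed output of the client's program for the same period.
CLIENT_OUTPUT = {
    "INV-0001": Decimal("125.00"),
    "INV-0002": Decimal("559.97"),   # differs from 3 x 199.99
    "INV-0003": Decimal("315.00"),
    "INV-0004": Decimal("80.00"),    # no supporting record in the extract
}

def auditor_program(data):
    """Auditor's own logic (stand-in for GAS/PWP): extend quantity x unit price."""
    return {inv: qty * price for inv, qty, price in data}

def compare_outputs(auditor_out, client_out):
    """Output vs. output: invoice -> (auditor amount, client amount) where they differ.
    None marks an invoice that appears on only one side."""
    differences = {}
    for inv in sorted(set(auditor_out) | set(client_out)):
        ours, theirs = auditor_out.get(inv), client_out.get(inv)
        if ours != theirs:
            differences[inv] = (ours, theirs)
    return differences

def parallel_simulation():
    """Reprocess the client data independently and reconcile the two outputs."""
    return compare_outputs(auditor_program(CLIENT_DATA), CLIENT_OUTPUT)

if __name__ == "__main__":
    for inv, (ours, theirs) in parallel_simulation().items():
        print(inv, "auditor:", ours, "client:", theirs)
```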

Controlled Reprocessing

Difference

PS - owned by the auditor (GAS/PWP)

CR - copy of client’s program

- But the processing is still separate
