Lesson Four


AUDIT UNDER COMPUTERISED INFORMATION SYSTEM (CIS) ENVIRONMENT


Introduction
Information Technology throughout the world has revolutionised and dramatically changed the manner in which business is conducted today. Computerisation has a significant effect on organisational control, the flow of documents, information processing and so on. Although auditing in a CIS environment has not changed the fundamental nature of auditing, it has definitely caused substantial changes in the methods of evidence collection and evaluation. This also requires auditors to become knowledgeable about the computer environment (hardware, software, etc.) and to keep pace with rapidly changing technology, even to the extent of using sophisticated audit software. Students are advised to study the technical issues relating to Information Technology from the study material of paper

Scope of Audit in a CIS Environment


The impact of computerisation on the audit approach requires consideration of the following factors:

(1) High speed - In a CIS environment information can be generated very quickly. Even complex reports in a specific report format can be generated for audit purposes without much loss of time. This cuts down the time taken, enabling the auditor to extend analytical review to areas that would otherwise receive little coverage. With the high speed of operation, the auditor can expand substantive procedures to collect more evidence in support of the audit judgement.

(2) Low clerical error - Computerised operation being a systematic and sequential programmed course of action, the chance of committing an error is considerably reduced. Clerical error is highly minimised.

(3) Concentration of duties - In a manual environment the auditor needs to deploy separate individuals for carrying out the verification process. In a CIS environment the traditional approach does not apply in many cases, as computer programs perform more than one set of activities at a time, thereby concentrating the duties of several personnel involved in the work.

(4) Shifting of internal control base -

(i) Application systems development control - Systems development controls should be designed to provide reasonable assurance that systems are developed in an authorised and efficient manner, and to establish control over:
a) Testing, conversion, implementation and documentation of new or revised systems.
b) Changes to application systems.
c) Access to system documentation.
d) Acquisition of application systems from third parties.
(ii) Systems software control - Systems software controls are designed to provide reasonable assurance that system software is acquired or developed in an authorised and efficient manner, including:
a) Authorisation, approval, testing, implementation and documentation of new system software and of system software modifications.
b) Restricting access to system software and documentation to authorised personnel.

(5) Disappearance of manual reasonableness - The shift from the traditional manual information processing environment to a computerised information systems environment needs a detailed analysis of the physical system for transformation onto a logical platform. In creating such logical models many stages required under manual operations are either deleted or consolidated to create a focused computer system. In such a creative effort, the manual reasonableness checks may be missing.

(6) Impact of poor system - If system analysis and design fall short of the expected standard of performance, a computerised information system environment may do more harm to integrated business operations than good. Thus, care has to be taken when switching over from manual to computerised operations to ensure that performance quality standards are met.

(7) Exception reporting - This is a part of a management information system. Exception reporting is a departure from straight reporting of all variables. Here the value of a variable is only reported if it lies outside some pre-determined normal range. This form of reporting and analysis is familiar to the accountant. The main strength of exception reporting lies in its recognition that, to be effective, information must be selectively provided.
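The exception-reporting idea above, as an added Python example written for this lesson (it is not part of the lesson text): each variable has a predetermined normal range, and only readings that fall outside their range are reported. The variable names, ranges and monthly readings are constructed sample data; a variable with no agreed range is also reported, since it cannot be judged normal.

```python
"""Exception report: list only values lying outside a predetermined normal range.

Added illustration, not from the lesson. The variables, ranges and readings
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NormalRange:
    low: float
    high: float

    def contains(self, value: float) -> bool:
        return self.low <= value <= self.high


# Predetermined normal ranges, as might be agreed with management (constructed).
NORMAL_RANGES = {
    "debtor_days": NormalRange(30, 60),
    "gross_margin_pct": NormalRange(22.0, 28.0),
    "overtime_hours_pct": NormalRange(0.0, 8.0),
    "failed_logins_per_day": NormalRange(0, 25),
}


def exception_report(readings, ranges=NORMAL_RANGES):
    """Return only the (period, variable, value, low, high) tuples that breach a range.

    `readings` is an iterable of (period, variable, value). A variable with no
    predetermined range is reported with low/high of None: it cannot be judged,
    which is itself something the accountant should see.
    """
    exceptions = []
    for period, variable, value in readings:
        rng = ranges.get(variable)
        if rng is None:
            exceptions.append((period, variable, value, None, None))
        elif not rng.contains(value):
            exceptions.append((period, variable, value, rng.low, rng.high))
    return exceptions


# Constructed monthly readings; straight reporting would list all eight lines.
SAMPLE_READINGS = [
    ("2024-01", "debtor_days", 45),
    ("2024-01", "gross_margin_pct", 24.5),
    ("2024-01", "overtime_hours_pct", 11.2),    # above normal: reported
    ("2024-01", "failed_logins_per_day", 3),
    ("2024-02", "debtor_days", 71),             # above normal: reported
    ("2024-02", "gross_margin_pct", 19.0),      # below normal: reported
    ("2024-02", "failed_logins_per_day", 140),  # above normal: reported
    ("2024-02", "stock_turnover", 6.1),         # no range defined: reported
]


if __name__ == "__main__":
    for period, var, val, low, high in exception_report(SAMPLE_READINGS):
        bounds = "no range defined" if low is None else f"normal {low}-{high}"
        print(f"{period} {var:<24}{val:>8}  ({bounds})")
```

Of the eight readings only five reach the report; the three within range are suppressed, which is the selectivity the paragraph describes.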

(8) Man-machine interface / human-computer interaction -

The man-machine interface ensures maximum effectiveness of the information system. Organisations concentrate on presenting only the information that the user requires, and on presenting it in the most uncluttered way. What information is necessary is determined through a careful analysis of the job or task for which the user needs the information.

Human-computer interaction is a discipline concerned with the design, evaluation and implementation of interactive computing systems for human use and with the study of the major phenomena surrounding them. The approach is user-centred and integrates knowledge from a wide range of disciplines.

Impact of Changes on Business Processes (For Shifting From Manual to Electronic Medium)
The effect of changes on the accounting process may be stated as under:
Primary Changes
(1) Process of recording transactions - The process of recording transactions undergoes a major change when accounting processes are computerised under a CIS environment: the order of recording transactions from basic document to prime books and finally to principal book may not be followed strictly in sequential form as observed in a manual system. In many cases all three processes, Prime Book of Entry → Ledger → Final Accounts (Balance Sheet and Profit and Loss Account), are carried on simultaneously.

(2) Form of accounting records - Mechanisation often results in the abandonment, in whole or in part, of the primary records. A punch card installation or electronic data processor changes the form of both intermediate and ultimate records much more radically than manual records.

(3) Use of loose-leaf stationery - Bound handwritten records as used in manual accounting processes are replaced by loose-leaf machine-written records in the electronic medium. In a computerised information system, magnetic tapes, floppy disks, diskettes and printouts replace the traditional records. This necessarily requires proper control over such records to prevent their unauthorised use, destruction or substitution.

(4) Use of accounting codes - In computerised information systems, alpha-numeric codes are extensively used to represent names and descriptions. Accountants as well as auditors have to familiarise themselves with the use of such codes, which initially may pose considerable problems in understanding the various transactions.

(5) Absence of link between transactions - In a computerised information system environment, there may be an inadequacy or even total absence of cross-references between the basic documents, the primary records and the principal records. This creates special problems for the auditors. The auditors may find it difficult to trace a transaction from start to finish, thereby raising a doubt in their mind as to the loss of the audit trail.

Recent Changes
Growth and development in the field of information technology is fast paced, and unless auditors are alert to such developments and take pre-emptive action to upgrade their knowledge, they may find difficulty in coping with such advancement.

Following are a few instances of recent changes which auditors may need to address in discharging their responsibilities in such an environment:
a. Mainframes are being substituted by mini/micro computers.
b. There is a shift from proprietary operating systems to more universal ones like UNIX and LINUX, programming in 'C', etc.
c. Relational Database Management Systems (RDBMS) are increasingly being used.
d. The methodology adopted for systems development is becoming crucial, and CASE (Computer Aided Software Engineering) tools are being used by many organisations.
e. End-user computing is on the increase, resulting in decentralised data processing.
f. The need for data communication and networking is increasing.
g. Common business documents are being replaced by paperless electronic data interchange (EDI).
h. Conventional data entry is giving way to scanners, digitised image processing, voice recognition systems, etc.

The impact of all such changes on auditing may be summarised as:
a) Wide-spread end-user computing may result in unintentional errors creeping into systems owing to inept handling. Also, coordinated program modification may not be possible.
b) Improper use of decision support systems can have serious repercussions. Also, their underlying assumptions must be clearly documented.
c) Usage of sophisticated audit software would be a necessity.
d) Auditors' non-participation at the System Development Life Cycle (SDLC) stage poses considerable problems in understanding the operational controls.
e) Data communication and networking would introduce new audit risks.
f) The move toward paperless EDI would eliminate much of the traditional audit trail, radically changing the nature of audit trails.

Audit Approach in a CIS Environment


Based on the knowledge and expertise of auditors in handling computerised data, the audit approach in a CIS environment could be either:
a) A Black-box approach, i.e., auditing around the computer, or
b) A White-box approach, i.e., auditing through the computer.

a. The Black Box Approach


[Figure: Auditing around the computer. The auditor's predetermined output is compared with the client output.]
In the Black-box approach, or auditing around the computer, the auditor concentrates on input and output and ignores the specifics of how the computer processes the data or transactions. If the input matches the output, the auditor assumes that the processing of the transactions/data must have been correct.
In testing, say, a payroll application, the auditor might first examine selected time cards for hours worked and employee earnings cards for rates, then trace these to the payroll summary output, and finally compare hours, rates and extensions. The comparison of inputs and outputs may be done manually or with the assistance of the computer. The computer-assisted approach has the advantage of permitting the auditor to make more comparisons than would be possible if done manually. Auditing around the computer has the advantage of ease of comprehension, as the tracing of documents to output does not require any in-depth study of the application program. A major disadvantage, however, is that the auditor, not having directly tested the controls, cannot make assertions about the underlying process. Moreover, in some of the more complex computer systems intermediate printouts may not be available for making the needed comparisons.
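The payroll test just described, as an added Python example written for this lesson (not code from the lesson): the auditor recomputes each employee's pay from the time cards and rate cards selected for testing, producing a predetermined output, and compares it with the client's payroll summary without looking at the client's program. The time cards, rate cards, client output and employee numbers are constructed; the three kinds of finding (different amount, employee missing from output, employee in output with no input documents) are the cases such a comparison must surface.

```python
"""Auditing around the computer: recompute payroll from input documents and
compare with the client's output, without examining the program.

Added illustration, not from the lesson. Time cards, rate cards and the
client's payroll summary below are constructed sample data.
"""
from decimal import Decimal, ROUND_HALF_UP

# Input documents selected by the auditor (constructed): hours and hourly rates.
TIME_CARDS = {"E101": Decimal("40"), "E102": Decimal("45.5"),
              "E103": Decimal("38"), "E104": Decimal("40")}
RATE_CARDS = {"E101": Decimal("18.00"), "E102": Decimal("22.50"),
              "E103": Decimal("18.00"), "E104": Decimal("30.00")}

# Client's payroll summary output (constructed): E102 is overstated by 100.00,
# E104 is missing from the output, and E105 appears without any input documents.
CLIENT_OUTPUT = {"E101": Decimal("720.00"), "E102": Decimal("1123.75"),
                 "E103": Decimal("684.00"), "E105": Decimal("500.00")}

CENT = Decimal("0.01")


def predetermined_output(time_cards, rate_cards):
    """Auditor's own extension: hours x rate per employee, rounded to cents."""
    return {emp: (hours * rate_cards[emp]).quantize(CENT, rounding=ROUND_HALF_UP)
            for emp, hours in time_cards.items()}


def compare_outputs(expected, actual):
    """Return (employee, expected, actual, finding) for every difference.

    Employees present on one side only are reported too: an output line with
    no input document is exactly what a black-box comparison must surface.
    """
    findings = []
    for emp in sorted(set(expected) | set(actual)):
        exp, act = expected.get(emp), actual.get(emp)
        if exp is None:
            findings.append((emp, None, act, "in client output but no input documents"))
        elif act is None:
            findings.append((emp, exp, None, "input documents but missing from client output"))
        elif exp != act:
            findings.append((emp, exp, act, f"difference {act - exp}"))
    return findings


def black_box_test(time_cards=TIME_CARDS, rate_cards=RATE_CARDS, client_output=CLIENT_OUTPUT):
    """The whole test: predetermined output versus client output."""
    return compare_outputs(predetermined_output(time_cards, rate_cards), client_output)


if __name__ == "__main__":
    for emp, exp, act, note in black_box_test():
        print(f"{emp}: expected={exp} client={act} -> {note}")
```

Decimal arithmetic is used so that the auditor's recomputation rounds the way a payroll ledger does; a float recomputation could report spurious cent differences that are rounding noise rather than processing errors.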

b. The White Box Approach

[Figure: Auditing through the computer. The auditor's input is processed by the CPU, and the client output is compared with the predetermined output.]
Under this approach not only are the processes and controls surrounding the subject matter audited, but the processing controls operating over those processes are also investigated. To help the auditor gain access to these processes, computer audit software may be used. These packages may typically contain:
i. Interactive enquiry facilities to interrogate files.
ii. Facilities to analyse computer security logs for unusual usage of the computer.
iii. The ability to compare source and object (compiled) program codes in order to detect dissimilarities.
iv. The facility to execute and observe the computer's treatment of "live transactions" by moving through the processing as it occurs.
v. The generation of test data.
vi. The generation of aids showing the logic of application programs.
The actual controls and the higher-level controls will be evaluated and then subjected to compliance testing and, if necessary, substantive testing before an audit report is produced.
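Item ii above, analysing security logs for unusual usage, as an added Python example written for this lesson (not from the lesson or any particular audit package): a small parser reads logon and program-run records and flags after-hours logons, repeated failed logons by one user, and use of privileged utilities by staff outside the operations group. The log format, user names, utility names, business hours and thresholds are all constructed assumptions.

```python
"""Analyse computer security logs for unusual usage, as an audit software
package might. Added illustration, not from the lesson; the log format, log
lines, user names and thresholds are constructed.

Flags: logons outside business hours, repeated failed logons from one user,
and use of privileged utilities by non-operations staff.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed log format: "<date> <time> <user> <event> [<detail>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<user>\w+) (?P<event>LOGON_OK|LOGON_FAIL|RUN) ?(?P<detail>.*)$")

BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59 (assumption)
FAILED_LOGON_THRESHOLD = 3             # assumption
PRIVILEGED_UTILITIES = {"FILEPATCH", "DBFIX"}   # constructed utility names
OPERATIONS_STAFF = {"ops1"}            # constructed

SAMPLE_LOG = """\
2024-03-04 08:55:10 clerk1 LOGON_OK
2024-03-04 09:02:31 clerk2 LOGON_FAIL
2024-03-04 09:02:40 clerk2 LOGON_FAIL
2024-03-04 09:02:52 clerk2 LOGON_FAIL
2024-03-04 09:03:05 clerk2 LOGON_OK
2024-03-04 17:40:00 ops1 RUN FILEPATCH payroll.master
2024-03-04 23:12:44 clerk1 LOGON_OK
2024-03-04 23:15:02 clerk1 RUN DBFIX payroll.master
"""


def parse_log(text):
    """Return (timestamp, user, event, detail) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            records.append((ts, m["user"], m["event"], m["detail"]))
    return records


def unusual_usage(records):
    """Return (finding, user, evidence) tuples for the three patterns checked."""
    findings = []
    failed = Counter()
    for ts, user, event, detail in records:
        if event == "LOGON_OK" and ts.hour not in BUSINESS_HOURS:
            findings.append(("after-hours logon", user, ts.isoformat()))
        elif event == "LOGON_FAIL":
            failed[user] += 1
        elif event == "RUN":
            utility = detail.split()[0] if detail else ""
            if utility in PRIVILEGED_UTILITIES and user not in OPERATIONS_STAFF:
                findings.append(("privileged utility by non-operations user", user, detail))
    for user, n in failed.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("repeated failed logons", user, f"{n} failures"))
    return findings


def analyse(text=SAMPLE_LOG):
    return unusual_usage(parse_log(text))


if __name__ == "__main__":
    for finding, user, evidence in analyse():
        print(f"{finding:<42} {user:<8} {evidence}")
```

The same run of FILEPATCH by an operations user produces no finding, while DBFIX run by a clerk at night does: the check is about who used what and when, which is the evidence the auditor follows up with management rather than a verdict on its own.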

It is obvious that to follow this approach the auditor needs to have sufficient knowledge of computers to plan, direct, supervise and review the work performed.
The areas covered in an audit will concentrate on the following controls:
(1) Input controls,
(2) Processing controls,
(3) Storage controls,
(4) Output controls and
(5) Data transmission controls.
The auditor will also need to be satisfied that there are adequate controls over the prevention of unauthorised access to the computer and the computerised database. The auditor's task will also involve consideration of the separation of functions between staff involved in transaction processing and the computerised system, and ensuring that adequate supervision of personnel is administered.
The process of auditing is not a straightforward flow of work from start to finish to be completed by satisfying oneself against a standard checklist or a list of questions. It involves exposure, experience and the application of knowledge and expertise to differing circumstances.
No two information systems are the same. From the viewpoint of analysis of a computerised information system, auditors not only need adequate knowledge of information requirements and computer data security, they must also be exposed to systems analysis and design so as to facilitate post-implementation audit.
Types of Computer Systems
There is a large variety of computer systems applicable to accounting and other types of information processing. The nature and type of system affect the various types of controls needed for its efficient and effective functioning. Computer systems may be broadly classified under:
1. System configuration, and
2. Processing systems.

SYSTEMS CONFIGURATION
System configuration may be classified as:

(1) Large system computers - In large system computers, the processing tasks of multiple users are performed on a single centralised computer, i.e., all inputs move directly from the terminals to the central processor and after processing go back to the users from the central processor. All the terminals in these systems were called 'dumb terminals', as they were not capable of processing data on their own and merely served as input/output terminals. With time, these systems have become more efficient and sophisticated. In many instances dumb terminals have given way to intelligent terminals, i.e., terminals allowing data processing at the local level.

(2) Stand-alone personal computers - A stand-alone system is one that is not connected to and does not communicate with another computer system. Computing is done by one individual at a time. All input of data and its processing takes place on the machine itself. Many small businesses rely on personal computers for all their accounting functions.

(3) Network computing system - A network is a group of interconnected systems sharing services and interacting through shared communication links. All networks have something to share, a transmission medium and rules for communication. Networks share hardware and software resources. Hardware resources include:
i. Servers (client-server) - A server in a network is dedicated to performing specific tasks to support other computers on the network. Common types of servers are:
a) File server - File servers are the network applications that store, retrieve and move data.
b) Database server - Most databases are client-server based. Database servers provide a powerful facility to process data.
c) Message server - Message servers provide a variety of communication methods, taking forms such as graphics and digitised audio/video.
d) Print server - A print server manages print services on the network.
Software resource sharing provides a facility to share information in the organisation.

Networks can also be classified on the basis of the area covered:

(1) Local area network - In a local area network (LAN), two or more computers located within a small, well-defined area such as a room, office or campus are connected through cables. One of the computers acts as the server; it stores the program and data files centrally. These programs and data files can be accessed by the other computers forming part of the LAN. LANs provide the additional advantage of sharing programs, data and physical resources like hard disks and peripherals.

(2) Wide area network - Networks that employ public telecommunications facilities to provide users with access to the resources of centrally located computers. A WAN uses the public switched telephone network, high-speed fibre optic cable, radio links or the internet. When a LAN extends into the metropolitan area using WAN technology, it is called a Metropolitan Area Network (MAN).
A WAN uses modems to connect computers over telephone lines (PSTN). The PSTN transfers analog signals, so public telephone systems are not by themselves appropriate for connecting computers. Modems are used to convert analog signals into digital and vice versa.

(3) Distributed data processing - The term has been used to cover many varieties of computer system. It consists of hardware located at two or more geographically distinct sites, connected electronically by telecommunications, where processing and data storage occur at two or more of the sites. The main computer and the decentralised units communicate via communication links. A more integrated connection occurs with 'cooperative processing', where processing is handled by two cooperating, geographically distinct processors. One processor sends the output of its processing to the other for completion. The system becomes more complex where the operating systems of the two machines are different; a cooperative operating system may be required in such a situation.

(4) Electronic data interchange (EDI) - EDI can be defined as:
The transfer of electronic data from one organisation's computer system to another's, the data being structured in a commonly agreed format so that it is directly usable by the receiving organisation's computer system.
EDI may be introduced where a group of organisations wish to ensure that electronic transactions are passed between one another. EDI groups require EDI services in order to effect the data exchanges. These are often provided by a third party who does more than merely transmit the data. By providing these services the third party adds value to the data transmission and is thus called a value added network (VAN). The following benefits accrue under EDI systems:
a. The time taken to process an inter-organisational transaction is minimised.
b. The paperwork involved in transaction processing is eliminated.
c. The costs of transaction processing are reduced, as much of the need for human interpretation and processing is removed.
d. Reduced human involvement reduces error.
PROCESSING SYSTEMS
Transaction processing systems include:
(1) Batch processing - Under batch processing a large volume of homogeneous transactions is aggregated and processed periodically. There are four steps in batch processing:
(a) Occurrence of transaction - The occurrence of a business event is recorded in a source document.
(b) Recording in a transaction file - A batch of source documents is periodically transferred to the data entry operator, who extracts the information from the source documents and enters it into the computer format. Data entry is usually done off-line. The computerised format is the transaction file to be processed in the system. Once the data entry is done, the records entered are confirmed against the source documents. Once the records are checked, the source documents are stored separately for future reference.
(c) Updating of master file - After all the data is entered into the system and it is processed and summarised, the master files are updated.
(d) Generation of output - After processing and master file updating, the reports, as required, are periodically generated.
Batch processing systems are used for processing large volumes of repetitive transactions where control considerations and efficient utilisation of computing capacity are important.
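The four batch processing steps, carried through in one added Python example written for this lesson (not part of the lesson text): a batch of constructed source documents is keyed into a transaction file; the keyed batch is confirmed against the source documents using batch control totals (record count, amount total and a hash total of the account codes; the lesson only says the records are "confirmed with the source document", so these particular controls are an assumption); the master file is updated; and an output report is generated. Every record carries its source document number so that a transaction can be traced from source document to ledger, which is the cross-reference the earlier paragraph on absence of links between transactions says is often missing.

```python
"""Batch processing run with batch control totals. Added illustration, not from
the lesson; source documents, account codes and the master file are constructed.

Steps follow the lesson: (a) source documents, (b) keyed transaction file
confirmed against the source documents, (c) master file update, (d) output report.
"""
from dataclasses import dataclass


@dataclass
class SourceDocument:
    doc_no: str      # reference carried into every record: the audit trail link
    account: str     # constructed account code, letter followed by digits
    amount: int      # in cents


@dataclass
class ControlTotals:
    record_count: int
    amount_total: int
    hash_total: int  # sum of the numeric part of the account codes: meaningless as
                     # a number, but it changes if a record is keyed to the wrong account


def control_totals(docs):
    return ControlTotals(len(docs), sum(d.amount for d in docs),
                         sum(int(d.account[1:]) for d in docs))


def batch_is_valid(docs, keyed):
    """Step (b) check: the keyed batch must reproduce the source documents' control totals."""
    return control_totals(docs) == control_totals(keyed)


def key_transaction_file(docs, keyed):
    """Step (b): build the transaction file, rejecting the batch if the totals disagree."""
    if not batch_is_valid(docs, keyed):
        raise ValueError(f"batch rejected: source {control_totals(docs)} != keyed {control_totals(keyed)}")
    return [(d.doc_no, d.account, d.amount) for d in keyed]


def update_master(master, transactions):
    """Step (c): post the transaction file; unknown accounts go to a suspense list, not the ledger."""
    master = dict(master)          # the original master file is left untouched
    suspense = []
    for doc_no, account, amount in transactions:
        if account in master:
            master[account] += amount
        else:
            suspense.append((doc_no, account, amount))
    return master, suspense


def run_batch(master, docs, keyed):
    """Steps (b) to (d): returns the updated master, the suspense items and the output report."""
    transactions = key_transaction_file(docs, keyed)
    new_master, suspense = update_master(master, transactions)
    report = {"posted": len(transactions) - len(suspense),
              "suspense": len(suspense), "balances": new_master}
    return new_master, suspense, report


# Constructed sample batch.
SOURCE_DOCS = [SourceDocument("INV-001", "A1001", 25000),
               SourceDocument("INV-002", "A1002", 7500),
               SourceDocument("INV-003", "A1009", 1200)]
# The operator keyed the batch correctly ...
KEYED_OK = list(SOURCE_DOCS)
# ... or transposed digits in one amount (7500 -> 5700), which the amount total catches.
KEYED_BAD = [SOURCE_DOCS[0], SourceDocument("INV-002", "A1002", 5700), SOURCE_DOCS[2]]
MASTER = {"A1001": 100000, "A1002": 0}


if __name__ == "__main__":
    _, suspense, report = run_batch(MASTER, SOURCE_DOCS, KEYED_OK)
    print(report, suspense)
    print("bad batch accepted?", batch_is_valid(SOURCE_DOCS, KEYED_BAD))
```

The suspense list is deliberate: a record for an account that does not exist on the master file (INV-003 here) must not silently vanish, because the control totals were agreed on the full batch and the output report has to account for every record in it.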

(2) On-line processing system - On-line processing refers to the processing of individual transactions as they occur, from their point of origin, as opposed to accumulating them into batches. This is made possible by direct access devices such as magnetic disks and a number of terminals connected to and controlled by a central processor. In this way, various departments in a company can be connected to the processor by cables.
Apart from transaction processing and file updating, inquiries are also handled by the on-line processing system. On-line processing ensures that the records are in an updated status at any time, whereas this is not so with batch processing; but the fact remains that on-line processing is costly.

(3) Interactive processing - Under this processing mode, a continuous dialogue exists between the user and the computer. It is also called 'transaction driven' processing, as each transaction is dealt with completely, on an individual basis, through all the relevant processing operations before the next transaction is dealt with, and enquiries are dealt with on an immediate-response basis.

(4) On-line real time processing - The term 'real time' refers to the technique of updating files with transaction data immediately after the occurrence of the event. A real time system is basically an on-line system with one speciality: enquiry processing. The response of the system to the enquiry itself is used to control the activity, so the response of a real time system is a type of feedback control. The response time would naturally differ from one activity to another. Real time systems usually operate with multi-programming and multi-processing. This increases both the availability and the reliability of the system. CPUs in real time systems should possess the capability of 'program interrupts'. These are temporary halts in the execution of a program so that a more urgent message can be handled on priority. Some computer systems are dedicated to real time operations and others are designed to operate in both batch and real time modes, so that they can also serve as standby units for each other.

(5) Time sharing - A time-sharing system allows access to a CPU and files through many remote terminals. Multiprogramming is the method of implementing time-shared operations. In transaction processing, time sharing occurs when a computer processes the transactions of more than one entity.

(6) Service bureau - A service bureau is a company that processes transactions for other entities. Such units may handle the computer processing for small companies that singly do not have sufficient transactions to justify the acquisition of a computer.

Advanced processing systems further include:

(a) Decision Support System - A Decision Support System (DSS) can be defined as a system that provides tools to managers to assist them in solving semi-structured and unstructured problems. A DSS is not intended to make decisions for managers, but rather to provide managers with a set of capabilities that enables them to generate the information they require for decision making. In other words, a DSS supports the human decision-making process rather than providing a means to replace it.
Decision-support systems are characterised by the following:
i. They support semi-structured or unstructured decision making,
ii. They are flexible enough to respond to the changing needs of decision makers, and
iii. They are easy to operate.

A decision-support system has four basic components:
i. The users - managers at any given level of authority in the organisation.
ii. Databases - containing both routine and non-routine data from both internal and external sources.
iii. Planning languages - general purpose planning languages like spreadsheets, and special purpose planning languages such as SAS, SPSS, etc.
iv. Model base - the model base is the 'brain' of the decision support system, because it performs data manipulations and computations with the data provided by the user and the database.
(b) Expert System - An expert system is a computerised information system that allows non-experts to make decisions comparable to those of an expert. Expert systems are used for complex or ill-structured tasks that require experience and special knowledge in specific subject areas.
An expert system typically contains:

(i) Knowledge base - This includes the data, knowledge, relationships, rules of thumb and decision rules used by experts to solve a particular type of problem. A knowledge base is the computer equivalent of all the knowledge and insight that an expert or a group of experts develop through years of experience in their field.
(ii) Inference engine - This program contains the logic and reasoning mechanisms that simulate the expert's reasoning process and deliver advice. It uses data obtained from both the knowledge base and the user to make associations and inferences, forms its conclusion and recommends a course of action.

(iii) User interface - This program allows the user to design, create, update, use and communicate with the expert system.

(iv) Explanation facility - This facility provides the user with an explanation of the logic the expert system used to arrive at its conclusion.

(v) Knowledge acquisition facility - Building a knowledge base (also called knowledge engineering) involves both a human expert and a knowledge engineer. The knowledge engineer is responsible for extracting an individual's expertise and using the knowledge acquisition facility to enter it into the knowledge base.
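The components (i), (ii) and (iv) above, as an added Python example written for this lesson (not from the lesson): a knowledge base of rules, a forward-chaining inference engine that keeps firing rules until nothing new can be derived, and an explanation facility that lists the rules that fired. The subject matter of the rules (advice on a customer's credit limit from overdue invoices, years as a customer and disputed items) and the rule names are constructed; the user-supplied facts stand in for the user interface.

```python
"""A minimal rule-based expert system: knowledge base of rules, a forward-chaining
inference engine, and an explanation facility that reports which rules fired.

Added illustration, not from the lesson; the rules (credit-limit advice for a
customer account) and their names are constructed.
"""

# Knowledge base: (rule name, conditions that must all hold, fact to assert).
# Conditions are simple numeric tests on user-supplied fields or derived facts.
RULES = [
    ("R1", {"overdue_invoices >= 3"}, "payment_history_poor"),
    ("R2", {"years_as_customer >= 5", "disputed_items == 0"}, "relationship_established"),
    ("R3", {"payment_history_poor"}, "advice: reduce credit limit"),
    ("R4", {"relationship_established", "overdue_invoices < 3"}, "advice: increase credit limit"),
]


def evaluate_condition(cond, facts):
    """A condition is either a derived fact name or '<field> <op> <number>'."""
    for op in (">=", "<=", "==", ">", "<"):
        if f" {op} " in cond:
            field, value = cond.split(f" {op} ")
            if field not in facts:
                return False           # unknown data never satisfies a test
            left, right = facts[field], float(value)
            return {">=": left >= right, "<=": left <= right, "==": left == right,
                    ">": left > right, "<": left < right}[op]
    return cond in facts


def infer(user_facts, rules=RULES):
    """Forward chaining: fire every rule whose conditions hold until nothing new is derived.

    `user_facts` maps field -> number for the data the user supplies; derived
    facts are added as keys with value True. Returns (facts, trace), where the
    trace records each rule that fired, in order, for the explanation facility.
    """
    facts = dict(user_facts)
    trace = []
    changed = True
    while changed:
        changed = False
        for name, conditions, conclusion in rules:
            if conclusion in facts:
                continue               # already derived: do not fire twice
            if all(evaluate_condition(c, facts) for c in conditions):
                facts[conclusion] = True
                trace.append((name, sorted(conditions), conclusion))
                changed = True
    return facts, trace


def advice(user_facts):
    """The recommendations the engine reached for one customer."""
    facts, _ = infer(user_facts)
    return sorted(f for f in facts if f.startswith("advice:"))


def explain(user_facts):
    """Explanation facility: one line per rule that fired, in the order it fired."""
    _, trace = infer(user_facts)
    return [f"{name}: because {' and '.join(conds)} -> {concl}" for name, conds, concl in trace]


if __name__ == "__main__":
    customer = {"overdue_invoices": 4, "years_as_customer": 6, "disputed_items": 0}
    print(advice(customer))
    print("\n".join(explain(customer)))
```

Rule R4 tests the raw field (`overdue_invoices < 3`) rather than "not payment_history_poor" on purpose: testing for the absence of a derived fact is unsound in forward chaining, because the fact may simply not have been derived yet when the rule is examined.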

(7) Integrated File System - These systems update many files simultaneously as a transaction is processed. Processing of a sales order updates the accounts receivable control account, the related subsidiary ledger, and the sales control and sales detail accounts, all as the sales order is processed.
An integrated database system contains a set of interrelated master files that are integrated in order to reduce data redundancy. The software used to control input, processing and output is referred to as a Database Management System (DBMS), which handles the storage, retrieval, updating and maintenance of the data in the database. Integrated files are most commonly associated with OLRT (on-line real time) systems and pose the greatest challenge to auditors. Controls within these systems are harder to test and assess due to the danger of file destruction.
Files may be physically stored on disk in the following ways:
- 'Sequential': records are physically ordered by some field (e.g., employee number).
- 'Random': records are stored at a physical address computed by an algorithm working on a field value.
- 'Indexed': records are physically stored randomly, with a sequentially ordered index field (e.g. by customer) and a pointer to the physical location of each record.
- 'Indexed Sequential': records are physically stored sequentially, ordered by some field, together with an index which provides access by some possibly other field.
If files are required to be processed sequentially, then they may be stored sequentially. The sequential update of an employee master file by time sheet data is an example. However, if individual records are required to be accessed from time to time by some field, e.g. employee name, then one of the other storage methods may be used.
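The storage methods above, as an added Python example written for this lesson (not from the lesson): the same employee master file is accessed by a sequential scan, by a computed (hashed) address, and through an index on employee name over the sequentially stored data, which is the 'Indexed Sequential' arrangement. The employee records, the hashing rule (employee number modulo a constructed bucket count) and the bucket count are assumptions; the point is how much of the file each method has to read.

```python
"""Three ways of locating a record on a stored file: sequential scan, random
(hashed) address, and an index over sequentially stored data. Added
illustration, not from the lesson; the employee records and the hashing rule
are constructed.
"""

# Employee master file, physically stored in employee-number order (constructed).
SEQUENTIAL_FILE = [
    (1001, "Anand"), (1004, "Bose"), (1010, "Chatterjee"), (1023, "Das"), (1031, "Ghosh"),
]


def sequential_lookup(records, employee_number):
    """Read records in physical order until the key is found or passed.

    Returns (record, records_read). The cost grows with the file, which is why
    sequential files suit batch runs that touch every record anyway.
    """
    for i, rec in enumerate(records, start=1):
        if rec[0] == employee_number:
            return rec, i
        if rec[0] > employee_number:     # ordered file: the key cannot appear later
            return None, i
    return None, len(records)


BUCKETS = 7                               # constructed size of the random file


def hash_address(employee_number):
    """Random organisation: the physical address is computed from the key field."""
    return employee_number % BUCKETS


def build_random_file(records):
    """Store each record at its computed address; colliding keys are chained in the bucket."""
    slots = [[] for _ in range(BUCKETS)]
    for rec in records:
        slots[hash_address(rec[0])].append(rec)
    return slots


def random_lookup(slots, employee_number):
    """One address computation, then a scan of the (short) bucket."""
    for rec in slots[hash_address(employee_number)]:
        if rec[0] == employee_number:
            return rec
    return None


def build_index(records, field=1):
    """Index over a sequential file: sorted (field value, physical position) pairs.

    The data stays in employee-number order; the index gives access by name.
    """
    return sorted((rec[field], pos) for pos, rec in enumerate(records))


def indexed_lookup(records, index, name):
    """Binary-search the index, then one direct read of the data record."""
    lo, hi = 0, len(index)
    while lo < hi:
        mid = (lo + hi) // 2
        if index[mid][0] < name:
            lo = mid + 1
        else:
            hi = mid
    if lo < len(index) and index[lo][0] == name:
        return records[index[lo][1]]
    return None


if __name__ == "__main__":
    print(sequential_lookup(SEQUENTIAL_FILE, 1023))
    slots = build_random_file(SEQUENTIAL_FILE)
    print(random_lookup(slots, 1031), "bucket shared with", slots[hash_address(1031)])
    print(indexed_lookup(SEQUENTIAL_FILE, build_index(SEQUENTIAL_FILE), "Ghosh"))
```

With seven buckets, employee numbers 1010 and 1031 hash to the same address, so the random file has to chain them; a hashing rule that spreads keys badly degrades toward the sequential scan, which is why the algorithm working on the field value matters as much as the idea.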

Effect of Computers on Internal Controls


Internal control systems include separation of duties, delegation of authority and responsibility, a system of authorisation, adequate documents and records, physical control over assets and records, management supervision, independent checks on performance and periodic reconciliation of assets with records. In a CIS environment all these components must exist, but computers affect the implementation of these internal controls in many ways. Some of the effects are as under:

(1) Separation of Duties - The manual-system practice of making different persons responsible for functions like initiating and recording transactions and safeguarding assets does not always apply in a computer system. For example, in a computer system a program may carry out the reconciliation of vendor invoices against receipt documents and also prepare the cheques payable to creditors. Such an operation through a program would be considered a combination of incompatible functions in a manual system.
In minicomputer and microcomputer environments, separation of incompatible functions can be even more difficult. Some such systems allow users to change programs and data without providing a record of these changes. Thus it becomes difficult to determine whether incompatible functions have been performed by system users.
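A check for the situation described above, as an added Python example written for this lesson (not from the lesson): because the incompatible functions in a computer system sit in one user's access profile or in one program rather than with separate people, the check is run over the system's recorded access rights rather than over the organisation chart. The function names, the list of incompatible pairs, the user profiles and the program name are constructed; a program holding both halves of a pair (like the invoice reconciliation plus cheque preparation in the text) is reported so that the auditor reviews the compensating controls over that program's development and modification.

```python
"""Separation-of-duties check over a computer system's access rights. Added
illustration, not from the lesson; the function names, conflict rules, user
profiles and program name are constructed.
"""
from itertools import combinations

# Pairs of functions that one user, or one unsupervised program, should not hold together.
INCOMPATIBLE = {
    frozenset({"approve_vendor_invoice", "issue_payment"}),
    frozenset({"maintain_vendor_master", "issue_payment"}),
    frozenset({"change_program", "run_production"}),
    frozenset({"enter_transaction", "modify_audit_log"}),
}

# Access rights as recorded by the system (constructed). Programs appear as
# principals too, since a program can combine functions just as a user can.
USER_RIGHTS = {
    "clerk1": {"enter_transaction", "print_reports"},
    "payables1": {"approve_vendor_invoice", "issue_payment"},        # conflict
    "dev1": {"change_program", "run_production", "print_reports"},   # conflict
    "ops1": {"run_production"},
    "PAYRUN_PROGRAM": {"approve_vendor_invoice", "issue_payment"},   # program holding both
}


def conflicts_for(rights):
    """Return the sorted list of incompatible pairs present in one set of rights."""
    found = [pair for pair in (frozenset(p) for p in combinations(sorted(rights), 2))
             if pair in INCOMPATIBLE]
    return sorted(tuple(sorted(p)) for p in found)


def has_conflict(rights):
    return bool(conflicts_for(rights))


def sod_report(user_rights=USER_RIGHTS):
    """Map each principal holding a conflict to the pairs it holds; clean principals are omitted."""
    report = {}
    for principal, rights in user_rights.items():
        pairs = conflicts_for(rights)
        if pairs:
            report[principal] = pairs
    return report


if __name__ == "__main__":
    for principal, pairs in sod_report().items():
        for a, b in pairs:
            print(f"{principal}: holds both '{a}' and '{b}'")
```

The report deliberately does not say whether a flagged combination is acceptable. For a user it usually is not; for a program it may be, provided the controls over program change and operation that the later sections of this lesson describe are in place, and that is the judgement the auditor makes from the list.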

(2) Delegation of Authority and Responsibility - A structured line of authority and responsibility is an essential control within both manual and computer environments. In a computer system, however, a clear line of authority and responsibility might be difficult to establish because some resources are shared among multiple users. For instance, one objective of using a database management system is to provide multiple users with access to the same data, thereby reducing the control problems that arise from maintaining redundant data. When multiple users have access to the same data and the integrity of the data is somehow violated, it is not always easy to trace who is responsible for corrupting the data and who is responsible for identifying and correcting the error. Some organisations identify a single user as the owner of the data.

(3) Competent and Trustworthy Personnel - Skilled, competent, well-trained and experienced information system personnel have been in short supply. Since substantial power is often vested in the persons responsible for computer information system development, implementation, operation and maintenance within the organisation, competent and trustworthy personnel are very much in demand. Unfortunately, the non-availability of competent personnel has forced many organisations to compromise on their choice of staff.
Moreover, it is not always easy for organisations to assess the competence and integrity of their systems staff. High turnover among such staff has been the norm. Some information systems personnel lack a well-developed sense of ethics, and some enjoy subverting controls.

(4) System of Authorisation - Management authorisation of transactions may be either:
a) General authorisation, establishing policies for the organisation, or
b) Specific authorisation, applying to individual transactions.
In a manual system, auditors evaluate the adequacy of procedures for authorisation by examining the work of employees. In a computer system, authorisation procedures are often embedded within a computer program. In a computer system it is also more difficult to assess whether the authority assigned to individual persons is consistent with management's policies. Thus, in evaluating the adequacy of authorisation procedures, auditors have to examine not only the work of employees but also the validity of the program processing.

(5) Adequate Documents and Records - In a manual system, adequate documents and records are required to provide an audit trail of activities within the system. In a computer system, document support might not be necessary to initiate, execute and record some transactions. The lack of a visible audit trail is not a problem for auditors, provided the systems have been designed to maintain a record of all events and that record is easily accessible. In well-designed computer systems, audit trails are more extensive than those maintained in manual systems; unfortunately, not all computer systems are well designed. This creates a serious control problem.

(6) Physical Control over Assets and Records - Physical control over access to assets and records is critical in both manual and computer systems. In a computer system the information system assets and records may be concentrated at a single site. The concentration of information system assets and records also increases the losses that can arise from computer abuse or disaster. If the organisation does not have another suitable backup, it might be unable to continue operations.

(7) Adequate Management Supervision - In a computer system, supervision of
employees might have to be carried out remotely. Supervisory controls must be built into
the computer system to compensate for the controls that usually can be exercised through
observation and inquiry. Computer systems also make the activities of employees less
visible to management. Because many activities are electronically controlled, managers
must periodically access the audit trail of employee activities and examine it for
unauthorised actions.

(8) Independent Checks on Performance - Checks by an independent person help to
detect errors or irregularities. In a computer system, if the program code is authorised,
accurate and complete, the system will always follow the laid-down procedures in the
absence of other types of failure, such as hardware or system software failure. Thus,
independent checks on the performance of programs often have little value. Instead, the
control emphasis shifts to ensuring the veracity of the program code. Auditors must now
evaluate the controls established for program development, modification, operation and
maintenance.

(9) Comparing Recorded Accountability with Assets - In a manual system,
independent staff prepare the basic data used for comparison purposes. In a computer
system, software is used to prepare this data. If unauthorised modifications are made to
the program or to the data files that the program uses, an irregularity might not be
discovered, because the traditional separation of duties no longer applies to the data being
prepared for comparison purposes.
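The point of (8) and (9) can be made concrete. The following is an added example, not
part of the study material: a small Python program that first checks the program files
that prepare the comparison data against a manifest of authorised SHA-256 hashes, and
only if they match compares recorded quantities with the physical count. The file names,
the manifest, the stock figures and the "tampered" source text are all constructed for the
illustration; the source text is only hashed, never executed.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed source text for the program that prepares the comparison data.
# It is only hashed here, never executed; the file names are hypothetical.
APPROVED_SOURCE = {
    "reconcile.py": b"def reconcile(recorded, counted):\n    return counted - recorded\n",
    "load_counts.py": b"def load_counts(path):\n    return read_counts(path)\n",
}
# The manifest an auditor would take from the approved release records, not from
# the machine being audited
APPROVED_MANIFEST = {name: sha256_hex(src) for name, src in APPROVED_SOURCE.items()}


def verify_program_integrity(deployed, manifest):
    """Return (file, reason) for every deviation of the deployed program from the manifest."""
    findings = []
    for name, expected in manifest.items():
        if name not in deployed:
            findings.append((name, "missing from deployed program"))
        elif sha256_hex(deployed[name]) != expected:
            findings.append((name, "content differs from authorised version"))
    for name in deployed:
        if name not in manifest:
            findings.append((name, "not in authorised manifest"))
    return findings


def reconcile(recorded, counted):
    """Compare recorded accountability (book quantities) with the physical count.
    Returns item -> (recorded, counted, difference) for every item that disagrees."""
    discrepancies = {}
    for item in sorted(set(recorded) | set(counted)):
        r, c = recorded.get(item, 0), counted.get(item, 0)
        if r != c:
            discrepancies[item] = (r, c, c - r)
    return discrepancies


def run_comparison(deployed, manifest, recorded, counted):
    """Refuse to report from a program that differs from its authorised version:
    the comparison is only as trustworthy as the code that produced it."""
    findings = verify_program_integrity(deployed, manifest)
    if findings:
        return {"status": "program integrity failure", "findings": findings}
    return {"status": "ok", "discrepancies": reconcile(recorded, counted)}


# Constructed stock figures
RECORDED = {"SKU-100": 500, "SKU-200": 120, "SKU-300": 40}
COUNTED = {"SKU-100": 500, "SKU-200": 115, "SKU-300": 40}

# A tampered copy: the comparison routine has been changed so that shortages
# are never reported (only the text differs; it is not run here)
TAMPERED = dict(APPROVED_SOURCE)
TAMPERED["reconcile.py"] = b"def reconcile(recorded, counted):\n    return max(0, counted - recorded)\n"

if __name__ == "__main__":
    print(run_comparison(APPROVED_SOURCE, APPROVED_MANIFEST, RECORDED, COUNTED))
    print(run_comparison(TAMPERED, APPROVED_MANIFEST, RECORDED, COUNTED))
```

Run stand-alone it reports one shortage of 5 units for SKU-200 from the authorised program and
refuses to report anything from the tampered copy. The manifest is only as trustworthy as the
change-control process that produced it: the auditor should obtain it from the approved release
records rather than from the machine under audit, and should check it against the deployed
program at the time the comparison is run, not once at installation.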

Effects of Computers on Auditing

The objectives of auditing do not undergo a sea change in a CIS environment. The auditor
must still provide a competent, independent opinion as to whether the financial statements
and records present a true and fair view of the state of affairs of an entity. However,
computer systems have affected how auditors need to collect and evaluate evidence.
These aspects are discussed below:

(1) Changes to Evidence Collection - Collecting evidence on the reliability of a
computer system is often more complex than collecting evidence on the reliability of a
manual system.
Auditors have to face a diverse and complex range of internal control technology that did
not exist in manual systems, for example:
a. Accurate and complete operation of a disk drive may require a set of
hardware controls not required in a manual system,
b. System development controls include procedures for testing programs that
again are not necessary in a manual system.
Since hardware and software develop rapidly, understanding the control technology is not
easy. With the increasing use of data communication for data transfer, research is focused
on cryptographic controls to protect the privacy of data. Unless auditors keep up with these
developments, it will become difficult to evaluate the reliability of communication
networks competently.
The continuing and rapid development of control technology also makes it more difficult
for auditors to collect evidence on the reliability of controls. In some cases the collection
of audit evidence through manual means is not possible at all, so auditors have to operate
the computer system themselves if they are to collect the necessary evidence. Though
generalised audit software is available, it cannot be relied upon in every case, because the
information needed to apply it to a given system is often lacking. Auditors are therefore
often forced to compromise in some way when performing evidence collection.

(2) Changes to Evidence Evaluation - With the increasing complexity of computer systems
and control technology, it is becoming more and more difficult for auditors to evaluate
the consequences of the strengths and weaknesses of control mechanisms when placing
overall reliance on the system.
Auditors need to understand:
a) Whether a control is functioning reliably or malfunctioning,
b) How the strengths and weaknesses of controls propagate through the system.
In a shared data environment a single input transaction may update multiple data items
used by diverse, physically disparate users, and the consequences of this can be difficult
to follow.
The consequences of errors in a computer system are a serious matter, as errors in
computer systems tend to be deterministic, i.e., an erroneous program will always process
the data incorrectly. Moreover, errors are generated at high speed, and the cost and effort
to correct and rerun programs may be high. Errors in a computer program can involve
extensive redesign and reprogramming. Thus, internal controls that ensure high-quality
computer systems should be designed, implemented and operated. The auditors must
ensure that these controls are sufficient to maintain asset safeguarding, data integrity,
system effectiveness and system efficiency, and that they are in place and functioning.

Internal Controls in a CIS Environment
Internal control is an essential prerequisite for the efficient and effective management of
any organisation. Basically, internal controls are the policies and procedures adopted by
management to achieve the entity's specific objectives, such as physical verification of
assets, periodic review and reconciliation of accounts, specific controls on
computer-generated data etc.
Internal control in a CIS system depends on the same principles as in a manual system.
Thus, the plan of organisation, delegation of powers, system of authorisation, distribution
of duties etc. are determined on similar considerations as in a manual system. However, in
a CIS environment, because of the difference in approach, there are various other types of
controls which are quite specific to the CIS environment. In setting up an internal control
system in a CIS environment, the overall CIS operation needs to be broken down into
defined subsystems and controls established accordingly, addressing each function
separately so that auditors can place reliance on them. The basic components that can be
identified in a CIS environment are:
- Hardware (CPU, monitor, printers etc.)
- Software (operating system, application programs, database management
system etc.)
- People (data entry operators, CIS organisation, end users)
- Transmission media

Once the components have been identified, auditors must evaluate their reliability with
respect to each type of error or irregularity that might occur. The reliability of a
component is a function of the controls that act on the component. A control is a set of
activities designed to prevent, detect or correct errors or irregularities that affect the
reliability of a component. The set of all control activities performed in a system
constitutes the control subsystem within that system. Its function is to establish, execute,
modify and maintain control activities so that the reliability of the system is maintained
at an acceptable level. In a computer system many different types of controls are used to
enhance component reliability. The major classes of controls that the auditor must
evaluate are:

(1) Authenticity Controls - Authenticity controls are exercised to verify the identity of
the individuals or processes involved in a system (e.g. password controls, personal
identification numbers, digital signatures).

(2) Accuracy Controls - Accuracy controls ensure the correctness of data and processes in
a system (e.g. a program validation check that a numeric field contains only digits,
overflow checks, control totals, hash totals etc.).

(3) Completeness Controls - Completeness controls attempt to ensure that no data is
missing and that all processing is carried through to its proper conclusion (e.g. program
validation checks, sequence checks etc.).

(4) Redundancy Controls - Redundancy controls attempt to ensure that data is
processed only once (e.g. batch cancellation stamps, circulating error files etc.).

(5) Privacy Controls - Privacy controls ensure that data is protected from inadvertent or
unauthorised disclosure (e.g. cryptography, data compaction, inference controls etc.).

(6) Audit Trail Controls - Audit trail controls ensure the traceability of all events that
have occurred in a system. This record is needed to answer queries, fulfil statutory
requirements, deter irregularities, detect the consequences of errors etc. The accounting
audit trail shows the source and nature of the data and processes that update the database.
The operations audit trail maintains a record of attempted or actual resource consumption
within a system.

(7) Existence Controls - Existence controls attempt to ensure the ongoing availability of
all system resources (e.g. database dumps and logs for recovery purposes, duplicate
hardware, preventive maintenance, checkpoint and restart controls).

(8) Asset Safeguarding Controls - Asset safeguarding controls attempt to ensure that all
resources within a system are protected from destruction or corruption (e.g. physical
barriers, libraries etc.).

(9) Effectiveness Controls - Effectiveness controls attempt to ensure that systems achieve
their goals (e.g. monitoring of user satisfaction, post-implementation audits, periodic
cost-benefit analysis etc.).

(10) Efficiency Controls - Efficiency controls attempt to ensure that a system uses the
minimum resources to achieve its goals.
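Classes (1) and (6) above, together with the supervisory review of the audit trail described
earlier under Adequate Management Supervision, can be shown in one piece of code. The
following is an added example, not part of the study material: a Python audit trail in which
each entry's hash covers the previous entry's hash, so that an altered or removed entry breaks
the chain, plus a review that compares each recorded action against an authorisation matrix.
The roles, actions, user names and events are all constructed; nothing here is the interface
of any real product.

```python
import copy
import hashlib
import json

# Hypothetical authorisation matrix: the actions each role may perform
AUTHORISED_ACTIONS = {
    "clerk": {"post_invoice"},
    "supervisor": {"post_invoice", "approve_invoice"},
    "dba": {"restore_backup"},
}

GENESIS = "0" * 64   # the "previous hash" of the first entry


def canonical(event):
    # Deterministic serialisation so that an event always hashes the same way
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, event):
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


def append_event(trail, event):
    """Append an entry whose hash covers the previous entry's hash (a hash chain)."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = {"seq": len(trail) + 1, "prev": prev, "event": event, "hash": entry_hash(prev, event)}
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return the seq numbers of entries whose content or linkage does not check out."""
    bad = []
    prev = GENESIS
    for i, entry in enumerate(trail, start=1):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != entry_hash(prev, entry["event"])):
            bad.append(i)
        prev = entry["hash"]
    return bad


def review_for_unauthorised(trail, matrix):
    """Supervisory review: events whose action is outside the actor's authorised set."""
    return [e["event"] for e in trail
            if e["event"]["action"] not in matrix.get(e["event"]["role"], set())]


def tamper(trail, seq, action, recompute_hash=False):
    """Return a copy of the trail with one entry's action altered, optionally with
    that entry's hash recomputed, as a more careful tamperer would do."""
    t = copy.deepcopy(trail)
    entry = t[seq - 1]
    entry["event"]["action"] = action
    if recompute_hash:
        entry["hash"] = entry_hash(entry["prev"], entry["event"])
    return t


# Constructed sample activity (not real data)
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "asha", "role": "clerk",
     "action": "post_invoice", "ref": "INV-1001"},
    {"ts": "2024-03-01T09:05:00", "user": "asha", "role": "clerk",
     "action": "approve_invoice", "ref": "INV-1001"},
    {"ts": "2024-03-01T09:10:00", "user": "ravi", "role": "supervisor",
     "action": "approve_invoice", "ref": "INV-1002"},
]


def build_trail(events):
    trail = []
    for ev in events:
        append_event(trail, ev)
    return trail


if __name__ == "__main__":
    trail = build_trail(EVENTS)
    print("intact:", verify_trail(trail))
    print("unauthorised:", review_for_unauthorised(trail, AUTHORISED_ACTIONS))
    print("entry 2 altered:", verify_trail(tamper(trail, 2, "post_invoice")))
    print("entry 2 altered and rehashed:", verify_trail(tamper(trail, 2, "post_invoice", True)))
```

The review flags the clerk approving her own invoice. If that entry is edited to read
"post_invoice", the stored hash no longer matches and entry 2 is reported; if the editor also
recomputes entry 2's hash, entry 3's stored "prev" no longer matches and the break shows up
there instead. A hash chain only makes tampering detectable; someone with write access to the
whole trail can rewrite every entry from the altered point onwards. The control is completed by
anchoring the latest hash somewhere the system staff cannot alter (printed in a report, written
to write-once media, or signed with an independent key) at regular intervals, and by having the
supervisory review read the trail itself rather than a summary produced by the same system.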

Consideration of Control Attributes by the Auditors

In evaluating the effect of a control, the auditor needs to assess its reliability by
considering the various attributes of the control. Some of these attributes are:
(1) Whether the control is in place and is functioning as desired.
(2) Generality versus specificity of the control with respect to the various types of errors
and irregularities that might occur.
General controls inhibit the effect of a wide variety of errors and irregularities and are
more robust to change; controls in the application subsystems tend to be specific
controls, because the components in these subsystems execute activities having less variety.
(3) Whether the control acts to prevent, detect or correct errors.
The auditor focuses here on:
i) Preventive controls: controls which stop errors or irregularities from occurring.
ii) Detective controls: controls which identify errors and irregularities after they occur.
iii) Corrective controls: controls which remove the effects of errors and irregularities
after they have been identified.
Auditors expect to see a higher density of preventive controls at the early stages of
processing; conversely, they expect to see more detective and corrective controls later in
system processing.
(4) The number of components used to execute the control.
Multi-component controls are more complex and more error-prone, but they are usually
needed to handle complex errors and irregularities.

Internal Control Requirements under a CIS Environment

The requirements for internal control under a CIS environment may cover the following
aspects:
(1) Organisation and Management Controls - Controls designed to establish an
organisational framework for CIS activities, including:
a) Policies and procedures relating to control functions.
b) Appropriate segregation of incompatible functions.

(2) Application System Development and Maintenance Controls - Controls designed
to provide reasonable assurance that systems are developed and maintained in an
authorised and efficient manner, and to establish control over:
a) Testing, conversion, implementation and documentation of new or revised systems.
b) Changes made to application systems.
c) Access to system documentation.
d) Acquisition of application systems from third parties.

(3) Computer Operation Controls - Controls designed to control the operation of the
system and to provide reasonable assurance that:
a) The systems are used for authorised purposes only.
b) Access to computer operations is restricted to authorised personnel.
c) Only authorised programs are used.
d) Processing errors are detected and corrected.

(4) System Software Controls - Controls designed to provide reasonable assurance
that system software is acquired or developed in an authorised and efficient manner,
including:
a. Authorisation, approval, testing, implementation and documentation of new
system software and of system software modifications.
b. Restriction of access to system software and its documentation to authorised
personnel.

(5) Data Entry and Program Controls - Controls designed to provide assurance that:
a) An authorisation structure is established over transactions being entered
into the system.
b) Access to data and programs is restricted to authorised personnel.

(6) Controls over Input - Controls designed to provide reasonable assurance that:
a. Transactions are properly authorised before being processed by the computer.
b. Transactions are accurately converted into machine-readable form and
recorded in the computer data files.
c. Transactions are not lost, added, duplicated or improperly changed.
d. Incorrect transactions are rejected, corrected and, if necessary, resubmitted on
a timely basis.

(7) Controls over Processing and Computer Data Files - Controls designed to
provide reasonable assurance that:
a) Transactions, including system-generated transactions, are properly
processed by the computer.
b) Transactions are not lost, added, duplicated or improperly changed.
c) Processing errors are identified and corrected on a timely basis.

(8) Controls over Output - Controls designed to provide reasonable assurance that:
a. The results of processing are accurate.
b. Access to output is restricted to authorised personnel.
c. Output is provided to the appropriate authorised personnel on a timely basis.

(9) Other Safeguards - Other safeguards include:
a) Offsite back-up of data and programs.
b) Recovery procedures for use in the event of theft, loss or intentional or
accidental destruction.
c) Provision of offsite processing in the event of disaster.
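As an added worked example, not part of the study material, the following Python code
exercises the input and processing control objectives in (6) and (7) above using the classes
of control listed earlier: a record count and sequence check (completeness), a control total
and a hash total (accuracy), a batch cancellation stamp and a duplicate-reference check
(redundancy), and an authorisation check on each record. The batch layout, the approver
list and the sample batches are constructed for the illustration. A batch that fails any
batch-level control is returned whole for correction; individual records that fail their own
checks go to an error list for correction and resubmission while the rest are posted.

```python
from dataclasses import dataclass, field

# Hypothetical table of users permitted to authorise transactions for input
AUTHORISED_APPROVERS = {"meera", "ravi"}


@dataclass
class BatchResult:
    status: str                                   # "posted", "partially posted" or "rejected"
    batch_errors: list = field(default_factory=list)
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (record, reasons): the error file for resubmission


def validate_batch(header, records, processed_batches, posted_refs):
    """Apply batch-level controls, then record-level controls, to one input batch.

    header: totals prepared from the source documents before keying
    records: the transactions as keyed, each with seq, ref, account, amount, authorised_by
    processed_batches: ids of batches already run (the batch cancellation stamp)
    posted_refs: transaction references already on file from earlier batches
    """
    # Redundancy control: a batch that has already been processed must not run twice
    if header["batch_id"] in processed_batches:
        return BatchResult("rejected", ["batch already processed"])

    errors = []
    # Completeness controls: record count and an unbroken sequence of record numbers
    if len(records) != header["record_count"]:
        errors.append(f"record count {len(records)} != control {header['record_count']}")
    if [r["seq"] for r in records] != list(range(1, len(records) + 1)):
        errors.append("gap or break in record sequence")
    # Accuracy controls: control total on amount, hash total on account numbers
    # (the hash total has no business meaning; it only detects a mis-keyed account)
    amount_total = sum(r["amount"] for r in records)
    hash_total = sum(r["account"] for r in records)
    if amount_total != header["amount_total"]:
        errors.append(f"amount total {amount_total} != control {header['amount_total']}")
    if hash_total != header["hash_total"]:
        errors.append(f"hash total {hash_total} != control {header['hash_total']}")
    if errors:
        # The whole batch is held: posting part of it would leave the totals unreconciled
        return BatchResult("rejected", errors)

    result = BatchResult("posted")
    seen_refs = set()
    for r in records:
        reasons = []
        if r["amount"] <= 0:
            reasons.append("amount not positive")
        # Authorisation control: each transaction must carry a valid approver
        if r["authorised_by"] not in AUTHORISED_APPROVERS:
            reasons.append("transaction not properly authorised")
        # Redundancy control at record level: the same reference must not be posted twice
        if r["ref"] in posted_refs or r["ref"] in seen_refs:
            reasons.append("duplicate transaction reference")
        seen_refs.add(r["ref"])
        if reasons:
            result.rejected.append((r, reasons))
        else:
            result.accepted.append(r)
    if result.rejected:
        result.status = "partially posted"
    return result


# Constructed sample data (not real transactions)
POSTED_REFS = {"TX-7"}
PROCESSED_BATCHES = {"B-000"}

BATCH_OK_HEADER = {"batch_id": "B-001", "record_count": 4, "amount_total": 1825, "hash_total": 10010}
BATCH_OK = [
    {"seq": 1, "ref": "TX-11", "account": 1001, "amount": 500, "authorised_by": "meera"},
    {"seq": 2, "ref": "TX-12", "account": 2002, "amount": 1000, "authorised_by": "ravi"},
    {"seq": 3, "ref": "TX-13", "account": 3003, "amount": 250, "authorised_by": "zed"},
    {"seq": 4, "ref": "TX-7", "account": 4004, "amount": 75, "authorised_by": "meera"},
]

# The source documents showed four records totalling 550 with accounts summing to 8509;
# the operator dropped record 3 and keyed 100 as 1000, so count, sequence, amount
# total and hash total all disagree with the header
BATCH_BAD_HEADER = {"batch_id": "B-002", "record_count": 4, "amount_total": 550, "hash_total": 8509}
BATCH_BAD = [
    {"seq": 1, "ref": "TX-21", "account": 1001, "amount": 100, "authorised_by": "meera"},
    {"seq": 2, "ref": "TX-22", "account": 2002, "amount": 1000, "authorised_by": "ravi"},
    {"seq": 4, "ref": "TX-24", "account": 3003, "amount": 200, "authorised_by": "ravi"},
]

if __name__ == "__main__":
    for header, batch in ((BATCH_OK_HEADER, BATCH_OK), (BATCH_BAD_HEADER, BATCH_BAD)):
        print(header["batch_id"], validate_batch(header, batch, PROCESSED_BATCHES, POSTED_REFS))
    print("rerun", validate_batch(BATCH_OK_HEADER, BATCH_OK, {"B-001"}, POSTED_REFS).batch_errors)
```

Batch B-001 reconciles to its header, so it proceeds to record-level checks: TX-11 and TX-12 are
posted, TX-13 is rejected for lacking a valid approver, and TX-7 is rejected because that
reference is already on file. Batch B-002 is held with four batch-level errors and nothing is
posted. Re-running B-001 after it has been stamped as processed is refused outright. Note that
the header totals must come from the source documents, prepared by someone other than the
keying operator; a header computed from the keyed records would agree with them by
construction and detect nothing.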
