Week 2 - ULOA

UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

Course Outline: CompEd 421 – Auditing in a CIS Environment

Course Facilitator: Charles D. Flores, CPA, CMA
Email: charlesflores@umindanao.edu.ph
Student Consultation: Zoom Meeting or traditional contact (calls, texts, emails)
Mobile: 0927-1716952
Phone: (082) 2277367
Effectivity Date: August 2020
Mode of Delivery: Online Blended Delivery
Time Frame: 54 Hours
Student Workload: Expected Self-Directed Learning
Requisites: None
Credit: 3
Attendance Requirements: For online sessions: minimum of 90% attendance. For 1-day on-campus/onsite review: 100% attendance.

Course Outline Policies

Areas of Concern and Details

Contact and Non-contact Hours: This 3-unit course self-instructional manual is designed for the blended learning mode of instructional delivery, i.e. online sessions through the LMS and the 2-day on-campus/onsite face-to-face review and final examination. The expected number of hours will be 54, including review and examination days. The face-to-face sessions shall include the summative assessment tasks (exams), since this course is crucial in the licensure examination for accountants.

Assessment Task Submission: Submission of assessment tasks shall be on the 3rd, 5th, 7th and 9th week of the term. The assessment paper shall be attached with a cover page indicating the title of the assessment task (if the task is performance), the name of the Course Facilitator, the date of submission and the name of the student. The document should be emailed to the Course Facilitator. It is also expected that you have already paid your tuition and other fees before the submission of the assessment task.

ACC 311 *Property of UMDC
Page 1 of 15

If the assessment task is done in real time through the features in Quipper, the schedule shall be arranged ahead of time by the Course Facilitator.

Since this course is included in the licensure examination, you will be required to take the Multiple-Choice Question exam during the on-campus/onsite sessions. This should be scheduled ahead of time by the Course Facilitator. This is non-negotiable for all licensure-based programs.

Turnitin Submission (if necessary): To ensure honesty and authenticity, all assessment tasks are required to be submitted through Turnitin, with a maximum similarity index of 30% allowed. This means that if your paper goes beyond 30%, the student will either opt to redo his/her paper or explain in writing, addressed to the Course Facilitator, the reasons for the similarity. In addition, if the paper has reached more than 30% similarity index, the student may be called for disciplinary action in accordance with the University’s OPM on Intellectual and Academic Honesty.

Please note that academic dishonesty such as cheating and commissioning other students or people to complete the task for you has severe punishments (reprimand, warning, expulsion).

Penalties for Late Assignments/Assessments: The score for an assessment item submitted after the designated time on the due date, without an approved extension of time, will be reduced by 5% of the possible maximum score for that assessment item for each day or part day that the assessment item is late.

However, if the late submission of an assessment paper has a valid reason, a letter of explanation should be submitted to and approved by the Course Facilitator. If necessary, you will also be required to present/attach evidence.


Return of Assignments/Assessments: Assessment tasks will be returned to you two (2) weeks after the submission. They will be returned by email or via the Blackboard portal.

For group assessment tasks, the Course Facilitator will require some or a few of the students to attend online or virtual sessions to ask clarificatory questions, to validate the originality of the assessment task submitted and to ensure that all the group members are involved.

Assignment Resubmission: You should request in writing, addressed to the Course Facilitator, your intention to resubmit an assessment task. The resubmission is premised on the student’s failure to comply with the similarity index and other reasonable grounds such as academic literacy standards or other reasonable circumstances, e.g. illness, accidents, financial constraints.

Re-marking of Assessment Papers and Appeal: You should request in writing, addressed to the program coordinator, your intention to appeal or contest the score given to an assessment task. The letter should explicitly explain the reasons/points to contest the grade. The program coordinator shall communicate with the students on the approval or disapproval of the request.

If disapproved by the Course Facilitator, you can elevate your case to the program head or the dean with the original letter of request. The final decision will come from the dean of the college.

Grading System: All culled from Quipper sessions and traditional contact.
Course discussions/exercises – 30%
1st formative assessment – 10%
2nd formative assessment – 10%
3rd formative assessment – 10%
Final exam – 40%

Submission of the final grades shall follow the usual University system and procedures.

Preferred Referencing Style (if the tasks require): Depends on the discipline; if uncertain or inadequate, use the general practice of the APA 6th Edition.

Student Communication: Students are required to create a umindanao email account, which is a requirement to access the Quipper portal. Then, the Course Facilitator shall enroll the students to have access to the materials and resources of the course. All communication formats: chat, submission of assessment tasks,

requests etc. shall be through the portal and other university recognized platforms.

You can also contact your teacher/Course Facilitator via traditional contact or social media for communication. For related concerns, the students can contact the Dean, Program Head, Library, and Guidance Help Desks.

For students who have not created their umindanao account and LMS account, please contact the Course Facilitator or Program Head for further instructions.

Contact Details of the Dean: (Name, number and email address of GSTC Head and GSTC Facilitator in the college)

Contact Details of the Program Head: (Name, number and email address of GSTC Head and GSTC Facilitator in the college)

Students with Special Needs: Students with special needs shall communicate with the Course Facilitator about the nature of his or her special needs. Depending on the nature of the need, the Course Facilitator, with the approval of the Program Head, may provide alternative assessment tasks or an extension of the deadline for submission of assessment tasks. However, the alternative assessment tasks should still be in the service of achieving the desired course learning outcomes.

Online Tutorial Registration (if available and necessary): You are required to enroll in a specific tutorial time for this course via the www.cte.edu.ph portal. Please note that there is a deadline for enrollment to the tutorial.

Instructional Help Desk Contact Details: (Name, number and email addresses of Dean and College LMS Administrator)

Library Contact Details: (Name, number and email address of LIC Head)

Well-being Welfare Support Help Desk Contact Details: (Name, number and email address of GSTC Head and GSTC Facilitator in the college)


Course Information – see/download course syllabus in the Quipper LMS

CC’s Voice: Hello future accountants! Welcome to CompEd 421 - Auditing in a CIS Environment. By now, it is expected that you already understand the basics of Accounting Information Systems.

CO: As future accountants, it is essential that you understand the effectiveness and efficiency brought by an Accounting Information System. Hence, the study of auditing in a CIS environment will guide you to understand the significance of the reliability and credibility of the system.

Let us begin!

Big Picture

Week 1-3: Unit Learning Outcomes (ULO): At the end of the unit, you are expected to
a. Understand the relationship between auditing and internal controls, and the information technology (IT) governance controls;
b. Explain the process of auditing operating systems and networks;
c. Understand the process of auditing the database systems;

Big Picture in Focus:

ULOb. Explain the process of auditing operating systems and networks;

Metalanguage

This section focuses on Sarbanes-Oxley compliance regarding the security and control of operating systems, communication networks, Electronic Data Interchange, and PC-based accounting systems. We will examine the risks, controls, audit objectives, and audit procedures that may be performed to either satisfy compliance or attest responsibilities.

Please proceed to the “Essential Knowledge” part for the discussion.

Essential Knowledge
Auditing Operating System

The operating system is the computer’s control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.

Operating System Control Objectives
• Protect itself from users. A user’s application must not be able to gain control of, or damage, the operating system in any way.
• Protect users from each other. One user must not be able to access, destroy, or corrupt the data of another user.
• Protect users from themselves. A user’s application may consist of several modules stored in separate memory locations, each with its own data.
• Protect itself from itself. No module should be allowed to destroy or corrupt other modules.
• Protect itself from its environment, including power failures and other disasters.

Operating System Security:
• Log-on procedure - the first line of defense against unauthorized access, consisting of user IDs and passwords.
• Access token - contains key information about the user, which is used to approve actions attempted during the session.
• Access control list - assigned to each IT resource and used to control access to that resource.
• Discretionary access privileges - allow a user to grant access to another user.

Threats to Operating System Integrity

Accidental threats include hardware failures and errors in user applications.
Intentional threats are often attempts to illegally access data or violate privacy for financial gain.
A growing threat is destructive programs with no apparent gain, which come from three sources:
• Privileged personnel who abuse their authority.
• Individuals who browse the operating system to identify and exploit security flaws.
• Individuals who insert viruses or other destructive programs into the operating system, either intentionally or unintentionally.

Operating System Controls

Access Privileges - Audit Objectives:
• Verify that access privileges are consistent with the separation of incompatible functions and with organization policies.

Access Privileges - Audit Procedures:
• Review policies for separating incompatible functions.
• Review a sample of user privileges, especially access to data and programs.
• Review security clearance checks of privileged employees for compliance with company policy.
• Review employee records to determine if users have formally acknowledged their responsibility to maintain data confidentiality.
• Review users’ permitted log-on times.
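Once the privilege listing, the separation-of-duties policy and the HR records have been extracted to files, the review procedures above can be run mechanically. The following Python script is an added example (not from the course module or from Hall’s text); the users, functions, incompatible-function pairs and HR records in it are constructed sample data.

```python
# Added example, not part of the course module: automating the access-privilege audit
# procedures (separation of incompatible functions, clearance checks, confidentiality
# acknowledgements). All users, functions and records below are constructed sample data.
from itertools import combinations

# Constructed extract of user privileges: user -> set of functions the user may perform.
USER_PRIVILEGES = {
    "alice": {"enter_vendor_invoice", "approve_payment", "run_reports"},
    "bob":   {"enter_vendor_invoice", "run_reports"},
    "carol": {"modify_payroll_master", "run_payroll"},
    "dave":  {"modify_programs", "run_reports"},
}

# Constructed policy: pairs of functions that must never be held by one person.
INCOMPATIBLE_FUNCTIONS = {
    frozenset({"enter_vendor_invoice", "approve_payment"}),
    frozenset({"modify_payroll_master", "run_payroll"}),
    frozenset({"modify_programs", "run_production"}),
}

# Constructed policy: functions whose holders need a security clearance check on file.
PRIVILEGED_FUNCTIONS = {"approve_payment", "modify_payroll_master", "modify_programs"}

# Constructed HR records: who has a clearance check, who signed the confidentiality form.
CLEARANCE_ON_FILE = {"alice", "dave"}
CONFIDENTIALITY_ACKNOWLEDGED = {"alice", "bob", "dave"}


def find_sod_violations(privileges, incompatible):
    """Map each user to the incompatible function pairs that user holds."""
    violations = {}
    for user, granted in privileges.items():
        pairs = [(a, b) for a, b in combinations(sorted(granted), 2)
                 if frozenset((a, b)) in incompatible]
        if pairs:
            violations[user] = pairs
    return violations


def find_missing_clearance(privileges, privileged, cleared):
    """Users holding a privileged function without a clearance check on file."""
    return sorted(user for user, granted in privileges.items()
                  if granted & privileged and user not in cleared)


def find_missing_acknowledgement(privileges, acknowledged):
    """Users who never formally acknowledged their data-confidentiality duty."""
    return sorted(user for user in privileges if user not in acknowledged)


def audit_access_privileges(privileges=USER_PRIVILEGES):
    """Run all three checks and return the findings as one report dict."""
    return {
        "sod_violations": find_sod_violations(privileges, INCOMPATIBLE_FUNCTIONS),
        "missing_clearance": find_missing_clearance(privileges, PRIVILEGED_FUNCTIONS,
                                                    CLEARANCE_ON_FILE),
        "missing_acknowledgement": find_missing_acknowledgement(privileges,
                                                                CONFIDENTIALITY_ACKNOWLEDGED),
    }


if __name__ == "__main__":
    for finding, detail in audit_access_privileges().items():
        print(f"{finding}: {detail}")
```

The policy is expressed as unordered pairs (frozensets) so that the order in which two functions appear in a user’s profile never matters; each finding is a working-paper item the auditor follows up with the security group.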

Password Controls


A password is a secret code the user enters to gain access to a system, data files or server.
Common contra-security behaviors:
• Forgetting passwords and being locked out of the system.
• Failing to change passwords on a frequent basis.
• Post-it syndrome, which puts passwords on display.
• Simplistic passwords that a computer criminal easily anticipates.
The most common method is the reusable password.
• To improve access control, management should require password changes and disallow weak ones.
One-time passwords are designed to overcome the aforementioned problems: the user’s password changes continuously.
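To make the contrast between a reusable password and a one-time password concrete, here is an added Python example (not from the course module) of the HMAC-based one-time password scheme of RFC 4226 driven by a 30-second time counter as in RFC 6238, together with the server-side check that accepts each code only once. The secret key is the published RFC test-vector value, used only so the output can be checked; everything else is an assumption of this example.

```python
# Added example, not part of the course module: a one-time password whose value changes
# every 30 seconds (HMAC-based OTP, RFC 4226, driven by a time counter as in RFC 6238),
# beside a verifier that never accepts the same code twice. The secret below is the
# published RFC test-vector key and is used only so the results can be checked.
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret, not a real key


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 one-time password for a given counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """Time-based OTP: the counter is the number of 30-second steps since the epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


class OtpVerifier:
    """Server side of the log-on procedure: accepts each code at most once."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1   # highest counter already consumed

    def verify(self, code, unix_time):
        counter = int(unix_time) // self.step
        # Tolerate clock drift of +/- `window` steps, but never re-use a consumed counter:
        # a captured code is useless once it has been accepted (no "reusable password").
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(SECRET, now))
```

The `last_counter` bookkeeping is the part that turns a changing password into a one-time password: without it, a code observed over the shoulder would still be valid for the rest of its 30-second step.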

Controlling Against Malicious & Destructive Programs

Organizations can reduce threats by the following:
• Purchase software only from reputable vendors in original packages.
• Issue an entity-wide policy pertaining to unauthorized or illegal software.
• Examine upgrades and public-domain software for viruses before implementation.
• Inspect all public-domain software for virus infection before using it.
• Establish entity-wide procedures for making changes to production programs.
• Establish an educational program to raise user awareness regarding threats from viruses and malicious programs.
• Install all new applications on a stand-alone computer.
• Implement procedures for changing programs.
• Routinely make backup copies.
• Limit users to read and execute rights only.
• Require protocols to bypass Trojan horses.
• Use antiviral software (also called vaccines) to examine application and operating system programs.

Viruses & Destructive Programs - Audit objectives:
• Verify the effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses.

Viruses & Destructive Programs - Audit procedures:
• Interview personnel to determine that operations personnel have been properly educated and are aware of the risks.
• Verify that new software is tested on stand-alone workstations prior to being implemented.
• Verify that antiviral software is current and that upgrades are frequently downloaded.

System Audit Trail Controls

System audit trails are logs that record activity at the system, application and user level.
Two types of audit logs:
• Keystroke monitoring involves recording the user’s keystrokes and the system’s response.
• Event monitoring summarizes key activities related to system resources.

Audit trails can be used to:
• Detect unauthorized access, which can occur in real time or after the fact.
• Reconstruct events: the trail can be used to reconstruct the steps that led to events such as system failures or security violations.
• Enforce personal accountability: the trail can be used to monitor user activity at the lowest level of detail.

The benefits of audit logs must be balanced against their costs.

System Audit Trails - Audit objectives:
• Ensure the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events and planning resource allocation.

System Audit Trails - Audit procedures:
• Verify the audit trail has been activated per company policy.
• Use data extraction tools to search for defined conditions such as: unauthorized users; periods of inactivity; periods of activity including log-on and log-off times; failed log-on attempts; and specific access.
• Sample security violation cases and evaluate their disposition to assess the security group’s effectiveness.
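The “data extraction” step of the audit procedures above looks like the following Python script, an added example that is not part of the course module. The event-log format, the user directory, the permitted log-on window and the list of sensitive objects are all assumptions of the example, and the log lines are constructed.

```python
# Added example, not part of the course module: the data-extraction step of the audit
# trail procedures, run over a constructed sample of operating-system event-log lines.
# The log format, user directory, permitted hours and sensitive objects are all assumed.
import re
from collections import Counter
from datetime import datetime, time as dtime

# Constructed event log (one record per line): timestamp host EVENT key=value ...
LOG_LINES = """\
2024-03-04T08:02:11 srv01 LOGON user=alice result=OK src=10.1.1.20
2024-03-04T08:40:03 srv01 ACCESS user=alice object=/payroll/master.dat action=READ
2024-03-04T09:15:44 srv01 LOGOFF user=alice
2024-03-04T22:13:05 srv01 LOGON user=bob result=FAIL src=10.1.1.77
2024-03-04T22:13:19 srv01 LOGON user=bob result=FAIL src=10.1.1.77
2024-03-04T22:13:31 srv01 LOGON user=bob result=FAIL src=10.1.1.77
2024-03-04T22:13:50 srv01 LOGON user=bob result=OK src=10.1.1.77
2024-03-04T22:20:00 srv01 ACCESS user=bob object=/payroll/master.dat action=WRITE
2024-03-04T23:01:00 srv01 LOGOFF user=bob
2024-03-05T03:30:00 srv01 LOGON user=mallory result=OK src=10.1.1.99
""".splitlines()

USER_DIRECTORY = {"alice", "bob"}                 # constructed: authorised user IDs
PERMITTED_HOURS = (dtime(7, 0), dtime(19, 0))     # constructed: permitted log-on window
SENSITIVE_OBJECTS = {"/payroll/master.dat"}       # constructed: "specific access" of interest

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_log(lines):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events


def failed_logons(events, threshold=3):
    """Users with at least `threshold` failed log-on attempts."""
    counts = Counter(e["user"] for e in events
                     if e["kind"] == "LOGON" and e.get("result") == "FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def off_hours_logons(events, permitted=PERMITTED_HOURS):
    """Successful log-ons outside the permitted log-on window."""
    start, end = permitted
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["kind"] == "LOGON" and e.get("result") == "OK"
            and not (start <= e["ts"].time() < end)]


def unknown_users(events, directory=USER_DIRECTORY):
    """User IDs appearing in the log that are not in the authorised directory."""
    return sorted({e["user"] for e in events if e["user"] not in directory})


def sensitive_access(events, objects=SENSITIVE_OBJECTS):
    """Every access to a sensitive object, in log order."""
    return [(e["user"], e["object"], e["action"]) for e in events
            if e["kind"] == "ACCESS" and e["object"] in objects]


def sessions(events):
    """Pair each successful LOGON with the user's next LOGOFF; open sessions get None."""
    open_at, result = {}, []
    for e in events:
        if e["kind"] == "LOGON" and e.get("result") == "OK":
            open_at[e["user"]] = e["ts"]
        elif e["kind"] == "LOGOFF" and e["user"] in open_at:
            start = open_at.pop(e["user"])
            result.append((e["user"], start, e["ts"], int((e["ts"] - start).total_seconds())))
    result += [(u, t, None, None) for u, t in open_at.items()]
    return result


if __name__ == "__main__":
    ev = parse_log(LOG_LINES)
    print("failed log-ons:", failed_logons(ev))
    print("off-hours log-ons:", off_hours_logons(ev))
    print("unknown users:", unknown_users(ev))
    print("sensitive access:", sensitive_access(ev))
    print("sessions:", sessions(ev))
```

Each function answers one of the defined conditions in the procedure list (failed log-on attempts, log-on and log-off times, unauthorized users, specific access); on the constructed sample the three failed attempts by bob, followed by a successful off-hours log-on and a write to the payroll master, are exactly the kind of sequence the auditor would then trace in the security group’s violation files.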

Intranet Risks

Intranets consist of small LANs and large WANs that may contain thousands of individual nodes. They are used to connect employees within a single building, between buildings on the same physical campus, and between geographically dispersed locations.

Intercepting network messages:
• Sniffing - the unauthorized interception of information passing through a node on the network.

Accessing corporate databases:
• Connections to central databases increase the risk that data will be accessible to employees.

Privileged employees:
• Overrides may allow unauthorized access to critical data.
• Organizations are reluctant to prosecute.
• Negligent hiring liability requires employers to check employee backgrounds. Courts are holding employers responsible for employee criminal acts that could have been prevented with a background check.

Internet Risks

IP spoofing is masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one’s identity.

A denial of service (DOS) attack is an assault on a Web server to prevent it from servicing users. It is particularly devastating to business entities that cannot receive and process business transactions.

Three Common Types of DOS Attacks:



1. SYN Flood. When the three-way handshake needed to establish an Internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server while it waits.

2. Smurf Attack. Involves three parties: the perpetrator, the intermediary, and the victim. The DOS attacker uses numerous intermediary computers to flood the target computer with test messages (“pings”), causing network congestion.

3. Distributed Denial of Service (DDoS) attack. May take the form of Smurf or SYN attacks, but is distinguished by the vast number of zombie computers hijacked to launch the attacks. The perpetrator of a DDoS attack may employ a virtual army of so-called zombie or bot (robot) computers. Internet relay chat (IRC) is a popular interactive service on the Internet through which users engage in real-time communications via their computers. These collections of compromised computers are known as botnets.


Controlling Risks from Subversive Threats

A firewall is a system that enforces access control between two networks. To accomplish this:
• All traffic between the outside network and the organization’s intranet must pass through the firewall.
• Only authorized traffic is allowed to pass through the firewall.
• The firewall must be immune to penetration from both outside and inside the organization.

Network-level firewalls provide efficient, low-security control. They consist of:
• A screening router, which examines the source and destination addresses attached to incoming message packets but does not explicitly authenticate outside users.

Application-level firewalls provide higher, customizable network security, but add overhead cost. A high level of firewall security is possible using a dual-homed system.
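The screening router’s decision rule can be shown in a few lines. The Python below is an added example (not from the course module): a first-match packet filter that looks only at interface, source and destination address and destination port, which is exactly why it cannot authenticate the outside user. The networks, the public server address, the rules and the sample packets are constructed.

```python
# Added example, not part of the course module: a screening-router style packet filter.
# It decides purely on interface, source/destination address and destination port, which is
# exactly the limitation the text notes: it never authenticates the outside user.
# Networks, hosts and rules are constructed for illustration.
import ipaddress

# Constructed first-match rule set: (action, interface, source net, destination net, dst port)
# `None` for the port means "any port". The final rule is the default deny.
RULES = [
    # Anti-spoofing: nothing arriving on the outside interface may claim an internal source.
    ("deny",  "outside", "10.0.0.0/8",   "0.0.0.0/0",     None),
    # Outsiders may reach only the public web server on HTTPS.
    ("allow", "outside", "0.0.0.0/0",    "10.0.5.10/32",  443),
    # Insiders may browse the web.
    ("allow", "inside",  "10.0.0.0/8",   "0.0.0.0/0",     443),
    ("allow", "inside",  "10.0.0.0/8",   "0.0.0.0/0",     80),
    ("deny",  "any",     "0.0.0.0/0",    "0.0.0.0/0",     None),
]


def matches(rule, packet):
    """True when every field of the rule covers the packet."""
    action, iface, src_net, dst_net, dport = rule
    return ((iface == "any" or iface == packet["iface"])
            and ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(dst_net)
            and (dport is None or dport == packet["dport"]))


def screen(packet, rules=RULES):
    """Return (action, index of the rule that decided it) for the first matching rule."""
    for i, rule in enumerate(rules):
        if matches(rule, packet):
            return rule[0], i
    return "deny", None   # unreachable with a default-deny rule, kept for safety


# Constructed sample packets.
SAMPLE_PACKETS = [
    {"iface": "outside", "src": "203.0.113.5", "dst": "10.0.5.10",    "dport": 443},  # allowed
    {"iface": "outside", "src": "203.0.113.5", "dst": "10.0.5.10",    "dport": 22},   # denied
    {"iface": "outside", "src": "10.0.0.9",    "dst": "10.0.5.10",    "dport": 443},  # spoofed
    {"iface": "inside",  "src": "10.0.7.4",    "dst": "198.51.100.8", "dport": 443},
]


def screen_all(packets=SAMPLE_PACKETS, rules=RULES):
    return [screen(p, rules) for p in packets]


if __name__ == "__main__":
    for p, decision in zip(SAMPLE_PACKETS, screen_all()):
        print(p, "->", decision)
```

Note that the third packet is dropped by the anti-spoofing rule even though its destination and port are otherwise permitted; the filter can tell that the claimed source is impossible on that interface, but it has no way of knowing who is behind the first packet, which is the gap an application-level firewall closes.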


Controlling Denial of Service Attacks

Smurf attacks: Organizations can program firewalls to ignore an identified attacking site.

SYN flood attacks have two countermeasures:
• Get Internet hosts to use firewalls that block invalid IP addresses.
• Use security software to scan for half-open connections.

To counteract DDoS attacks, organizations use intrusion prevention systems (IPS) that employ deep packet inspection (DPI).
• DPI works as a filter that removes malicious packets from the flow before they can affect servers and networks.
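The second SYN-flood countermeasure, scanning for half-open connections, amounts to reading the server’s connection table and counting entries stuck in the SYN_RECV state. The following Python is an added example (not from the course module); the netstat-style table is constructed and the per-source limit and backlog capacity are assumptions that a real deployment would tune.

```python
# Added example, not part of the course module: scanning a connection table for half-open
# (SYN_RECV) connections, the SYN-flood countermeasure listed above. The netstat-style
# table below is constructed; the thresholds are assumptions a real deployment would tune.
from collections import Counter

# Constructed connection table: proto recv-q send-q local remote state
CONNECTION_TABLE = """\
tcp 0 0 10.0.5.10:443 203.0.113.5:51201 SYN_RECV
tcp 0 0 10.0.5.10:443 203.0.113.5:51202 SYN_RECV
tcp 0 0 10.0.5.10:443 203.0.113.5:51203 SYN_RECV
tcp 0 0 10.0.5.10:443 203.0.113.5:51204 SYN_RECV
tcp 0 0 10.0.5.10:443 203.0.113.5:51205 SYN_RECV
tcp 0 0 10.0.5.10:443 203.0.113.5:51206 SYN_RECV
tcp 0 0 10.0.5.10:443 198.51.100.9:40001 SYN_RECV
tcp 0 0 10.0.5.10:443 198.51.100.9:40002 ESTABLISHED
tcp 0 0 10.0.5.10:443 192.0.2.77:55000 ESTABLISHED
""".splitlines()


def parse_table(lines):
    """Return (local, remote_ip, state) for each well-formed row."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        rows.append((local, remote.rsplit(":", 1)[0], state))
    return rows


def scan_half_open(rows, per_source_limit=5, backlog_capacity=128):
    """Summarise half-open connections and flag what an operator should look at.

    Two signals are reported separately: one source holding many half-open slots
    (a non-spoofed flood, candidate for a firewall block) and the total number of
    half-open slots versus the listen backlog (spoofed floods spread the per-source
    count thin, so only the total reveals them).
    """
    half_open = [r for r in rows if r[2] == "SYN_RECV"]
    per_source = Counter(remote for _, remote, _ in half_open)
    return {
        "half_open_total": len(half_open),
        "backlog_pct": round(100 * len(half_open) / backlog_capacity, 1),
        "suspect_sources": sorted(ip for ip, n in per_source.items() if n >= per_source_limit),
        "backlog_alarm": len(half_open) >= backlog_capacity * 0.8,
    }


if __name__ == "__main__":
    print(scan_half_open(parse_table(CONNECTION_TABLE)))
```

The two signals are kept apart on purpose: a single noisy source can be handed to the firewall rule the text describes for Smurf attacks, whereas a backlog that fills up with no dominant source is the spoofed case that only an upstream filter or an IPS can relieve.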

Encryption is the conversion of data into a secret code for storage and transmission. The sender uses an encryption algorithm to convert the original message, called the cleartext message, into a coded equivalent, the ciphertext, which is decoded at the receiving end.
The Caesar cipher is the earliest encryption method.

Two fundamental components:
• Key is a mathematical value the sender selects.
• Algorithm is the procedure of shifting the letters in the cleartext message the number of positions the key value indicates.
Private key and public key encryption are the two commonly used methods.
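The two components named above are easiest to see in the Caesar cipher itself. The Python below is an added example (not from the course module): the key is the shift the sender chooses and the algorithm is the letter-shifting procedure, applied in one direction to encrypt and in the other to decrypt. The message and key are constructed.

```python
# Added example, not part of the course module: the Caesar cipher with its two components
# made explicit, the key (a shift value the sender selects) and the algorithm (shifting
# each letter that many positions). The message and key are constructed for illustration.
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(cleartext, key):
    """Shift every letter forward by `key` positions; other characters pass through."""
    out = []
    for ch in cleartext:
        if ch.isalpha():
            base = "A" if ch.isupper() else "a"
            out.append(chr((ord(ch) - ord(base) + key) % 26 + ord(base)))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, key):
    """Decoding is the same algorithm run with the negated key."""
    return caesar_encrypt(ciphertext, -key)


def key_space():
    """Number of distinct usable keys; a shift of 0 (or 26) leaves the text unchanged."""
    return len(ALPHABET) - 1


if __name__ == "__main__":
    key = 3                                    # the sender's chosen key
    ct = caesar_encrypt("Pay vendor 100", key)
    print(ct, "->", caesar_decrypt(ct, key))
    print("usable keys:", key_space())
```

The `key_space` function makes the weakness visible: only 25 keys exist, so the method has historical interest only, in contrast with the 128-bit keys of AES discussed next.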

Private Key Encryption

The Advanced Encryption Standard (AES) is a 128-bit encryption technique that has become a U.S. government standard for private key encryption. The AES algorithm uses a single key known to both the sender and the receiver of the message.

Triple-DES encryption is an enhancement to an older encryption technique called the Data Encryption Standard (DES).


Two forms of triple-DES encryption:
• EEE3 uses three different keys to encrypt the message.
• EDE3 uses one key to encrypt the message, a second key to decode it, and a third key to encrypt it again.

Public key encryption uses two different keys:
• One for encoding messages
• One for decoding them

RSA (Rivest-Shamir-Adleman) is a highly secure public key cryptography method.

A digital signature is electronic authentication that cannot be forged. The sender uses a one-way hashing algorithm to calculate a digest of the text message. The digest is a mathematical value calculated from the text content of the message.

Verifying the sender’s identity requires a digital certificate, which is issued by a trusted third party called a certification authority (CA). A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message.

Public key encryption is central to digital authentication, making public key management an important internal control issue. Public key infrastructure (PKI) constitutes the policies and procedures for administering this activity. Other controls in this area consist of:
• Message sequence numbering inserts a sequence number in each message to prevent attempts to delete, change or duplicate a message.
• Message transaction log records all attempted accesses with user ID, time of access and location.
• Request-response technique sends control messages and responses randomly, making it difficult for an intruder to circumvent.
• Call-back device requires a dial-in user to enter a password and be identified.
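The digital-signature mechanism (hash the text, sign the digest, verify with the public key) and two of the controls just listed (message sequence numbering and the message transaction log) fit together in one exchange. The Python below is an added example, not from the course module or from Hall’s text: it uses textbook RSA over a SHA-256 digest with two small, well-known primes and no padding, so it shows the mechanics only and is not a substitute for a vetted library. The key pair, the message layout and the receiver’s rules are constructed for the example.

```python
# Added example, not part of the course module: a digest-based digital signature (textbook
# RSA over a SHA-256 digest) combined with message sequence numbering and a message
# transaction log on the receiving side. The primes are small, well-known values and there
# is no padding, so this shows the mechanics only; real systems use a vetted library.
import hashlib
import json

# Constructed key pair.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def digest(message):
    """One-way hash of the message text, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_key=PRIVATE_KEY):
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message, signature, public_key=PUBLIC_KEY):
    e, n = public_key
    return pow(signature, e, n) == digest(message)


def canonical(payload):
    """Stable byte encoding so sender and receiver hash exactly the same text."""
    return json.dumps(payload, sort_keys=True).encode()


def make_message(seq, user, text, private_key=PRIVATE_KEY):
    payload = {"seq": seq, "user": user, "text": text}
    return {**payload, "sig": sign(canonical(payload), private_key)}


class Receiver:
    """Checks the signature, then the sequence number, and logs every attempt."""

    def __init__(self, public_key=PUBLIC_KEY):
        self.public_key = public_key
        self.expected_seq = 1
        self.transaction_log = []          # (seq, user, outcome)

    def accept(self, msg):
        body = canonical({k: msg[k] for k in ("seq", "user", "text")})
        if not verify(body, msg["sig"], self.public_key):
            outcome = "REJECT:bad_signature"      # altered or forged message
        elif msg["seq"] < self.expected_seq:
            outcome = "REJECT:duplicate"          # replay of an already-accepted message
        elif msg["seq"] > self.expected_seq:
            outcome = "REJECT:gap"                # something before it was deleted or lost
        else:
            outcome = "ACCEPT"
            self.expected_seq += 1
        self.transaction_log.append((msg["seq"], msg["user"], outcome))
        return outcome


if __name__ == "__main__":
    rx = Receiver()
    m1 = make_message(1, "alice", "pay vendor 100")
    print(rx.accept(m1), rx.accept(m1), rx.accept(make_message(3, "alice", "pay 50")))
    print(rx.transaction_log)
```

The order of the checks matters: because the sequence number is inside the signed text, an intruder who changes either the amount or the number invalidates the signature first, and the transaction log keeps a record of every rejected attempt for the auditor to sample.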


Controlling Risks from Equipment Failure

Line errors are data losses caused by communications noise.

Techniques to detect and correct data errors:
• Echo check - the receiver returns the message to the sender.
• Parity check - an extra bit is added onto each byte of data, similar to check digits.

The audit objective is to verify the integrity of transactions by determining that controls are in place to detect and correct message loss.
Audit procedures include examining a sample of messages for garbled content and verifying that all corrupted messages were retransmitted.
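Both techniques, and the reason the audit procedure looks for garbled content, can be exercised on a constructed message. The Python below is an added example (not from the course module): it frames each byte with an even-parity bit, injects a single-bit line error, and shows which byte position the receiver would flag for retransmission and how an echo check catches the same error end to end. The message and the injected error positions are constructed.

```python
# Added example, not part of the course module: even-parity framing and an echo check
# over a constructed message, with a single-bit line error injected to show what the
# audit procedure (looking for garbled content and confirming retransmission) relies on.

def add_parity(byte, even=True):
    """Return a 9-bit frame: the data byte with its parity bit in bit 8."""
    ones = bin(byte & 0xFF).count("1")
    parity = ones % 2 if even else (ones + 1) % 2   # even parity: make total ones even
    return (parity << 8) | (byte & 0xFF)


def check_parity(frame, even=True):
    """True when the parity bit agrees with the data byte."""
    data, pbit = frame & 0xFF, (frame >> 8) & 1
    ones = bin(data).count("1")
    return pbit == (ones % 2 if even else (ones + 1) % 2)


def encode(message):
    return [add_parity(b) for b in message]


def decode(frames):
    """Return (recovered bytes, positions whose parity failed and need retransmission)."""
    bad = [i for i, f in enumerate(frames) if not check_parity(f)]
    return bytes(f & 0xFF for f in frames), bad


def echo_check(sent, echoed):
    """Echo check: the receiver returns what it got; the sender compares with what it sent."""
    return sent == echoed


def simulate_line(message, flips=()):
    """Transmit `message` as parity frames, flipping (frame index, bit) pairs as line noise."""
    frames = encode(message)
    for index, bit in flips:
        frames[index] ^= 1 << bit
    return frames


if __name__ == "__main__":
    sent = b"TOTAL 100"
    received = simulate_line(sent, flips=[(6, 0)])   # one garbled byte at position 6
    data, bad = decode(received)
    print(data, "garbled positions:", bad, "echo ok:", echo_check(sent, data))
```

One caveat the example makes visible: a parity bit catches any odd number of flipped bits in a byte but misses an even number, so a two-bit error in the same byte passes the parity check and is only caught by the echo check or a stronger checksum; that is why the audit procedure samples message content rather than relying on the parity log alone.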

Auditing Electronic Data Interchange (EDI)

EDI is the intercompany exchange of computer-processible business information in standard format.
The key to EDI success is the use of a standard format for messaging between dissimilar systems.

Communications Links
• Companies may have internal EDI translation/communication software and hardware.
• They may subscribe to VANs (value-added networks) to perform this function without having to invest in personnel, software, and hardware.

Overview of EDI


Benefits of EDI:
• Reduction or elimination of data entry
• Reduction of errors
• Reduction of paper
• Reduction of paper processing and postage
• Reduction of inventories (via JIT systems)

EDI Controls:

Transaction Authorization and Validation

Both the customer and the supplier must establish that the transaction being processed is to (or from) a valid trading partner and is authorized.

Access Control
To guard against unauthorized access, each company must establish valid vendor and customer files. Inquiries against databases can thus be validated, and unauthorized attempts at access can be rejected.

Auditing PC-Based Accounting Systems

PC Systems Risks and Controls

Operating System Weakness

PCs provide only minimal security for the data files and programs contained within them. The data stored on microcomputers that are shared by multiple users are exposed to unauthorized access, manipulation, and destruction. Once a computer criminal gains access to the user’s PC, there may be little or nothing in the way of control to prevent him from stealing or manipulating the data stored on the internal hard drive.

Weak Access Control

Security software that provides logon procedures is available for PCs. Most of these programs, however, become active only when the computer is booted from the hard drive.

Inadequate Segregation of Duties

The exposure is compounded when the operator is also responsible for the development (programming) of the applications that he runs. In small-company operations, it may be difficult to eliminate this inherent conflict of duties.

Multilevel Password Control

Multilevel password control is used to restrict employees who are sharing the same computer to specific directories, programs, and data files. Under this approach, different passwords are used to access different functions.

Self-Help: You can also refer to the source below to help you further understand the lesson:

Chapter 3 of Hall, J. P. Information Technology Auditing, 2015, Cengage Learning Inc.
