UM Digos College

Department of Accounting Education

Roxas Extension, Digos City

Course Outline: CompEd 421 – Auditing in a CIS Environment

Course Facilitator: Charles D. Flores, CPA, CMA

Email: charlesflores@umindanao.edu.ph
Student Consultation: Zoom Meeting or traditional contact
(calls, texts, emails)
Mobile: 0927-1716952
Phone: (082) 2277367
Effectivity Date: August 2020
Mode of Delivery: Online Blended Delivery
Time Frame: 54 Hours
Student Workload: Expected Self-Directed Learning
Requisites: None
Credit: 3
Attendance Requirements: For online sessions: minimum of 90% attendance
For 1-day on-campus/onsite review: 100%
attendance;

Course Outline Policies

Areas of Concern Details

Contact and Non-contact Hours This 3-unit course self-instructional manual is designed
for blended learning mode of instructional delivery, i.e.
online sessions through the LMS and the 2-days on-
campus/onsite face-to-face review and final
examination. The expected number of hours will be 54
including review and examination days. The face to
face sessions shall include the summative assessment
tasks (exams) since this course is crucial in the
licensure examination for accountants.

Assessment Task Submission Submission of assessment tasks shall be on 3rd, 5th,

7th and 9th week of the term. The assessment paper
shall be attached with a cover page indicating the title

ACC 311 *Property of UMDC

Page 1 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

of the assessment task (if the task is performance),

the name of the Course Facilitator, date of submission
and name of the student. The document should be
emailed to the Course Facilitator. It is also expected
that you already paid your tuition and other fees
before the submission of the assessment task.

If the assessment task is done in real time through the

features in Quipper, the schedule shall be arranged
ahead of time by the Course Facilitator

Since this course is included in the licensure

examination, you will be required to take the Multiple-
Choice Question exam during the on- campus/onsite
sessions. This should be scheduled ahead of time by
the Course Facilitator. This is non- negotiable for all
licensure-based programs.

Turnitin Submission To ensure honesty and authenticity, all assessment

(if necessary) tasks are required to be submitted through Turnitin
with a maximum similarity index of 30% allowed. This
means that if your paper goes beyond 30%, the
students will either opt to redo her/his paper or explain
in writing addressed to the Course Facilitator the
reasons for the similarity. In addition, if the paper has
reached more than 30% similarity index, the student
may be called for a disciplinary action in accordance
with the University’s OPM on Intellectual and
Academic Honesty.

Please note that academic dishonesty such as

cheating and commissioning other students or people
to complete the task for you have severe punishments
(reprimand, warning, expulsion).

Penalties for Late Assignments/ The score for an assessment item submitted after the
Assessments designated time on the due date, without an approved
extension of time, will be reduced by 5% of the
possible maximum score for that assessment item for
each day or part day that the assessment item is late.

However, if the late submission of assessment paper

has a valid reason, a letter of explanation should be
submitted and approved by the Course Facilitator. If
necessary, you will also be required to present/attach
evidences.

ACC 311 *Property of UMDC

Page 2 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

Return of Assignments/ Assessment tasks will be returned to you two (2)

Assessments weeks after the submission. This will be returned by
email or via Blackboard portal.

For group assessment tasks, the Course Facilitator

will require some or few of the students for online or
virtual sessions to ask clarificatory questions to
validate the originality of the assessment task
submitted and to ensure that all the group members
are involved
Assignment You should request in writing addressed to the
Resubmission Course Facilitator his/her intention to resubmit an
assessment task. The resubmission is premised on
the student’s failure to comply with the similarity
index and other reasonable grounds such as
academic literacy standards or other reasonable
circumstances e.g. illness, accidents financial
constraints.
Re-marking of You should request in writing addressed to the
Assessment Papers program coordinator your intention to appeal or
and Appeal contest the score given to an assessment task. The
letter should explicitly explain the reasons/points to
contest the grade. The program coordinator shall
communicate with the students on the approval and
disapproval of the request.

If disapproved by the Course Facilitator, you can

elevate your case to the program head or the dean
with the original letter of request. The final decision
will come from the dean of the college.
Grading System All culled from Quipper sessions and traditional
contact
Course discussions/exercises – 30%
1st formative assessment – 10%
2nd formative assessment – 10%
3rd formative assessment – 10%
Final exam – 40%

Submission of the final grades shall follow the usual

University system and procedures.
Preferred Referencing Depends on the discipline; if uncertain or
Style (if the tasks inadequate, use the general practice of the APA
require) 6th Edition.

ACC 311 *Property of UMDC

Page 3 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

Student Students are required to create a umindanao email

Communication account which is a requirement to access the
Quipper portal. Then, the Course Facilitator shall
enroll the students to have access to the materials
and resources of the course. All communication
formats: chat, submission of assessment tasks,
requests etc. shall be through the portal and other
university recognized platforms.

You can also contact your teacher/Course Facilitator

via traditional contact or social media for
communication. For related concerns, the students
can contact the Dean, Program Head, Library, and
Guidance Help Desks.

For students who have not created their

umindanao account and LMS account, please
contact the Course Facilitator or Program Head for
further instructions
Contact Details of the Name, number and email address of GSTC Head and
Dean GSTC Facilitator in the college)

Contact Details of the Name, number and email address of GSTC Head and
Program Head GSTC Facilitator in the college)

Students with Special Students with special needs shall communicate with the
Needs Course Facilitator about the nature of his or her special
needs. Depending on the nature of the need, the Course
Facilitator, with the approval of the Program Head, may
provide alternative assessment tasks or extension of the
deadline of submission of assessment tasks. However,
the alternative assessment tasks should still be in the
service of achieving the desired course learning
outcomes.
Online Tutorial You are required to enroll in a specific tutorial time for
Registration (if this course via the www.cte.edu.ph portal. Please note
available and that there is a deadline for enrollment to the tutorial.
necessary)
Instructional Help Desk (Name, number and email addresses of Dean and
Contact Details College LMS Administrator)

ACC 311 *Property of UMDC

Page 4 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

Library Contact Details (Name, number and email address of LIC Head)

Well-being Welfare (Name, number and email address of GSTC Head and
Support Held Desk GSTC Facilitator in the college)
Contact Details

Course Information – see/download course syllabus in the Quipper LMS

CC’s Voice: Hello future accountants! Welcome to CompEd 421- Auditing in

a CIS Environment. By now, it is expected that you already
understand the basics for Accounting Information System.

CO . As future accountants, it is essential that you understand the

effectiveness and efficiency brought by an Accounting
Information System. Hence, the study of auditing in a CIS
environment will guide you to understand the significance of
reliability and credibility of the system.
.

Let us begin!

Big Picture

Week 1-3: Unit Learning Outcomes (ULO): At the end of the unit, you are expected to
a. Understand the relationship between auditing and internal controls, and
the information technology (IT) governance controls;
b. Explain the process of auditing operating systems and networks;
c. Understand the process of auditing the database systems;

Big Picture in Focus:

ULOa. a. Understand the concepts, characteristics and
functions of negotiable instruments and the
construction thereof;

ACC 311 *Property of UMDC

Page 5 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

Metalanguage

In this section, we will discuss the relationship between auditing and internal
controls. The concept of IT governance controls are also introduced in this section.

Please proceed to the “Essential Knowledge” part for the discussion.

Essential Knowledge

I. Auditing and Internal Control IT

Auditing
• Information technology (IT) developments have had tremendous impact on
auditing.
• Business organizations undergo different types of audits for different
purposes. Most common are (1) external (financial) audits, (2) internal
audits and (3) fraud audits.

External (Financial) Audits

• Independent attestation performed by an expert (i.e., CPA) who expresses
an opinion regarding the fair presentation of financial statements.
• Required by SEC for all public companies.
• Key concept is independence:
o Auditor collects evidence and renders opinion. •
o Basis of public confidence in financial statements. •
• Strict rules must be followed.
o Defined by SEC, IFRS, AICPA and SOX.

Attest Service vs. Advisory Services

• Requirements of attestation services:
o Written assertions and practitioner’s written report.
o Formal establishment of measurement criteria.
o Limited to examination, review, and application of agreed- upon
procedures.
• Advisory services are offered to improve client’s operational effectiveness
and efficiency.

Internal Audits
• Internal auditing is an independent appraisal function to examine and
evaluate activities within, and as a service to, an organization.
• Internal auditors perform a wide variety of activities including financial,
operational, compliance and fraud audits.
ACC 311 *Property of UMDC
Page 6 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

• Auditors may work for the organization or task may be outsourced.

External vs. Internal Auditors

• External auditors represent outsiders while internal auditors represent
organization’s interests.
• Internal auditors often cooperate with and assist external auditors in some
aspects of financial audits.
• External auditors can rely in part on evidence gathered by internal audit
departments that are organizationally independent and report to the board
of directors’ audit committee.

Fraud Audits
• Recent increase in popularity as a corporate governance tool.
• Objective to investigate anomalies and gather evidence of fraud that may
lead to criminal convictions.
• May be initiated by management who suspect employee fraud or the board
of directors who suspect executive fraud.

Role of Audit Committee

• Subcommittee of the board of directors
• Serves as independent “check and balance” for the internal audit function
• SOX mandates that external auditors report to the audit committee: •
Committee hires and fires auditors and resolve disputes.
•
Management assertions and audit objectives:
• Existence or Occurrence; Completeness; Rights and Obligations; Valuation
or Allocation; Presentation and Disclosure.
• Auditors develop audit objectives and design audit procedures based on
these assertions.
• Auditors seek evidential matter that corroborates assertions.
• Auditor must determine whether internal control weaknesses and
misstatements are material.
• Auditors must communicate the results of their tests, including an audit
opinion.

Audit Risk
• Probability that auditor will render unqualified (clean) opinion on financial
statements that are, in fact, materially misstated.
• Inherent risk (IR) is associated with unique characteristics of client’s
business or industry.
• Control risk (CR) is the likelihood the control structure is flawed because
controls are either absent or inadequate to prevent or detect errors.
ACC 311 *Property of UMDC
Page 7 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

• Detection risk (DR) is the risk auditors are willing to take that errors not
detected or prevented by the control structure will not be detected by the
auditor.
• Audit risk components in a model used to determine the scope, nature and
timing of substantive tests:
• Audit risk model: AR = IR x CR x DR
o If acceptable audit risk is 5%, the planned detection risk will depend
upon the control structure.
• The stronger the internal control structure, the lower the control risk and the
less substantive testing the auditor must do.
• Substantive tests are labor intensive and time consuming, which drives up
audit costs and cause disruption.
• Management’s best interests are served by a strong internal control
structure.

The IT Audit
• First step is audit planning which includes the analysis of audit risk.
o Techniques for gathering evidence include questionnaires,
management interviews, reviewing system documentation and
observing activities.
• Objective of tests of controls is to determine if adequate controls are in place
and functioning.
• Third phase focuses on financial data and a detailed investigation of specific
account balances and transactions through substantive tests.
o Files may be extracted using Computer-Assisted-Audit Tools and
Techniques (CAATTs) software. 16

Internal Control
• Management required by law to establish and maintain adequate system of
internal controls.
• Section 404 requires management of public companies to access the
effectiveness of their internal controls in an annual report.

Internal Control System

• Internal control system comprises policies, practices, and procedures to
achieve four broad objectives:
o Safeguard assets of the firm.
o Ensure accuracy and reliability of accounting records and
information.
o Promote efficiency in the firm’s operations.
o Measure compliance with management’s prescribed policies and
procedures.
ACC 311 *Property of UMDC
Page 8 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

The PDC Model

• Preventive controls are passive techniques designed to reduce frequency
of undesirable events occurring.
o More cost effective than detecting and correcting problems after they
occur.
• Detective controls are devices, techniques and procedures to identify and
expose undesirable events that eluded the preventive controls.
• Corrective controls fix the identified problem.

COSO Internal Control Framework

• The control environment is the foundation for the other four control
components and includes:
o Management integrity and ethical values, organizational structure,
board of director participation and management’s philosophy and
operating style.
• A risk assessment must be performed to identify, analyze and manage
financial reporting risks.
• An effective accounting information system will:
o Identify and record all valid financial transactions, provide timely
information and adequately measure and record transactions. 23
• Monitoring is the process by which the quality of internal control design and
operation can be assessed.
• Control activities are policies and procedures to ensure actions to deal with
identified risk.
o Physical controls relate primarily to human activities employed in
accounting systems.
o Information technology controls
Physical Controls
• Transaction authorization is to ensure all processed transactions are valid.
• Segregation of duties is designed to:
o Separate transaction authorization from processing.
o Separate asset custody from recordkeeping.
o Ensure a successful fraud requires collusion between individuals
with incompatible responsibilities.
o Supervision is a compensating control for small organizations that
cannot achieve adequate segregation of duties.
• Accounting records are source documents, journals and ledgers that
provide an audit trail.
o Information needed for day to day operations and essential in the
financial audit process.
• Access controls ensure only authorized personnel have assess to firm’s
assets.
ACC 311 *Property of UMDC
Page 9 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

• Verification procedures are independent checks to identify errors and

misrepresentations in the accounting system.

IT Controls
• Application controls ensure validity, completeness, and accuracy of
financial transactions.
o Includes check digits, batch balancing and payroll limits.
• General controls apply to all systems and include:
o IT governance, IT infrastructure, security and access to operating
systems and databases, application acquisition and development
and program change procedures.
o General controls needed to support functioning of application
controls. Both needed to ensure accurate financial reporting. 28

II. Auditing IT Governance Controls IT

IT Governance
• Subset of corporate governance that focuses on the management and
assessment of strategic IT resources.
• Key objects are to reduce risk and ensure investments in IT resources add
value to the corporation.
• All corporate stakeholders must be active participants in key IT decisions.
• Three IT governance issues addressed by SOX and the COSO internal
control framework:
o Organizational structure of the IT function.
o Computer center operations.
o Disaster recovery planning.

Structure of the Corporate IT Function

• Under the centralized data processing model, all data processing performed
at a central site.
• End users compete for resources based on need.
o Operating costs charged back to end user.
• Primary service areas:
o Database administrator.
o Data processing consisting of data control/data entry, computer
operations and data library.
o System development and maintenance
o Participation in systems development activities include system
professional, end users and stakeholders.

Alternative Organization of Systems Development

ACC 311 *Property of UMDC
Page 10 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

•Two control problems with segregating systems analysis from applications

programming.
• Inadequate documentation a chronic problem.
Segregation of Incompatible IT Functions
• Systems development from computer operations.
• Database administration from other functions.
• New systems development from maintenance.

The Distributed Model

• Distributed Data Processing (DDP) involves reorganizing central IT function
into small IT units that are placed under the control of end users.
• Two alternatives:
o Alternative A: Variant of centralized model with terminals or
microcomputers distributed to end users for handling input and
output.
o Alternative B: Distributes all computer services to the end users
where they operate as stand alone units. 10

Risks Associated with DDP

• Inefficient use of resources
• Destruction of audit trails.
• Inadequate segregation of duties.
• Hiring qualified professionals:
o Risk of programming errors and system failures increase directly with
the level of employee incompetence.
• Lack of standards.
• Implement a corporate IT function

Audit Procedures for the DDP

• Audit procedures in a centralized IT organization
• Audit procedures in a distributed IT organization

The Computer Center

• Physical location
• Construction
• Access

Disaster Recovery Planning

• A disaster recovery plan is a statement of all actions to be taken before,
during and after any type of disaster.
• Four common features:
o Identify critical applications
ACC 311 *Property of UMDC
Page 11 of 12
 UM Digos College
Department of Accounting Education
Roxas Extension, Digos City

o Create a disaster recovery team

o Provide second-site backup

DRP Audit Procedures

• To verify DRP is a realistic solution, the following tests may be performed
o Evaluate adequacy of backup site arrangements.
o Review list of critical applications for completeness.
o Verify copies of critical applications and operating systems are
stored off-site.
o Verify critical data files are backed up in accordance with the DRP.
o Verify that types and quantities of items specified in the DRP exist in
a secure location.
o Verify disaster recovery team members are current employees and
aware of their assigned responsibilities.

Self-Help: You can also refer to the source below to help you further
understand the lesson:

Chapter 1 and 2 of Hall, J. P. Information Technology Auditing, 2015, Cengage

Learning Inc.

-End-

ACC 311 *Property of UMDC

Page 12 of 12