Jonyl Abang - FINAL EXAM IN CIS

This document contains an examination on auditing in computer information systems environments. It discusses key differences between batch processing and real-time systems, challenges in auditing real-time systems, the importance of system documentation for internal controls, access controls that differ between batch and online systems, functions of transaction logs and the difference between transaction and master files. It also identifies risks specific to accounting systems relying heavily on information technology functions such as reliance on software/hardware, reduced audit trails, segregation of duties issues and data security risks.

Uploaded by

Lynoj Abang

JONYL S. ABANG
BSA 3
Auditing in CIS Environment Final Examination

Part 1
1. Differentiate between batch processing systems and real-time processing systems.

In a batch processing system, documents evidencing transactions and events are gathered and processed by groups. The day’s sales invoices, for example, may be converted to machine-readable form and processed the next morning. In a real-time system, transactions are input into the system and processed as they occur. A branch sale, for example, may be input into the system via a terminal at a remote location. The computer checks for product availability, customer authenticity, customer credit approval, and shipping terms; and if all conditions are met, the sale is processed immediately and the sales invoice and shipping order are produced.

2. Why are real-time processing systems ordinarily more difficult to audit than batch processing systems?

In a real-time system, much of the data are stored internally and documentation is often not as extensive as in a batch system. Retrieval and audit of transaction data, therefore, are often more difficult in a real-time system. Also, controls are more likely to be programmed in real-time systems, and for this reason, are more difficult to test.

3. Why is systems and program documentation important to effective internal control?

Inasmuch as computer processing requires increased dependence on the computer systems and software for the accuracy and completeness of processing, documentation assumes major significance relative to effective control. Documentation facilitates reviewing and updating systems and programs as the environment changes; and it also minimizes the probability of unauthorized system and program changes which could result in loss of control and decreased reliability of financial data.

4. How does access control differ between batch systems and on-line systems?

In a batch system, files are stored off-line for the most part, and access control assumes the form of safeguarding the programs, transaction files, and master files by assigning responsibility for the files to a librarian and instituting a formal checkout system. Only those persons authorized to process transactions (computer operators) are permitted access to transaction and master files; and programmers are permitted access to programs only for testing and “debugging” purposes. In an on-line, real-time system, transactions and master files are stored internally, often in a system of integrated data bases. Access control in this type of data environment assumes the form of controlling access to data bases and fixing of responsibility for the data base components. Assigning a password to an individual who is responsible for the data base component accessible by that password, canceling passwords of former employees, and frequent changing of existing employees’ passwords are examples of access controls in a real-time system.

5. What function does a recording form or transaction log serve? What information should be included?

Recording forms and transaction logs assure consistency and completeness of data inputs. The form or log should include codes describing such transaction components as employee number, customer number, vendor number, department number, stock number, purchased part number, or job number. The form should also provide for quantities, prices, dates, and usually a short narrative description of products, parts, materials, or services for purchase and sales transactions.

6. What is a transaction file? A master file?

A transaction file is the batch of entered data that has been converted into machine-readable form. A transaction file may contain payroll information for a specific period of time. It is similar to a journal in a manually prepared system. A master file contains updated information through a particular time period. It is similar to a ledger in a manual system.

7. Why do small businesses use computers? What types of systems would you expect to find in a small business?

Small businesses have found that microcomputers or personal computer systems are cost effective for processing accounting data. In small businesses, one would expect to find microcomputers (or personal computers) using commercially available software.

8. What major differences would you expect to find in a client’s organization structure and transaction processing when the client converts from a manual to a computerized system?

In the computerized system, documents to support a transaction may not be maintained in readable form, requiring associated performance of controls. However, the computerized system will enable processing of transactions to be done more consistently, duties to be consolidated, and reports to be generated more easily.

9. Explain how internal controls can be enhanced through the proper installation of IT.

The proper installation of IT can lead to internal control enhancements by replacing manually performed controls with computer-performed controls. IT-based accounting systems have the ability to handle tremendous volumes of complex business transactions cost effectively. Computer-performed controls can reduce the potential for human error by replacing manual controls with programmed controls that apply checks and balances to each transaction processed. The systematic nature of IT offers greater potential to reduce the risk of material misstatements resulting from random, human errors in processing. The use of IT-based accounting systems also offers the potential for improved management decisions by providing more and higher quality information on a timelier basis than traditional manual systems. IT-based systems are usually administered effectively because the complexity requires effective organization, procedures, and documentation. That in turn enhances internal control.

10. Identify the risks for accounting systems that rely heavily on IT functions.

When entities rely heavily on IT systems to process financial information, there are new risks specific to IT environments that must be considered. Key risks include the following:
• Reliance on the functioning capabilities of hardware and software. The risk of system crashes due to hardware or software failures must be evaluated when entities rely on IT to produce financial statement information.
• Visibility of audit trail. The use of IT often converts the traditional paper trail to an electronic audit trail, eliminating source documents and paper-based journals and records.
• Reduced human involvement. The replacement of traditional manual processes with computer-performed processes reduces opportunities for employees to recognize misstatements resulting from transactions that might have appeared unusual to experienced employees.
• Systematic versus random errors. Due to the uniformity of processing performed by IT-based systems, errors in computer software can result in incorrect processing for all transactions processed. This increases the risk of many significant misstatements.
• Unauthorized access. The centralized storage of key records and files in electronic form increases the potential for unauthorized on-line access from remote locations.
• Loss of data. The centralized storage of data in electronic form increases the risk of data loss in the event the data file is altered or destroyed.
• Reduced segregation of duties. The installation of IT-based accounting systems centralizes many of the traditionally segregated manual tasks into one IT function.
• Lack of traditional authorization. IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals.
• Need for IT experience. As companies rely to a greater extent on IT-based systems, the need for personnel trained in IT systems increases in order to install, maintain, and use systems.

11. Distinguish between general controls and application controls and give two examples for each.

General controls relate to all aspects of the IT function. They have a global impact on all software applications. Examples of general controls include controls related to the administration of the IT function; software acquisition and maintenance; physical and on-line security over access to hardware, software, and related backup; back-up planning in the event of unexpected emergencies; and hardware controls. Application controls apply to the processing of individual transactions. An example of an application control is a programmed control that verifies that all timecards submitted are for valid employee ID numbers included in the employee master file.

12. Which duties should be segregated within the computer department?

The most significant separation of duties unique to computer systems is among those performed by the systems analyst, programmer, computer operator, and data base administrator. The idea is that anyone who designs a processing system should not also do the technical work, and anyone who performs either of these tasks should not also be the computer operator when real data is processed.

13. Describe the typical duties of computer personnel.

Typical duties of personnel:

a. Systems analysis: Personnel will design and direct the development of new applications.
b. Programming: Other personnel will actually do the programming dictated by the system design.
c. Operating: Other people will operate the computer during processing runs, so that programmers and analysts cannot interfere with the programs designed and executed, even if they produce errors.
d. Converting data: Since this is the place where misstatements and errors can be made – the interface between the hardcopy data and the machine-readable transformation, people unconnected with the computer system itself do the data conversion.
e. Library-keeping: Persons need to control others’ access to system and program software so it will be used by authorized personnel for authorized purposes.
f. Controlling: Errors always occur, and people not otherwise connected with the computer system should be the ones to compare input control information with output information, provide for correction of errors not involving system failures, and distribute output to the people authorized to receive it.

14. What aspects of documentation, file security, and retention control procedures are unique to computer systems?

Documentation differs significantly as to inclusion of program flowcharts, program listings, and technical operating instructions. File security and retention differ because of the relatively delicate form of the magnetic media requiring fireproof vault storage, insulation from other magnetic fields, safeguards from accidental writing on data files, and so forth.

15. Describe the purposes of computer system documentation. Why should the auditor review the computer system documentation?

Auditors review documentation to gain an understanding of the system and to determine whether the documentation itself is adequate for helping manage and control the computer processing.

16. What are the responsibilities of the database administration (DBA) function?

Responsibilities of the database administrator (DBA) function are:
• Design the content and organization of the database, including logical data relationships, physical storage strategy and access strategy.
• Protect the database and its software, including control over access to and use of the data and DBMS and provisions for backup and recovery in the case of errors or destruction of the database.
• Monitor the performance of the DBMS and improve efficiency.
• Communicate with the database users, arbitrate disputes over data ownership and usage, educate users about the DBMS and consult users when problems arise.
• Provide standards for data definition and usage and documentation of the database and its software.

17. List the five things a person must have access to in order to commit a computer fraud.

Five things a person must have access to in order to facilitate computer fraud are:
a. The computer itself.
b. Data files.
c. Computer programs.
d. System information (documentation).
e. Time and opportunity to convert assets to personal use.

18. Compare the risks associated with network environment to those associated with centralized IT functions.

Because many companies that operate in a network environment decentralize their network servers across the organization, there is an increased risk for a lack of security and lack of overall management of the network operations. The decentralization may lead to a lack of standardized equipment and procedures. In many instances responsibility for purchasing equipment and software, maintenance, administration, and physical security, often resides with key user groups rather than with features, including segregation of duties, typically available in traditionally centralized environments because of the ready access to software and data by multiple users.

19. In addition to the planning items considered in a manual accounting system, what additional matters should be considered when computer processing is involved?

Additional planning items that should be considered when computer processing is involved are:
• The extent to which the computer is used in each significant accounting application.
• The complexity of the computer operations used by the entity, including the use of an outside service center.
• The organizational structure of the computer processing activities.
• The availability of data.
• The computer-assisted audit techniques to increase the efficiency of audit procedures.
• The need for specialized skills.

20. Describe how the understanding of the control environment (the organizational structure, methods used to communicate responsibility and authority, and methods used to supervise the system) is affected when a computer is used in data processing.

Understanding the control environment is a part of the preliminary phase of control risk assessment. Computer use in data processing affects this understanding in each of the parts of the control environment as follows:

The organizational structure – should include an understanding of the organization of the computer function. Auditors should obtain and evaluate: (a) a description of the computer resources and (b) a description of the organizational structure of computer operations.

Methods used to communicate responsibility and authority should include the methods related to computer processing. Auditors should obtain information about the existence of: (a) accounting and other policy manuals including computer operations and user manuals and (b) formal job descriptions for computer department personnel. Further, auditors should gain an understanding of: (a) how the client’s computer resources are managed, (b) how priorities for resources are determined and (c) if user departments have a clear understanding of how they are to comply with computer related standards and procedures.

Methods used by management to supervise the system should include procedures management uses to supervise the computer operations. Items that are of interest to the auditors include: (a) the existence of systems design and documentation standards and the extent to which they are used, (b) the existence and quality of procedures for systems and program modification, systems acceptance approval and output modification, (c) the procedures limiting access to authorized information, (d) the availability of financial and other reports and (e) the existence of an internal audit function.

21. Define an audit trail. How might a computer system audit trail differ from one in a manual system?

The “audit trail” is the source documents, journal postings and ledger account postings maintained by a client in order to keep books. These are a “trail” of the bookkeeping (transaction data processing) that the auditor can follow forward with a tracing procedure or backward with a vouching procedure. In a manual system this “trail” is usually visible to the eye with posting references in the journal and ledger and hard-copy documents in files. But in a computer system, the posting references may not exist, and the “records must be read using the computer rather than the naked eye.” Most systems still have hard-copy papers for basic documentation, but in some advanced systems even these might be absent.

22. How is the audit trail changed in advanced computer systems?

The audit trail (sometimes called “management trail” as it is used more in daily operations than by auditors) is composed of all manual and computer records that allow one to follow the sequence of processing on (or because of) a transaction.

The audit trail in advanced systems may not be in a human-readable form and may exist for only a fraction of a second. The first control implication is that concern for an audit trail needs to be recognized at the time a system is designed. Techniques such as integrated test facility, audit files and extended records must be specified to the systems designer. The second control implication is that if the audit trail exists only momentarily in the form of transaction logs or master records before destructive update, the external auditor must review and evaluate the transaction flow at various times throughout the processing period. Alternatively, the external auditor can rely more extensively on the internal auditor to monitor the audit trail.

23. What are the major characteristics and control problems in micro-minicomputer installations?

Major characteristics:
1. Staff and location of the computer – operated by small staff located within the user department and without physical security.
2. Programs – supplied by computer manufacturers or software houses.
3. Processing mode – interactive data entry by users with most of the master file accessible for inquiry and direct update.

Control problems:
1. Lack of segregation of duties.
2. Lack of controls on the operating system and application programs.
3. Unlimited access to data files and programs.
4. No record of usage.
5. No backup of essential files.
6. No audit trail of processing.
7. No authorization or record of program changes.

24. What is the difference between auditing “through the computer” and auditing “with the computer”?

Auditing through the computer refers to making use of the computer itself to test the operative effectiveness of application controls in the program actually used to process accounting data. Thus, the term refers only to the proper study and evaluation of internal control. Auditing with the computer refers both to the study of internal control (the same as “auditing through”) and to the use of the computer to perform audit tasks.

25. What is the difference between the computerized test of controls audit procedures of test data and parallel simulation?

Both are audit procedures that use the computer to test controls that are included in a computer program. The basic difference is that the test data procedure utilizes the client’s program with auditor-created transactions, while parallel simulation utilizes an auditor-created program with actual client transactions. In the test data procedure, the results from the client program are compared to the auditor’s predetermined results to determine whether the controls work as described. In the parallel simulation procedures, the results from the auditor program are compared to the results from the client program to determine whether the controls work as described.
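
The two procedures compared above, run against a small payroll program whose programmed control rejects timecards for employee IDs not in the master file. This is an added example, not part of the original exam; every function name, the master file, the fallback rate and the timecards are constructed for illustration.

```python
"""Test data vs. parallel simulation on a constructed payroll run."""
from decimal import Decimal

# Constructed employee master file: employee ID -> hourly rate.
EMPLOYEE_MASTER = {"E100": Decimal("20.00"), "E200": Decimal("31.50")}


def client_payroll(timecards, master, default_rate=None):
    """Hypothetical stand-in for the client's production program.

    Programmed control: a timecard is paid only when its employee ID is in
    the master file. A non-None default_rate models a defective version
    that pays unknown IDs at a fallback rate instead of rejecting them.
    """
    paid, rejected = {}, []
    for card_no, emp_id, hours in timecards:
        rate = master.get(emp_id, default_rate)
        if rate is None:
            rejected.append(card_no)
        else:
            paid[card_no] = rate * hours
    return paid, rejected


def defective_client_payroll(timecards, master):
    """The same program with the employee ID control silently bypassed."""
    return client_payroll(timecards, master, default_rate=Decimal("15.00"))


def auditor_payroll(timecards, master):
    """Auditor-written program, used only for parallel simulation."""
    paid, rejected = {}, []
    for card_no, emp_id, hours in timecards:
        if emp_id in master:
            paid[card_no] = master[emp_id] * hours
        else:
            rejected.append(card_no)
    return paid, rejected


def outcomes(result):
    """Flatten (paid, rejected) into {card number: amount or 'REJECTED'}."""
    paid, rejected = result
    table = dict(paid)
    table.update({card_no: "REJECTED" for card_no in rejected})
    return table


def differences(expected, actual):
    """Return (card, expected, actual) tuples where the outcomes differ."""
    cards = sorted(expected.keys() | actual.keys())
    return [(c, expected.get(c), actual.get(c))
            for c in cards if expected.get(c) != actual.get(c)]


def run_test_data(client_program, master):
    """Auditor-created transactions through the client's program, compared
    with the auditor's predetermined results."""
    test_cards = [("T1", "E100", Decimal("8")),   # valid ID
                  ("T2", "E999", Decimal("8")),   # ID not in master file
                  ("T3", "", Decimal("8"))]       # blank ID
    predetermined = {"T1": Decimal("160.00"),
                     "T2": "REJECTED", "T3": "REJECTED"}
    actual = outcomes(client_program(test_cards, master))
    return differences(predetermined, actual)


def run_parallel_simulation(client_program, client_cards, master):
    """Actual client transactions through both programs, results compared."""
    auditor_view = outcomes(auditor_payroll(client_cards, master))
    client_view = outcomes(client_program(client_cards, master))
    return differences(auditor_view, client_view)


# Constructed "actual" client timecards for two pay periods.
PERIOD_1 = [("C1", "E100", Decimal("40")), ("C2", "E200", Decimal("38"))]
PERIOD_2 = PERIOD_1 + [("C3", "E300", Decimal("40"))]  # E300 not in master

if __name__ == "__main__":
    for name, program in [("working", client_payroll),
                          ("defective", defective_client_payroll)]:
        print(name, "test data:", run_test_data(program, EMPLOYEE_MASTER))
        print(name, "parallel, period 1:",
              run_parallel_simulation(program, PERIOD_1, EMPLOYEE_MASTER))
        print(name, "parallel, period 2:",
              run_parallel_simulation(program, PERIOD_2, EMPLOYEE_MASTER))
```

Against the defective program, parallel simulation over PERIOD_1 reports no exceptions because no actual timecard carries an unknown ID, while the auditor-designed test data exercises that condition regardless of what the client happened to process.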

26. What is the difference between the test data technique and the integrated test facility technique?

The test data technique utilizes simulated transactions created by the auditor, processed by actual programs but at a time completely separate from the processing of actual, live transactions. The integrated test facility technique is an extension of the test data technique, but the simulated transactions are intermingled with the real transactions and run on the actual programs processing actual data.

27. Evaluate the following statement made by a client’s data processing manager: “Who cares if we use identification numbers and passwords to access the inventory database and the update programs as long as the computer maintains a transaction log?”

User identification numbers and passwords prevent unauthorized access to accounting records and application programs. The transaction log does not prevent unauthorized access but may be reviewed to detect unauthorized access. Even then, responsibility could not be traced to a particular individual without user identification numbers and passwords. The transaction log is more important to establish the audit trail than to detect unauthorized access.

28. What is generalized audit software?

Generalized audit software is a set of preprogrammed editing, operating, and output routines that can be called into use with a simple, limited set of programming instructions by an auditor who has one or two weeks of intensive training.

29. What are the phases of developing an application using generalized audit software? What are the noncomputer auditor’s responsibilities in each phase?

Phases – Noncomputer auditor involvement

1. Define the audit objective – Primary responsibility
2. Feasibility – Evaluate alternatives
3. Planning – Review with computer auditor
4. Application design – None
5. Coding – None
6. Testing – Review final test results, compare to plan
7. Processing – Actual computer processing: none; use of results: depends on application
8. Evaluation – Full responsibility

30. Describe automated workpaper software that can be used with microcomputers.

Automated microcomputer work paper software generally consists of trial balance and adjustment worksheets, working paper (lead schedule) forms, easy facilities for adjusting journal entries, and electronic spreadsheets for various analyses.

31. How could microcomputer spreadsheet packages be used to generate supporting workpapers such as a bank reconciliation that could be used on more than one audit?

A microcomputerized electronic spreadsheet can be used instead of paper and pencil to create the form of a bank reconciliation, with space provided for text lists of outstanding items (using the label input capability), and math formulas inserted for accurate arithmetic in the reconciliation. Printing such a reconciliation is easy (and much prettier than most accountants’ handwriting!).

32. Explain how internal controls can be enhanced through the proper installation of IT.

With either data base or spreadsheet software packages, macros (sets of instructions) can be developed for retrieving data from the working trial balance and converting this data into classified financial statements. If one or more subsidiaries are to be included, the consolidated process can also be automated by the inclusion of special modules designed for that purpose. The standard audit report, as well as recurring footnotes, can be included in the data base, and modified to fit the circumstances of the current year’s audit results.

33. Identify the risks for accounting systems that rely heavily on IT functions.

Relational data base packages have all the advantages of spreadsheets, and, in addition, have the capacity to store and handle larger quantities of data. They are especially useful in manipulating large data bases, such as customer accounts receivable, plant assets, and inventories.

34. Distinguish between general controls and application controls and give two examples for each.

A general control affects the operation of the whole computer system whereas an application control only affects one application. Accounting applications are combinations of accounts and processes that are linked together. For example, the Sales/Customers application would involve the accounts of sales, debtors, sales returns and cash receipts as well as their associated documents, procedures and controls.

35. Which duties should be segregated within the computer department?

That is, those responsible for duties such as data entry, support, managing the IT infrastructure and other computer operations should be segregated from those developing, writing and maintaining the programs.

36. Describe the typical duties of computer personnel.

Typical duties of personnel:

a. Systems analysis: Personnel will design and direct the development of new applications.
b. Programming: Other personnel will actually do the programming dictated by the system design.
c. Operating: Other people will operate the computer during processing runs, so that programmers and analysts cannot interfere with the programs designed and executed, even if they produce errors.
d. Converting data: Since this is the place where misstatements and errors can be made – the interface between the hardcopy data and the machine-readable transformation, people unconnected with the computer system itself do the data conversion.
e. Library-keeping: Persons need to control others’ access to system and program software so it will be used by authorized personnel for authorized purposes.
f. Controlling: Errors always occur, and people not otherwise connected with the computer system should be the ones to compare input control information with output information, provide for correction of errors not involving system failures, and distribute output to the people authorized to receive it.

37. What aspects of documentation, file security, and retention control procedures are unique to computer systems?

Documentation differs significantly as to inclusion of program flowcharts, program listings, and technical operating instructions. File security and retention differ because of the relatively delicate form of the magnetic media requiring fireproof vault storage, insulation from other magnetic fields, safeguards from accidental writing on data files, and so forth.

38. Describe the purposes of computer system documentation. Why should the auditor review the computer system documentation?

Auditors review documentation to gain an understanding of the system and to determine whether the documentation itself is adequate for helping manage and control the computer processing.

39. What are the responsibilities of the database administration (DBA) function?

Responsibilities of the database administrator (DBA) function are:
• Design the content and organization of the database, including logical data relationships, physical storage strategy and access strategy.
• Protect the database and its software, including control over access to and use of the data and DBMS and provisions for backup and recovery in the case of errors or destruction of the database.
• Monitor the performance of the DBMS and improve efficiency.
• Communicate with the database users, arbitrate disputes over data ownership and usage, educate users about the DBMS and consult users when problems arise.
• Provide standards for data definition and usage and documentation of the database and its software.

40. List the five things a person must have access to in order to commit a computer fraud.

Five things a person must have access to in order to facilitate computer fraud are:
a. The computer itself.
b. Data files.
c. Computer programs.
d. System information (documentation).
e. Time and opportunity to convert assets to personal use.

41. Compare the risks associated with network environment to those associated with centralized IT functions.

Because many companies that operate in a network environment decentralize their network servers across the organization, there is an increased risk for a lack of security and lack of overall management of the network operations. The decentralization may lead to a lack of standardized equipment and procedures. In many instances responsibility for purchasing equipment and software, maintenance, administration, and physical security, often resides with key user groups rather than with features, including segregation of duties, typically available in traditionally centralized environments because of the ready access to software and data by multiple users.

PART 2 MULTIPLE CHOICE

1. C
2. A
3. D
4. B
5. D
6. D
7. B
8. B
9. C
10. C
11. C
12. A
13. A
14. A
15. C
16. C
17. C
18. B
19. C
20. C
21. C
22. C
23. A, D
24. A
25. A
26. A
27. C
28. D
29. B
30. D
31. D
32. B
33. A
34. A
35. C
36. C
37. A
38. A
39. C
40. C

PART 3 CASE

The Love Corporation uses an IBM mainframe computer system with peripheral optical reader and high-speed laser printer equipment. Transaction information is initially recorded on paper documents (e.g., sales invoices) and then read by optical equipment that produces a magnetic disk containing the data. These data file disks are processed by a computer program, and printed listings, journals and general ledger balances are produced on the high-speed printer equipment.

Explain how the audit standard requiring “adequate technical training and proficiency” is complied with in the audit of Love Corporation’s financial statements.

ANSWER:

The audit should be undertaken by a competent professional in accordance with general standard one; the auditor's knowledge of the accounting process should be thorough; without knowledge, calculating the Risk of Material Misstatement (ROMM) is difficult; there is a high probability of accidentally recognizing an Audit Procedure (AP) level (in the absence of skill); the stated audit opinion cannot be relied upon (if the auditor is incompetent). A competent auditor would have determined (as indicated in the document) that a risk of human error existed and then scanned. Additionally, since transactions are handled organically, there is a chance of technological errors. As a consequence, the auditor should be familiar with the improved program's technical specifications.
