
Finals Cis

The document is a review guide for auditors in a Computer Information Systems (CIS) environment, covering key concepts such as the impact of CIS on audits, risks associated with computer processing, and internal control measures. It includes multiple-choice questions and statements regarding auditing practices, the characteristics of personal computers, and the importance of controls in a CIS environment. The guide emphasizes the need for auditors to understand the complexities and risks related to computerized systems to ensure effective auditing and internal controls.

Uploaded by

jianbelen54
REVIEWER IN AUDIT IN CIS

PSA 401 (MULTIPLE CHOICE)

1. Which statement is incorrect when auditing in a CIS environment?
a) A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.
b) The auditor should consider how a CIS environment affects the audit.
c) The use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.
d) A CIS environment changes the overall objective and scope of an audit.

2. Which of the following standards or group of standards is mostly affected by a computerized information system environment?
a) General standards
b) Second standard of field work
c) Reporting standards
d) Standards of fieldwork

3. Which of the following is least considered if the auditor has to determine whether specialized CIS skills are needed in an audit?
a) The auditor needs to obtain a sufficient understanding of the accounting and internal control system affected by the CIS environment.
b) The auditor needs to determine the effect of the CIS environment on the assessment of overall risk and of risk at the account balance and class of transactions level.
c) Design and perform appropriate tests of controls and substantive procedures.
d) The need of the auditor to make analytical procedures during the completion stage of audit.

4. It relates to materiality of the financial statement assertions affected by the computer processing.
a) Threshold
b) Relevance
c) Complexity
d) Significance

5. Which of the following least likely indicates a complexity of computer processing?
a) Transactions are exchanged electronically with other organizations without manual review of their propriety.
b) The volume of the transactions is such that users would find it difficult to identify and correct errors in processing.
c) The computer automatically generates material transactions or entries directly to another application.
d) The system generates a daily exception report.

6. The nature of the risks and the internal characteristics in CIS environment that the auditors are mostly concerned include the following except:
a) Lack of segregation of functions
b) Dependence of other control over computer processing.
c) Lack of transaction trails.
d) Cost-benefit ratio.

7. Which of the following is least likely a risk characteristic associated with CIS environment?
a) Errors embedded in an application’s program logic may be difficult to manually detect on a timely basis.
b) Many control procedures that would ordinarily be performed by separate individuals in manual system may be concentrated in CIS.
c) The potential unauthorized access to data or to alter them without visible evidence may be greater.
d) Initiation of changes in the master file is exclusively handled by respective users.

8. Which of the following significance and complexity of the CIS activities should an auditor least understand?
a) The organizational structure of the client’s CIS activities.
b) Lack of transaction trails.
c) The significance and complexity of computer processing in each significant accounting application.
d) The use of software packages instead of customized software.

9. Which statement is correct regarding personal computer systems?
a) Personal computers or PCs are economical yet powerful self-contained general purpose computers consisting typically of a central processing unit (CPU), memory, monitor, disk drives, printer cables and modems.
b) Programs and data are stored only on non-removable storage media.
c) Personal computers cannot be used to process accounting transactions and produce reports that are essential to the preparation of financial statements.
d) Generally, CIS environments in which personal computers are used are the same with other CIS environments.

10. A personal computer can be used in various configurations, including
a) A stand-alone workstation operated by a single user or a number of users at different times.
b) A workstation which is part of a local area network of personal computers.
c) A workstation connected to a server.
d) All of the above.

11. Which statement is incorrect regarding personal computer configurations?
a) The stand-alone workstation can be operated by a single user or a number of users at different times accessing the same or different programs.
b) A stand-alone workstation may be referred to as a distributed system.
c) A local area network is an arrangement where two or more personal computers are linked together through the use of special software and communication lines.
d) Personal computers can be linked to servers and used as part of such systems, for example, as an intelligent on-line workstation or as part of a distributed accounting system.

12. Which of the following is the least likely characteristic of personal computers?
a) They are small enough to be transportable.
b) They are relatively expensive.
c) They can be placed in operation quickly.
d) The operating system software is less comprehensive than that found in larger computer environments.

13. Which of the following is an inherent characteristic of software package?
a) They are typically used without modifications of the programs.
b) The programs are tailor-made according to the specific needs of the user.
c) They are developed by software manufacturer according to a particular user’s specifications.
d) It takes a longer time of implementation.

14. Which of the following is not normally a removable storage media?
a) Compact disk
b) Diskettes
c) Tapes
d) Hard disk

15. It is a computer program (a block of executable code) that attaches itself to a legitimate program or data file and uses it as a transport mechanism to reproduce itself without the knowledge of the user.
a) Virus
b) Utility program
c) System management program
d) Encryption

16. Which statement is incorrect regarding internal control in personal computer environment?
a) Generally, the CIS environment in which personal computers are used is less structured than a centrally-controlled CIS environment.
b) Controls over the system development process and operations may not be viewed by the developer, the user or management as being as important or cost-effective.
c) In almost all commercially available operating systems, the built-in security provided has gradually increased over the years.
d) In a typical personal computer environment, the distinction between general CIS controls and CIS application controls is easily ascertained.

17. Personal computers are susceptible to theft, physical damage, unauthorized access or misuse of equipment. Which of the following is least likely a physical security to restrict access to personal computers when not in use?
a) Using door locks or other security protection during non-business hours.
b) Fastening the personal computer to a table using security cables.
c) Locking the personal computer in a protective cabinet or shell.
d) Using anti-virus software programs.

18. Which of the following is not likely a control over removable storage media to prevent misplacement, alteration without authorization or destruction?
a) Using cryptography, which is the process of transforming programs and information into an unintelligible form.
b) Placing responsibility for such media under personnel whose responsibilities include duties of software custodians or librarians.
c) Using a program and data file check-in and check-out system and locking the designated storage locations.
d) Keeping current copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof container, either on-site, off-site or both.

19. Which of the following least likely protects critical and sensitive information from unauthorized access in a personal computer environment?
a) Using secret file names and hiding the files.
b) Keeping of back up copies offsite.
c) Employing passwords.
d) Segregating data into files organized under separate file directories.

20. It refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction.
a) Back-up
b) Encryption
c) Anti-virus
d) Wide Area Network (WAN)

21. The effect of personal computers on the accounting system and the associated risks will least likely depend on
a) The extent to which the personal computer is being used to process accounting applications.
b) The type and significance of financial transactions being processed.
c) The nature of files and programs utilized in the applications.
d) The cost of personal computers.

22. The auditor may often assume that control risk is high in personal computer systems since it may not be practicable or cost-effective for management to implement sufficient controls to reduce the risks of undetected errors to a minimum level. This least likely entails
a) More physical examination and confirmation of assets.
b) More analytical procedures than tests of details.
c) Larger sample sizes.
d) Greater use of computer-assisted audit techniques, where appropriate.

23. Computer systems that enable users to access data and programs directly through workstations are referred to as
a) On-line computer systems
b) Database management systems (DBMS)
c) Personal computer systems
d) Database systems

24. On-line systems allow users to initiate various functions directly. Such functions include:
I. Entering transactions
II. Making inquiries
III. Requesting reports
IV. Updating master files
a) I, II, III and IV
b) I, II and III
c) I and II
d) I and IV

25. Many different types of workstations may be used in on-line computer systems. The functions performed by these workstations least likely depend on their
a) Logic
b) Transmission
c) Storage
d) Cost

26. Types of workstations include General Purpose Terminals and Special Purpose Terminals. Special Purpose Terminals include
a) Basic keyboard and monitor
b) Intelligent terminal
c) Point of sale devices
d) Personal computers

27. Special Purpose Terminal used to initiate, validate, record, transmit and complete various banking transactions
a) Automated teller machines
b) Point of sale devices
c) Intelligent terminal
d) Personal computers

28. Which statement is incorrect regarding workstations?
a) Workstations may be located either locally or at remote sites.
b) Local workstations are connected directly to the computer through cables.
c) Remote workstations require the use of telecommunications to link them to the computer.
d) Workstations cannot be used by many users, for different purposes, in different locations, all at the same time.

29. On-line computer systems may be classified according to
a) How information is entered into the system.
b) How it is processed.
c) When the results are available to the user.
d) All of the above.

30. In an on-line/real time processing system
a) Individual transactions are entered at workstations, validated and used to update related computer files immediately.
b) Individual transactions are entered at a workstation, subjected to certain validation checks and added to a transaction file that contains other transactions entered during the period.
c) Individual transactions immediately update a memo file containing information which has been extracted from the most recent version of the master file.
d) The master files are updated by other systems.

TEST 2: MATCHING TYPE

Characteristics of Computer Information Systems (CIS)

Computer Information systems have essential characteristics that distinguish them from manual processing systems

• Lack of visible transaction trails
In a manual system, it is normally possible to follow a transaction through the system by examining source documents, the entity’s records, and financial reports. In a CIS environment, data can be entered directly into the computer system without supporting documents. Furthermore, records and files may not be printed and cannot be read without using the computer. The absence of these visible documents, supporting the processing of transactions, makes the examination of evidence more difficult.

• Consistency of Performance
CIS performs functions exactly as programmed. If the computer is programmed to perform a specific data processing task, it will never get tired of performing the assigned task in exactly the same manner. Because of this capability of the computer to process transactions uniformly, clerical errors that are normally associated with manual processing are eliminated. On the other hand, an incorrect program could be very devastating because it will result in consistently erroneous data processing.

• Ease of access to Data and Computer Programs
In a CIS environment, data and computer programs may be accessed and altered by unauthorized persons leaving no visible evidence. It is important, therefore, that appropriate controls are incorporated into the
system to limit the access to data files and programs only to authorized personnel.

• Concentration of duties
Proper segregation of duties is an essential characteristic of a sound internal control system. However, because of the ability of the computer to process data efficiently, there are functions that are normally segregated in manual processing that are combined in a CIS environment.

• Systems generated transactions
Certain transactions may be initiated by the CIS itself without the need for an input document. For example, interest may be calculated and charged automatically to customers’ account balances on the basis of pre-authorized terms contained in a computer program.

• Vulnerability of data and program storage media
In a manual system, the records are written in ink on substantial paper. The only way to lose the information is to lose or to destroy the physical records. The situation is completely different in a CIS environment. The information on the computer can be easily changed, leaving no trace of the original content. This change could happen inadvertently and huge amounts of information can be quickly lost.

• Internal Control in a CIS Environment
Many of the control procedures used in manual processing also apply in a CIS environment. Examples of such control procedures include authorization of transactions, proper segregation of duties, and independent checking. The elements of internal control are the same; the computer just changes the methods by which these elements are implemented.

A variety of controls are performed to check accuracy, completeness, and authorization of transactions. When computer processing is used in significant accounting applications, internal control procedures can be classified into two types: general and application controls.

Position - Primary Responsibilities
CIS Director - Exercises control over the CIS operation
Systems Analyst - Designs new systems, evaluates and improves existing systems, and prepares specifications for programmers
Programmer - Guided by the specifications of the systems analyst, the programmer writes a program, tests and debugs such programs, and prepares the computer operating instructions
Computer Operator - Using the program and detailed operating instructions prepared by the programmer, computer operator operates the computer to process transactions.
Data entry Operator - Prepares and verifies input data for processing
Librarian - Maintains custody of systems documentation, programs and files.
Control Group - Reviews all input procedures, monitors computer processing, follows up data processing errors, reviews the reasonableness of output, and distributes output to authorized personnel.

General Controls - are those policies and procedures that relate to the overall computer information system. These controls include:

1. Organizational controls
Just as in a manual system, there should be a written plan of the organization, with clear assignment of authority and responsibility. In a CIS environment, the plan of an organization for an entity’s computer system should include segregation between the user and CIS department, and segregation of duties within the CIS department.

2. Systems development and documentation controls
Software development as well as changes thereof must be approved by the appropriate level of management and the user department. To ensure that computer programs are functioning as designed, the program must be tested and modified, if needed, by the user and CIS department.

3. Access Controls
Every computer system should have adequate security controls to protect equipment, files, and programs. Access to the
computer should be limited only to operators and other authorized employees. Additionally, appropriate controls, such as the use of passwords, must be adopted in order to limit access to data files and programs only to authorized personnel.

4. Data recovery controls
One of the characteristics of the CIS is the vulnerability of files and programs. Computer files can be easily lost and the loss of these files can be disastrous to an entity. The survival of an entity affected by such disaster depends on its ability to recover the files on a timely basis.
A data recovery control provides for the maintenance of the back-up files and off-site storage procedures. Computer files should be copied daily to tape or disks and secured off-site. In the event of disruption, reconstruction of files is achieved by updating the most recent back-up with subsequent transaction data. When magnetic tapes are used, a common file practice called the grandfather, father, son practice requires an entity to keep the two most recent generations of master files and transaction files, in order to permit reconstruction of master files if needed.

5. Monitoring Controls
Monitoring controls are designed to ensure that CIS controls are working effectively as planned. These include periodic evaluation of the adequacy and effectiveness of the overall CIS operations, conducted by persons within or outside the entity.

Application Controls
The processing of transactions involves three stages: the input, processing and output stage. The input stage involves capturing a mass of data; the processing stage involves converting the mass of raw data into useful information; and the output stage involves preparation of information in a form useful to those who need to use it. To ensure that all relevant data are captured as input to the system, and to ensure that the data are accurately processed during their conversion into meaningful information, controls or other mechanisms must be incorporated into the system.

1. Control over input
A large number of errors in computer systems are caused by inaccurate or incomplete data entry. Input controls are designed to provide reasonable assurance that data submitted for processing are complete, properly authorized, and accurately translated into machine readable form.

Examples of input controls include:

Field check - This ensures that the input data agree with the required field format. For example, all SSS numbers must contain 10 digits. An input of an employee’s SSS number with more or fewer than ten digits will be rejected by the computer.

Validity check - Information needed is compared with valid information in the master file to determine the authenticity of the input. For example, the employee’s master file may contain two valid codes to indicate the employee’s gender: “1” for male and “2” for female. A code “3” is considered invalid and will be rejected by the computer.

Self-checking digit - This is a mathematically calculated digit which is usually added to a document number to detect common transpositional errors in data submitted for processing.

Limit check - Limit check or reasonable check is designed to ensure that data submitted for processing do not exceed a pre-determined limit or a reasonable amount.

Control totals - These are totals computed based on the data submitted for processing. Control totals ensure the completeness of data before and after they are processed. These controls include financial totals, hash totals, and record counts. As an example, assume the following data regarding the entity’s disbursements for the day

2. Controls over processing
Processing controls are designed to provide reasonable assurance that input data are processed, and that data are not lost, added, excluded, duplicated or improperly changed. Almost all of the input controls that were mentioned earlier are also part of the processing controls because such controls are usually incorporated in the client’s computer program to detect errors in processing transactions.
3. Controls over output
Output controls are designed to provide reasonable assurance that the results of processing are complete, accurate, and that these outputs are distributed only to authorized personnel.
A person who knows what an output should look like must review the CIS output for reasonableness. Control totals are compared prior to processing to ensure completeness of information. Finally, CIS outputs must be restricted only to authorized employees who will be using such outputs.

Test of controls in a CIS environment

• Auditing Around the Computer
Auditing around the computer is similar to testing control in a manual control structure in that it involves examination of documents and reports to determine the reliability of the system. When using this approach, the auditor ignores the client’s data processing procedures, focusing solely on the input documents and the CIS output. Input data are simply reconciled with the output to verify the accuracy of processing. Auditing around the computer is based on the assumption that if the input reconciles with the output, then the computer program must have processed the transaction accurately. Hence, the auditor obtains knowledge about the reliability of the system without directly examining the computer program of the system.

• Computer Assisted Audit Techniques (CAATs)
When computerized accounting systems perform tasks for which no visible evidence is available, it may be impracticable for the auditor to test manually. Such is usually the case when the entity uses advanced CIS. Consequently, the auditor will have to audit directly the client’s computer program using CAATs. This is called “white box approach”.

CAATs are computer programs and data which the auditor uses as part of the audit procedures to process data of audit significance contained in the entity’s information systems. Some of the commonly used CAATs include test data, integrated test facility and parallel simulation.

1. Test data
The test data technique is primarily designed to test the effectiveness of the internal control procedures which are incorporated in the client’s computer program. The objective of the test data technique is to determine whether the client’s computer programs can correctly handle valid and invalid conditions as they arise.

2. Integrated Test Facility (ITF)
A disadvantage of the test data technique is that the auditor does not have assurance that the program tested is the same program used by the client throughout the accounting period. In order to overcome this disadvantage, the test data technique can be extended to an integrated test facility (ITF).

3. Parallel Simulation
In contrast to the test data and ITF techniques, which require the auditor to create test inputs (data) and process these data using the client’s computer program, parallel simulation requires the auditor to write a program that simulates the program under review. The simulated program is then used to reprocess transactions that were previously processed by the client’s program.

The auditor compares the results obtained from the simulation with the client’s output, to be able to draw a conclusion about the reliability of the client’s program.

Parallel simulation can be accomplished by using generalized audit software or purpose-written programs. Generalized audit software consists of generally available computer packages which have been designed to perform common audit tasks such as performing or verifying calculations, specified by the auditor. Purpose-written programs, on the other hand, are designed to perform audit tasks in specific circumstances. These programs may be developed by the auditor, the entity being audited, or an outside programmer hired by the auditor.
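
An added example, not part of the original reviewer: the input controls named in this guide (field check, validity check, self-checking digit, limit check, control totals) built into a small stand-in for a client program, which is then exercised with the test data technique. The record layout, the Luhn check-digit scheme, the 50,000 limit and every sample record are assumptions constructed for illustration.

```python
import re
from decimal import Decimal

VALID_GENDER_CODES = {"1", "2"}      # from the guide: "1" male, "2" female
AMOUNT_LIMIT = Decimal("50000.00")   # assumed pre-determined limit

def luhn_ok(number: str) -> bool:
    """Self-checking digit via the Luhn scheme (assumed; the guide names none)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec: dict) -> list:
    """Return the names of the input controls this record fails."""
    failed = []
    if not re.fullmatch(r"[0-9]{10}", rec["sss_no"]):
        failed.append("field")       # SSS number must be exactly 10 digits
    if rec["gender"] not in VALID_GENDER_CODES:
        failed.append("validity")    # code absent from the master-file list
    voucher = rec["voucher_no"]
    if not (re.fullmatch(r"[0-9]+", voucher) and luhn_ok(voucher)):
        failed.append("check_digit")
    if not Decimal("0") < rec["amount"] <= AMOUNT_LIMIT:
        failed.append("limit")
    return failed

def control_totals(records: list) -> dict:
    """Record count, financial total and hash total for a batch."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        # Hash total: a sum with no accounting meaning, used only for comparison.
        "hash_total": sum(int(r["voucher_no"]) for r in records
                          if r["voucher_no"].isdecimal()),
    }

def process_batch(records: list, header_totals: dict) -> dict:
    """Stand-in for the client's program: control totals first, then edit checks."""
    if control_totals(records) != header_totals:
        return {"batch_accepted": False, "rejected": {}}
    rejected = {}
    for rec in records:
        failed = edit_checks(rec)
        if failed:
            rejected[rec["voucher_no"]] = failed
    return {"batch_accepted": True, "rejected": rejected}

def make_record(sss_no, gender, voucher_no, amount):
    return {"sss_no": sss_no, "gender": gender,
            "voucher_no": voucher_no, "amount": Decimal(amount)}

# Constructed test deck: (record, controls the auditor expects to fire).
TEST_DECK = [
    (make_record("0412345678", "1", "10017", "1200.00"), []),               # valid
    (make_record("041234567", "2", "10025", "800.00"), ["field"]),          # 9 digits
    (make_record("0412345679", "3", "10033", "950.00"), ["validity"]),      # code "3"
    (make_record("0412345680", "1", "10401", "400.00"), ["check_digit"]),   # 10041 transposed
    (make_record("0412345681", "2", "10058", "75000.00"), ["limit"]),       # over the limit
]

def run_test_data() -> list:
    """Test data technique: list every deviation from the expected result."""
    records = [rec for rec, _ in TEST_DECK]
    result = process_batch(records, control_totals(records))
    deviations = []
    if not result["batch_accepted"]:
        deviations.append("batch rejected although totals agree")
    for rec, expected in TEST_DECK:
        actual = result["rejected"].get(rec["voucher_no"], [])
        if actual != expected:
            deviations.append((rec["voucher_no"], expected, actual))
    return deviations

def lost_record_detected() -> bool:
    """Drop one record after totals were taken; the batch must be rejected."""
    records = [rec for rec, _ in TEST_DECK]
    header = control_totals(records)
    return process_batch(records[:-1], header)["batch_accepted"] is False

if __name__ == "__main__":
    print("deviations:", run_test_data())
    print("lost record detected:", lost_record_detected())
```

An empty deviation list means every control fired exactly where the auditor predicted; any entry points to a control in the program that accepts an invalid condition or rejects a valid one.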

• Other CAATs
Highly complicated computerized systems sometimes do not retain permanent audit trails and would require capturing of audit data as transactions are processed. Under this scenario, the CAATs available to the auditor may include:

• Snapshots
This technique involves taking a picture of a transaction as it flows through the computer system. Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of processing. Such a technique allows an auditor to track data and evaluate the computer processes applied to the data.

• System control audit review files (SCARF)
This involves embedding audit software modules within an application system to provide continuous monitoring of the system’s transactions. The information is collected into a special computer file that the auditor can examine.

TEST 3: ILLUSTRATION
