A CIS Environment exists when a computer of any

type or size is involved in the processing by the entity of financial information of significance to the
audit, whether that computer is operated by the entity or by a third party.

Note: The overall objective and scope of an audit does not change in a CIS Environment.

A CIS Environment may affect:

a. The procedures followed in obtaining a sufficient understanding of the accounting and

internal control systems.

b. The consideration of the inherent and control risk.

c. The design and performance of tests of controls and substantive procedures.

The auditor should have sufficient knowledge of the CIS to plan, direct, and review the work performed.

In planning the portions of the audit which may be affected by the client’s CIS environment, the auditor
should obtain an understanding of the significance and complexity of the CIS activities and the

availability of the data for use in the audit.

An entity’s management is ultimately responsible for designing and implementing systems that will

provide reasonable assurance that the entity’s objective will be achieve.

Components of CIS

1. Hardware – consists of the computer and all other physical equipment

2. Software – consists of computer program

Characteristics of a CIS Organizational Structure

1. Concentration of functions and knowledge

Although most systems employing CIS methods will include certain manual operations, generally the
number of persons involved in the processing of financial information is significantly reduced.

2. Concentration of programs and data -Transaction and master file data are often concentrated, usually
in machine-readable form, either in one computer installation located centrally or in a number of
installations distributed throughout the entity.

Nature of Processing

The use of computers may result in the design of systems that provide less visible evidence than those

using manual procedures. In addition, these systems may be accessible by a larger number of persons.

Systems characteristics that may result from the nature of CIS processing

1. Absence of input documents -Data may be entered directly into the computer without supporting
document. In some on-line transaction systems, written evidence of individual data entry authorization
(e.g., approval for order entry) may nr replaced by other procedures, such as authorization controls
contained in computer programs (e.g., credit limit approval).

2. Lack of visible audit trail

The transaction trail may be partly in machine-readable form and may exist only for a limited period of
time (e.g., audit logs may be set to overtime themselves after a period of time or when the allocated
disk space is consumed).

3. Lack of visible output

Certain transactions or results of processing may not be printed, or only a summary data may be
printed.

4. Ease of access to data and computer programs

Data and computer programs may be accessed and altered at the computer or through the use of
computer equipment at remote locations. Therefore, in the absence of appropriate controls, there is an
increased potential for unauthorized access to, and alteration of, data and programs by persons inside
or outside the entity

Design and Procedural Aspects

The development of CIS will generally result in design and procedural characteristics that are different
from those found in manual systems.

These include:

1. Consistency of performance

CIS perform functions exactly as programmed and are potentially more reliable than manual systems,
provided that all transaction types and conditions that could occur are anticipated and incorporated into

the system. On the other hand, a computer program that is not correctly programmed and tested may
consistently process transactions or other data erroneously.

2. Programmed control procedures

The nature f computer processing allows the design of internal control procedures in computer
programs.

3. Single transaction update of multiple or data base computer files. A single input to the accounting
system may automatically update all records associated with the transaction.

4. Systems generated transactions

Certain transactions may be initiated by the CIS itself without the need for an input

document

5. Vulnerability of data and program storage media

Large volumes of data and computer programs used to process such data may be stored on a portable
or fixed storage media, such as magnetic disks and tapes. These media are vulnerable to theft, loss, or
intentional or accidental destruction.

9.1 INTERNAL CONTROLS IN A CIS ENVIRONMENT

1. GENERAL CIS CONTROLS – to establish a framework of overall control over the CIS activities and to
provide a reasonable level of assurance that the overall objectives of internal control are achieved.

a. Organization and management controls –designed to define the strategic direction and establish an
organizational framework over CIS activities.Segregation between the CIS department and user
department

b. Development and maintenance control –designed to provide reasonable assurance that systems are
developed or acquired, or maintained in an authorized and efficient manner.

c. Delivery and support controls – designed to control the delivery of CIS services.

d. Monitoring controls – designed to ensure that CIS controls are working effectively as

planned.

Position Primary Responsibility

1. CIS Director Exercises control over the CIS operation.

2. Systems Analyst Designs new systems, evaluates and improves existing systems,

and prepares specifications for programmers.

3. Programmer Guided by the specifications of the systems analyst, the programmer writes a program,
tests and debugs such programs, and

prepares the computer operating instructions.

4. Computer Operator Using the program and detailed operating instructions prepared

by the programmer; operates the computer to process the transactions.

5. Data Entry Operator Prepares and verifies input data for processing.

6. Librarian Maintains custody of systems documentation, programs and

files.

7. Control Group Reviews all input procedures, monitors computer processing,

follows-up data processing errors, reviews the reasonableness of

output, and distributes output to authorized personnel.