Review of General CIS Controls – The general CIS controls which the auditor may wish to test are described above. The auditor should consider how these general CIS controls affect the CIS applications significant to the audit. General CIS controls that relate to some or all applications are typically inter-dependent controls in their operation is often essential to the effectiveness of CIS application controls. Accordingly, it may be more efficient to review the design of the general controls before reviewing the application controls.
Review of CIS Application Controls – Control over input, processing, data files and output may be carried out by CIS personnel, by users of the system, by a separate control group, or may be programmed into application software, CIS application controls which the auditor may wish to test include:
- Manual controls exercised by the user—if manual controls exercised by the user of the application system are capable of providing reasonable assurance that the systems’ output is complete, accurate and authorized, the auditor may decide to limit tests of control to these manual controls (e.g. the manual controls exercised by the user over a computerized payroll system for salaried
employees could include an anticipatory input control total for gross pay, the test checking of net salary output computations, the approval of the payments and transfer of funds, comparison to payroll register amounts, and prompt bank reconciliation). In this case, the auditor may wish to test only the manual controls exercised by the user. - Controls over system output—if, in addition to manual controls exercised by the user, the controls to be tested use information produced by the computer or are contained within computer programs, it may be possible to test such controls by examining the system’s output using either manual or computer-assisted audit techniques. Such output may be in the form of magnetic media,, microfilm or printouts (e.g. the auditor may test controls exercised by the entity over the reconciliation of report totals to the general ledger control accounts and may perform manual tests of those reconciliations). Alternatively, where the reconciliation is performed by computer, the auditor may wish to test the reconciliation by reperforming the control with the use of computerassisted audit techniques
- Programmed control procedures—in the case of certain computer systems, the auditor may find that it is not possible or, in some cases, not practical to test controls by examining only user controls or the system’s output (e.g. in an application that does not provide printouts of critical approvals or overrides to normal policies, the auditor may want to test control procedures
contained within the application program). The auditor may consider performing tests of control by using computer-assisted audit techniques, such as test data, reprocessing transactions data or, in unusual situations, examining the coding of the application program.
Evaluation – The general CIS controls may have a pervasive effect on the processing of transactions in application systems. If these controls are not effective, there may be a risk that misstatements might occur and go undetected in the application systems. Thus, weaknesses in general CIS controls may preclude testing certain CIS application controls; however, manual procedures exercised by users may provide effective control at the application level.
