Review of General CIS Controls – The general CIS controls which the auditor may wish to test are described above. The auditor should consider how these general CIS controls affect the CIS applications significant to the audit. General CIS controls that relate to some or all applications are typically inter-dependent controls in their operation is often essential to the effectiveness of CIS application controls. Accordingly, it may be more efficient to review the design of the general controls before reviewing the application controls.
Review of CIS Application Controls – Control over input, processing, data files and output may be carried out CIS personnel, users of the system, a separate control group, or may be programmed into application software, CIS application controls which the auditor may wish to test include:
- Manual controls exercised the user—if manual controls exercised the user of the application system are capable of providing reasonable assurance that the systems’ output is complete, accurate and authorized, the auditor may decide to limit tests of control to these manual controls (e.g. the manual controls exercised the user over a computerized payroll system for salaried employees could include an anticipatory input control total for gross pay, the test checking of net salary output computations, the approval of the payments and transfer of funds, comparison to payroll register amounts, and prompt bank reconciliation). In this case, the auditor may wish to test only the manual controls exercised the user.
- Controls over system output—if, in addition to manual controls exercised the user, the controls to be tested use information produced the computer or are contained within computer programs, it may be possible to test such controls examining the system’s output using either manual or computer-assisted audit techniques. Such output may be in the form of magnetic media,, microfilm or printouts (e.g. the auditor may test controls exercised the entity over the reconciliation of report totals to the general ledger control accounts and may perform manual tests of those reconciliations). Alternatively, where the reconciliation is performed computer, the auditor may wish to test the reconciliation reperforming the control with the use of computerassisted audit techniques
- Programmed control procedures—in the case of certain computer systems, the auditor may find that it is not possible or, in some cases, not practical to test controls examining only user controls or the system’s output (e.g. in an application that does not provide printouts of critical approvals or overrides to normal policies, the auditor may want to test control procedures contained within the application program). The auditor may consider performing tests of control using computer-assisted audit techniques, such as test data, reprocessing transactions data or, in unusual situations, examining the coding of the application program.
Evaluation – The general CIS controls may have a pervasive effect on the processing of transactions in application systems. If these controls are not effective, there may be a risk that misstatements might occur and go undetected in the application systems. Thus, weaknesses in general CIS controls may preclude testing certain CIS application controls; however, manual procedures exercised users may provide effective control at the application level.