SECTION II:

CIS ENVIRONMENTS

Introduction
● General CIS controls that relate to some or all applications are typically interdependent
controls in that their operation is often essential to the effectiveness of CIS application
controls. Accordingly, it may be more efficient to review the design of the general
controls before reviewing the application controls.

● CIS application controls which the auditor may wish to test Include:
○ Manual controls exercised by the user.
○ Controls over system output.
○ Programmed control procedures.

STAND-ALONE PERSONAL COMPUTERS

● A personal computer (PC) can be used in various configurations. These include:
○ A stand-alone workstation operated by a single user or several users at different
times.
○ A workstation which is part of a local area network (LAN) of PCs.
○ A workstation connected to a server.

● In a stand-alone PC environment, it may not be practicable or cost-effective for

management to implement sufficient controls to reduce the risks of undetected error to a
minimum level.

● After obtaining the understanding of the accounting system and control environment, the
auditor may find it more cost-effective not to make a further review of general controls or
application controls but concentrate audit efforts on substantive procedures.

ON-LINE COMPUTER SYSTEMS

● On-line computer systems are computer systems that enable users to access data and
programs directly through terminal devices.

● On-line systems allow users to directly initiate various functions such as:
○ Entering transactions
○ Making Inquiries
○ Requesting reports
○ Updating master files
○ Electronic commerce activities

● Types of terminals used in on-line systems:

○ General purpose terminals
■ Basic keyboard and screen
■ Intelligent terminal
■ PCs
 ○ Special purpose terminals
■ Point-of-sale devices
■ Automated teller machines (ATM)

● Types of on-line computer systems:

○ On-line/ real time processing
■ Individual transactions are entered at terminal devices, validated, and used
to update related computer files Immediately.

○ On-line/batch processing
■ Individual transactions are entered at a terminal device, subjected to
certain validation checks, and added to a transaction file that contains
other transactions entered during the period. Later, during a subsequent
processing cycle, the transaction file may be validated further and then
used to update relevant master files.

○ On-line/Memo update (and subsequent Processing)

■ Combines in-line/ real time and on-line/ batch processing.

■ Individual transactions immediately update a memo file containing

information that has been extracted from the most recent version of the
master file. Inquiries are made from this memo file.

■ These same transactions are added to a transaction file for subsequent

validation and updating of the master file on a batch basis.

■ On-time/ inquiry
● Restricts users at terminal devices to making inquiries of the
master file.

● Master files are updated by other systems, usually on a batch basis.

○ On-line downloading/uploading processing.

■ Online downloading refers to the transfer of data from a master file to an
intelligent terminal device for further processing by a user.

NETWORK ENVIRONMENT
● A network environment is a communication system that enables computer users to share
computer equipment, application software, data, and voice and video transmissions.

● A file server is a computer with an operating system that allows multiple users in a
network to access software applications and data files.
 ● Basic types of networks
○ Local area network (LAN)
○ Wide area network (WAN)
○ Metropolitan area network (MAN)

DATABASE SYSTEMS
● A database is a collection of data that is shared and used by many different users for
different purposes.

● Two components of database systems:

○ Database
○ Database management system (DBMS) - a software that
○ creates, maintains, and operates the database.

● Characteristics of database systems:

○ Data sharing
○ Data independence

TERMINOLOGIES USED IN CIS ENVIRONMENTS

● Computer Hardware - Consists of the configuration of physical electronic equipment.

● Console . A special CRT (Cathode Ray Tube) used for communication between the
operator and the computer.

● Peripheral Equipment - All non-CPU hardware that may be placed under the control of
the processor. This consists of Input. storage, output, and communication devices.

● Controllers - Units designed to operate (control) specific input/output devices.

● Channels - Units designed to handle the transfer of data Into or out of primary storage
(memory).

● Buffer Memory (Buffer) - Temporary storage unit used to hold data during input/output
operations.

● Off-line - Peripheral equipment not in direct communication with the CPU.

● On-line - Peripheral equipment in direct communication with, and under the control of
the CPU.
○
● Input Devices - Provides a means of transferring data into CPU storage.

Note: Types of Input Devices

○ Magnetic tape reader - Capable of sensing information recorded as magnetized

spots on magnetic tape. It is also used as an output device and storage medium.
 ○ Magnetic ink character reader (MICR) - Reads characters by scanning
temporarily magnetized characters using magnetic Ink.

○ Optical character recognition (OCR) - Reads characters directly from

documents based on their shapes and positions on the source document.

○ Cathode ray tube (CRT) - A typewriter-like device that decodes keystrokes into
electronic impulses.

○ Key-to-tope and Key-to-disk - Systems in which input data can be entered

directly onto magnetic tape, magnetic disk, or floppy disk through CRT.

● Storage Devices - Devices which store data that can be subsequently used by the CPU.
A. Random access - data can be accessed directly regardless of how it is physically
stored te.g., magnetic disk).

B. Sequential access - data must be processed in the order in which it is physically

stored (e.g., magnetic tape).

● Output Devices - Produce readable data or machine-readable data when further

processing is required. Examples are CRT. printer, and CRT COM (Computer output to
Microfilm).

● Terminals - CRT devices or microcomputers used for input/output (communication) with

the CPU.

● Point-of-Sale Devices - A terminal connected to a computer. It takes the place of a cash

register or similar devices which allows instant recording and can keep perpetual
inventory.

● Modem - A device for Interfacing communications equipment within communication

networks.

● Software - Consists of computer programs which instruct the computer hardware to

perform the desired processing.

TYPES OF COMPUTER PROGRAMS

● Operating System - Controls the functioning of the CPU and its peripheral equipment.
Several different operating systems allow a single configuration of hardware to function
in the following modes:

○ Multiprogramming - The operating system processes a program until an

input/output operation Is required. Since input or output can be handled by
peripheral devices, such as channels and controllers, the CPU can begin executing
 another program's instructions. Several programs appear to be concurrently
processing

○ Multiprocessing - Multiple CPUs process data while sharing peripheral devices,

allowing two or more programs to be process simultaneously

○ Virtual Storage - The operating system separates user programs into segment
pages automatically. It appears there is unlimited memory available for programs,
even though the program is still confined to a physical segment of memory.

● Utility Program - Performs a commonly required process, such as storing and merging.

● Application Program - Performs the desired processing tasks (e.g., payroll preparation).

● Source Program - Written by a programmer in a source language (e.g., COBOL) that

will be converted into an object program.

● Object Program - Converted source program that was changed using a compiler to
create a set of machine-readable Instructions.

● Compiler - Converts a source program to a machine language object program. .

● Interpreter - Converts each source code instruction to object code each time it is
executed.

● Database Management System (DBMS) - A software package for the purpose of

creating, accessing, and maintaining a database.

● Telecommunications Monitor Program - Provides editing capabilities and file

maintenance to users, monitors on-line terminals, and handies input to application
programs.

● Electronic Data Interchange (EDI) - The electronic exchange of transactions, from one
entity's computer to another entity's computer through an electronic communications
network. In electronic fund transfer (EFT) Systems, for example, electronic transactions
replace checks as a means of payment.

Note: EDI controls include

○ Authentication - controls must exist over the origin, proper submission, and
proper delivery of EDI communications to ensure that the EDI messages are
accurately sent and received to and from authorized customers and suppliers.

○ Encryption - involves conversion of plain text data to cipher text data to make
EDI messages unreadable to unauthorized persons.
 ○ VAN controls - a value added network (VAN) is a computer service organization
that provides network, storage, and forwarding (mailbox) services for EDI
messages.

STAND-ALONE PERSONAL COMPUTERS

ON-LINE COMPUTER SYSTEMS

NETWORK ENVIRONMENT

DATABASE SYSTEMS

TERMINOLOGIES USED IN CIS ENVIRONMENTS

TYPES OF COMPUTER PROGRAMS