Processing Integrity

The document discusses controls over input, processing, and output of data to ensure integrity. It identifies six categories of controls, which are grouped into three: 1) Input controls like forms design and data authorization to ensure accurate source data entry. 2) Processing controls like data matching and recalculation of batch totals to ensure correct processing. 3) Output controls to validate output, like control totals and exception reporting. The goal is to implement controls at all stages to maintain data integrity from input to output.


PROCESSING INTEGRITY

• COBIT control objective DS 11.1 addresses the need for controls over the input, processing, and
output of data.

• Identifies six categories of controls that can be used to satisfy that objective.

• Six categories are grouped into three for discussion.

• Three categories/groups of integrity controls are designed to meet the preceding objectives:

• Input controls

If the data entered into a system is inaccurate or incomplete, the output will be, too.
(Garbage in, garbage out.)

Companies must establish control procedures to ensure that all source documents are
authorized, accurate, complete, properly accounted for, and entered into the system or
sent to their intended destination in a timely manner.

The following input controls regulate integrity of input:

1. Forms design -- source documents and other forms should be designed to help
ensure that errors and omissions are minimized.
a. Pre-numbered forms sequence test
Pre-numbering helps verify that no items are missing.
When sequentially pre-numbered input documents are used, the
system should be programmed to identify and report missing or
duplicate form numbers.

b. Turnaround documents
Documents sent to external parties that are prepared in machine-readable
form to facilitate their subsequent processing as input records.
Example: the stub that is returned by a customer when paying a utility
bill is more accurate than a manually-prepared input record.
2. Cancellation and storage of documents
Documents that have been entered should be canceled.
Paper documents are stamped “paid” or otherwise defaced.
A flag field is set on electronic documents.
Canceling documents does not mean destroying documents.
They should be retained as long as needed to satisfy legal and
regulatory requirements.
3. Authorization and segregation of duties
Source documents should be prepared only by authorized personnel acting
within their authority.
Employees who authorize documents should not be assigned incompatible
functions.
4. Visual scanning -- Documents should be scanned for reasonableness and
propriety.
5. Data Entry Controls
Once data is collected, data entry control procedures are needed to ensure that
it’s entered correctly. Common tests to validate input include:
a) Field check
Determines if the characters in a field are of the proper type.
Example: The characters in a social security field should all be
numeric.
b) Sign check
Determines if the data in a field have the appropriate arithmetic
sign.
Example: The number of hours a student is enrolled in during a
semester could not be a negative number.
c) Limit check
Tests whether an amount exceeds a predetermined value.
Example: A university might use a limit check to make sure that
the hours a student is enrolled in do not exceed 21.
d) Range check
Similar to a field check, but it checks both ends of a range.
Example: Perhaps a wage rate is checked to ensure that it does
not exceed $15 and is not lower than the minimum wage rate.
e) Size (or capacity) check
Ensures that the data will fit into the assigned field.
Example: A social security number of 10 digits would not fit in
the 9-digit social security field.
f) Completeness check
Determines if all required items have been entered.
Example: Has the student’s billing address been entered along
with enrollment details?
g) Validity check
Compares the value entered to a file of acceptable values.
Example: Does the state code entered for an address match one
of the 50 valid state codes?
h) Reasonableness test
Determines whether a logical relationship seems to be
correct.
Example: A freshman with annual financial aid of $60,000 is
probably not reasonable.

i) Check digit verification
An additional digit called a check digit can be appended to
account numbers, policy numbers, ID numbers, etc.
Data entry devices then perform check digit verification by
using the original digits in the number to recalculate the
check digit.
If the recalculated check digit does not match the digit
recorded on the source document, that result suggests that
an error was made in recording or entering the number.
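As an added worked example (not from the notes), here are the data entry controls above applied to one constructed enrollment record in Python. The set of state codes, the wage floor, the financial-aid cutoff and the Luhn mod-10 check-digit scheme are assumptions, since the notes name no specific values or algorithm.

```python
# Constructed reference data standing in for the "file of acceptable values"
# that a validity check consults; a real system loads it from a master table.
VALID_STATE_CODES = {"CA", "MA", "NY", "TX"}

def field_check(ssn: str) -> bool:
    """Field check: every character in a social security field must be numeric."""
    return ssn.isdigit()

def sign_check(hours: int) -> bool:
    """Sign check: enrolled hours cannot carry a negative sign."""
    return hours >= 0

def limit_check(hours: int, limit: int = 21) -> bool:
    """Limit check: enrolled hours may not exceed the predetermined maximum."""
    return hours <= limit

def range_check(wage: float, low: float = 7.25, high: float = 15.0) -> bool:
    """Range check: both ends are tested (the $7.25 floor is an assumed minimum wage)."""
    return low <= wage <= high

def size_check(ssn: str, width: int = 9) -> bool:
    """Size check: the value must fit the assigned 9-digit field."""
    return len(ssn) == width

def completeness_check(record: dict, required=("ssn", "billing_address")) -> bool:
    """Completeness check: every required item must be present and non-empty."""
    return all(record.get(key) for key in required)

def validity_check(state: str) -> bool:
    """Validity check: the state code must match one of the accepted codes."""
    return state in VALID_STATE_CODES

def reasonableness_test(year: int, aid: float, cutoff: float = 30_000) -> bool:
    """Reasonableness test: a freshman (year 1) with aid above the cutoff is implausible.
    The $30,000 cutoff is a constructed threshold, not one given in the notes."""
    return not (year == 1 and aid > cutoff)

def luhn_check_digit(body: str) -> str:
    """Compute a mod-10 (Luhn) check digit from the original digits of a number.
    Assumed scheme: the notes describe check digits without naming an algorithm."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:        # double every second digit, starting at the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def check_digit_verification(number: str) -> bool:
    """Recalculate the check digit from the leading digits and compare it with
    the digit recorded on the source document (the last digit)."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]

def validate_enrollment(record: dict) -> list:
    """Run every data entry control over one record; return the names of the
    controls that rejected it (an empty list means the record is accepted)."""
    checks = [
        ("field", field_check(record.get("ssn", ""))),
        ("sign", sign_check(record["hours"])),
        ("limit", limit_check(record["hours"])),
        ("range", range_check(record["wage"])),
        ("size", size_check(record.get("ssn", ""))),
        ("completeness", completeness_check(record)),
        ("validity", validity_check(record.get("state", ""))),
        ("reasonableness", reasonableness_test(record["year"], record["aid"])),
        ("check_digit", check_digit_verification(record.get("account", ""))),
    ]
    return [name for name, passed in checks if not passed]

# Constructed sample records: one clean, one that trips most of the controls.
GOOD_RECORD = {"ssn": "123456789", "hours": 15, "wage": 12.50, "billing_address": "1 Main St",
               "state": "MA", "year": 1, "aid": 5_000, "account": "79927398713"}
BAD_RECORD = {"ssn": "12345678A0", "hours": -3, "wage": 20.00, "billing_address": "",
              "state": "ZZ", "year": 1, "aid": 60_000, "account": "79927398731"}

if __name__ == "__main__":
    print("good record failures:", validate_enrollment(GOOD_RECORD))
    print("bad record failures:", validate_enrollment(BAD_RECORD))
```

The bad record's account number is the good one with its last two digits swapped, which is exactly the recording error the recalculated check digit catches.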

• The preceding tests are used for batch processing and online real-time processing.

• Both processing approaches also have some additional controls that are unique to each
approach.

• Additional Batch Processing Data Entry Controls

In addition to the preceding controls, when using batch processing, the following data entry
controls should be incorporated:

1. Sequence check --Tests whether the data is in the proper numerical or alphabetical sequence.

2. Error log--Records information about data input or processing errors (when they occurred,
cause, when they were corrected and resubmitted).

Errors should be investigated, corrected, and resubmitted on a timely basis
(usually with the next batch) and subjected to the same input validation
routines.
The log should be reviewed periodically to ensure that all errors have been
corrected and then used to prepare an error report, summarizing errors by
record type, error type, cause, and disposition.

3. Batch totals

Summarize key values for a batch of input records. Commonly used batch totals include:

i. Financial totals—sums of fields that contain dollar values, such as total sales.
ii. Hash totals—sums of nonfinancial fields, such as the sum of all social security
numbers of employees being paid.
iii. Record count—count of the number of records in a batch.
These batch totals are calculated and recorded when data is entered and used later to
verify that all input was processed correctly.

• Processing controls

• Processing controls to ensure that data is processed correctly include:

• Data matching

Two or more items must match before processing can proceed.
Example: The quantity billed on the vendor invoice must match the
quantity ordered on the purchase order and the quantity received on
the receiving report.

• File labels

External labels should be checked visually to ensure the correct and
most current files are being updated.
There are also two important types of internal labels to be checked.
The header record, located at the beginning of each file, contains the
file name, expiration date, and other identification data.
The trailer record at the end of the file contains the batch totals
calculated during input.

• Recalculation of batch totals

Batch totals should be recomputed as processing takes place.
These totals should be compared to the totals in the trailer record.
Discrepancies indicate processing errors, such as:
a. If the recomputed record count is smaller than the original
count, one or more records were not processed.
b. If the recomputed record count is larger than the original, then
additional unauthorized transactions were processed or some
authorized transactions were processed twice.
c. If the discrepancy between totals is evenly divisible by 9, there
was probably a transposition error (two adjacent digits were
reversed).
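Added example, not from the notes, covering both the batch totals section and the recalculation step above: the three totals are computed when the batch is entered, kept as the trailer record, recomputed after processing and compared, with the three discrepancy diagnoses listed. The (SSN, amount in cents) record layout and every sample value are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BatchTotals:
    """The trailer-record totals: a financial total (cents), a hash total of a
    nonfinancial field (SSNs) and a record count."""
    financial_total: int
    hash_total: int
    record_count: int

def compute_batch_totals(records) -> BatchTotals:
    """Summarize a batch of (ssn, amount_in_cents) records (constructed layout)."""
    return BatchTotals(
        financial_total=sum(amount for _, amount in records),
        hash_total=sum(int(ssn) for ssn, _ in records),
        record_count=len(records),
    )

def recalculate_and_compare(trailer: BatchTotals, processed) -> list:
    """Recompute the totals over the records that were actually processed and
    compare them with the trailer record. Returns the diagnoses from the notes;
    an empty list means the batch reconciles."""
    recomputed = compute_batch_totals(processed)
    findings = []
    if recomputed.record_count < trailer.record_count:
        findings.append("record count smaller: one or more records were not processed")
    elif recomputed.record_count > trailer.record_count:
        findings.append("record count larger: unauthorized or duplicate transactions processed")
    hash_diff = abs(recomputed.hash_total - trailer.hash_total)
    if hash_diff:
        # Swapping two adjacent digits a,b changes a number by 9*(a-b)*10^k,
        # so a difference divisible by 9 points at a transposition error.
        # Only raised when the record counts agree, so a missing or extra
        # record whose SSN happens to be a multiple of 9 is not misdiagnosed.
        if hash_diff % 9 == 0 and recomputed.record_count == trailer.record_count:
            findings.append(f"hash total off by {hash_diff}, divisible by 9: probable transposition")
        else:
            findings.append(f"hash total off by {hash_diff}")
    fin_diff = abs(recomputed.financial_total - trailer.financial_total)
    if fin_diff:
        findings.append(f"financial total off by {fin_diff} cents")
    return findings

# Constructed input batch; the trailer record is written when the batch is entered.
INPUT_BATCH = [("123456789", 10_000), ("234567890", 2_550), ("345678901", 999)]
TRAILER = compute_batch_totals(INPUT_BATCH)

# Three processing outcomes: intact, one record dropped, one SSN with two digits swapped.
INTACT = list(INPUT_BATCH)
DROPPED = INPUT_BATCH[:2]
TRANSPOSED = [("123456798", 10_000)] + INPUT_BATCH[1:]

if __name__ == "__main__":
    for name, batch in [("intact", INTACT), ("dropped", DROPPED), ("transposed", TRANSPOSED)]:
        print(name, recalculate_and_compare(TRAILER, batch) or ["reconciles"])
```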

• Cross-footing balance test

Compares arithmetic results produced by two different methods to
verify accuracy.
EXAMPLE: Compute the sum of column totals in a spreadsheet and
compare it to a sum of the row totals.
• Write-protection mechanisms

Protect against accidental writing over or erasing of data files but are
not foolproof.

• Database processing integrity procedures

Database systems use database administrators, data dictionaries, and
concurrent update controls to ensure processing integrity.
The administrator establishes and enforces procedures for accessing
and updating the database.
The data dictionary ensures that data items are defined and used
consistently.
Concurrent update controls protect records from being updated by two
users simultaneously: one user is locked out until the other has
finished processing.

• Output controls

• Careful checking of system output provides additional control over processing integrity.

• Output controls include:

• User review of output

Users carefully examine output for reasonableness and completeness,
and to assure that they are the intended recipient.

• Reconciliation procedures

Periodically, all transactions and other system updates should be
reconciled to control reports, file status/update reports, or other
control mechanisms.
Control accounts should also be reconciled to subsidiary account totals.

• External data reconciliation

Database totals should periodically be reconciled with data maintained
outside the system.
EXAMPLE: Compare the number of employee records in the payroll file to
the number in the human resources file. (Excess records in payroll suggest
a “ghost” employee.)
• In addition to using encryption to protect the confidentiality of information being
transmitted, organizations need controls to minimize the risk of data transmission
errors.
• When the receiving unit detects a data transmission error, it asks the sending unit to re-
send. Usually done automatically.
• Sometimes, the system may not be able to accomplish automatic resubmission and will
ask the sender to re-transmit the data.
• Two basic types of data transmission controls:
1. Parity checking
– Computers represent characters as a set of binary digits (bits).
– For example, “5” is represented by the seven-bit pattern 0000101.
– When data are transmitted, some bits may be lost or received
incorrectly.
– Two basic schemes to detect these events are referred to as even parity
and odd parity.
– In either case, an additional bit is added to the digit being transmitted.
– In even parity, the parity bit is set so that each character has an even
number of bits with the value 1.
– In odd parity, the objective is that an odd number of bits should have
the value 1.
– The pattern for 5 is 0000101. This pattern has two bits (an even
number) with a value of 1. Therefore, the parity bit that is added would
be zero if we were using even parity and 1 if we were using odd parity.
– The receiving device performs parity checking to verify that the proper
number of bits is set to one in each character received.
– Additional accuracy can be achieved with more complex parity schemes.

2. Message acknowledgment techniques
– A number of message acknowledgment techniques can be used to let
the sender of an electronic message know that a message was received:
– When data are transmitted, the system calculates a summary
statistic such as the number of bits in the message.
– The receiving unit performs the same calculation (an “echo check”)
and sends the result to the sending unit.
– If the counts match, the transmission is presumed accurate.
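Added example (not from the notes): the even/odd parity scheme and the echo check described above, sender and receiver sides, using the 0000101 pattern for “5”. The choice of the count of 1 bits as the summary statistic and the bit-flipping helper that stands in for line noise are assumptions. It also shows the limit the notes hint at with "more complex parity schemes": a single parity bit misses two flipped bits, and an echo check on a count misses a 0-to-1 and 1-to-0 pair.

```python
def parity_bit(pattern: str, even: bool = True) -> str:
    """Sender side: the bit appended to a 7-bit pattern so that the 8-bit frame
    has an even (or odd) number of 1 bits."""
    ones = pattern.count("1")
    if even:
        return "0" if ones % 2 == 0 else "1"
    return "1" if ones % 2 == 0 else "0"

def frame(pattern: str, even: bool = True) -> str:
    """Build the transmitted frame: 7 data bits followed by the parity bit."""
    return pattern + parity_bit(pattern, even)

def parity_check(received: str, even: bool = True) -> bool:
    """Receiver side: verify that the frame has the proper number of 1 bits."""
    ones = received.count("1")
    return ones % 2 == (0 if even else 1)

def flip_bits(bits: str, positions) -> str:
    """Constructed line-noise helper: invert the bits at the given positions."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)

def bit_count(message: bytes) -> int:
    """Summary statistic for the echo check: the number of 1 bits in the message
    (one choice of statistic; the notes only say "such as the number of bits")."""
    return sum(bin(byte).count("1") for byte in message)

def echo_check(sent: bytes, received: bytes) -> bool:
    """The sender computes the statistic; the receiver computes the same over
    what it got and echoes it back. Matching counts mean the transmission is
    presumed accurate."""
    echoed = bit_count(received)     # the value the receiving unit sends back
    return bit_count(sent) == echoed

FIVE = "0000101"   # the seven-bit pattern for "5" used in the notes

if __name__ == "__main__":
    sent = frame(FIVE)                            # "00001010" under even parity
    print("even frame:", sent, "odd frame:", frame(FIVE, even=False))
    print("single-bit error detected:", not parity_check(flip_bits(sent, [2])))
    print("double-bit error detected:", not parity_check(flip_bits(sent, [2, 3])))
    msg = b"5"
    corrupted = bytes([msg[0] ^ 0b00000100])      # one bit flipped on the line
    print("echo check catches the flip:", not echo_check(msg, corrupted))
```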
AVAILABILITY CONTROLS
• Reliable systems are available for use whenever needed.

• Threats to system availability originate from many sources, including:

– Hardware and software failures

– Natural and man-made disasters

– Human error

– Worms and viruses

– Denial-of-service attacks and other sabotage

• Proper controls can minimize the risk of significant system downtime caused by the preceding
threats.

• It is impossible to totally eliminate all threats.

• Consequently, organizations must develop disaster recovery and business continuity plans to
enable them to quickly resume normal operations after such an event.

• Minimizing Risk of System Downtime

– Loss of system availability can cause significant financial losses, especially if the system
affected is essential to e-commerce.

– Organizations can take a variety of steps to minimize the risk of system downtime.

• Physical and logical access controls (Chapter 7) can reduce the risk of successful
denial-of-service attacks.

• Good information security reduces risk of theft or sabotage of IS resources.

– COBIT control objective DS 13.5 identifies the need for preventive maintenance.
Examples:

• Cleaning disk drives

• Properly storing magnetic and optical media

– Use of redundant components can provide fault tolerance, which enables the system to
continue functioning despite failure of a component. Examples of redundant
components:

• Dual processors
• Arrays of multiple hard drives.

• COBIT control objectives DS 12.1 and 12.4 address the importance of proper location and design
of rooms housing mission-critical servers and databases.

– Raised floors protect from flood damage.

– Fire protection and suppression devices reduce likelihood of fire damage.

– Adequate air conditioning reduces likelihood of damage from over-heating or humidity.

– Cables with special plugs that cannot be easily removed reduce risk of damage due to
accidentally unplugging.

– An uninterruptible power supply (UPS) provides protection from a prolonged power
outage and buys the system enough time to back up critical data and shut down safely.

• Training is especially important.

– Well-trained operators are less likely to make mistakes and more able to recover if they
do.

– Security awareness training, particularly concerning safe email and Web-browsing
practices, can reduce risk of virus and worm infection.

• Anti-virus software should be installed, run, and kept current.

• Email should be scanned for viruses at both the server and desktop levels.

• Newly acquired software and disks, CDs, or DVDs should be scanned and tested first on a
machine that is isolated from the main network.

• Disaster Recovery and Business Continuity Planning

– Disaster recovery and business continuity plans are essential if an organization hopes to
survive a major catastrophe.

– Being without an IS for even a short period of time can be quite costly—some report as
high as half a million dollars per hour.

– Yet many large U.S. companies do not have adequate disaster recovery and business
continuity plans.

• The objectives of a disaster recovery and business continuity plan are to:

1. Minimize the extent of the disruption, damage, and loss

2. Temporarily establish an alternative means of processing information

3. Resume normal operations as soon as possible

4. Train and familiarize personnel with emergency operations

• Key components of effective disaster recovery and business continuity plans include:

1. Data Backup Procedures
• Data need to be backed up regularly and frequently.
• A backup is an exact copy of the most current version of a database. It is
intended for use in the event of a hardware or software failure.
• The process of installing the backup copy for use is called restoration.
2. Infrastructure Replacement
• Major disasters can totally destroy an organization’s information processing
center or make it inaccessible.
• A key component of disaster recovery and business continuity plans
incorporates provisions for replacing the necessary computing infrastructure,
including:
1. Computers
2. Network equipment and access
3. Telephone lines
4. Office equipment
5. Supplies
• It may even be necessary to hire temporary staff.
3. Documentation
• An important and often overlooked component. Should include:
1. The disaster recovery plan itself, including instructions for notifying
appropriate staff and the steps to resume operation, needs to be well
documented.
2. Assignment of responsibility for the various activities.
3. Vendor documentation of hardware and software.
4. Documentation of modifications made to the default configuration (so
replacement will have the same functionality).
5. Detailed operating instructions.
• Copies of all documentation should be stored both on-site and off-site.
4. Testing
• Periodic testing and revision is probably the most important component of
effective disaster recovery and business continuity plans.
• Most plans fail their initial test, because it’s impossible to anticipate everything
that could go wrong.
• The time to discover these problems is before the actual emergency and in a
setting where the weaknesses can be carefully analyzed and appropriate
changes made.
5. Insurance
• Organizations should acquire adequate insurance coverage to defray part or all
of the expenses associated with implementing their disaster recovery and
business continuity plans.

Chapter 11 AUDITING COMPUTER-BASED INFORMATION SYSTEMS

The Nature of Auditing

Overview of the Process
All audits follow a similar sequence of activities. Audits may be divided into four stages:
planning, collecting evidence, evaluating evidence, and communicating audit results.
• Audit planning
Audit planning determines why, how, when and by whom the audit will be performed.
The first step is to establish the audit's scope and objectives. An audit team with the
necessary experience and expertise is formed. They become familiar with the auditee by
conferring with supervisory and operating personnel, reviewing system documentation,
and reviewing prior audit findings. An audit is planned so the greatest amount of audit
work focuses on the areas with the highest risk factors.
• Collection of audit evidence
Most audit effort is spent collecting evidence. Because many audit tests cannot be
performed on every item, they are often performed on a sample basis. Some of the most
common ways to collect audit evidence are: (1) observation of the activities being
audited; (2) review of documentation to understand how a particular process or internal
control system is supposed to function; (3) discussions with employees about their jobs
and about how they carry out certain procedures; (4) questionnaires that gather data;
and (5) physical examination of the quantity and/or condition of tangible assets, such
as equipment and inventory.
• Evaluation of audit evidence
The auditor evaluates the evidence gathered and decides whether it supports a
favorable or unfavorable conclusion. If inconclusive, the auditor performs sufficient
additional procedures to reach a definitive conclusion. Because errors exist in most
systems, auditors focus on detecting and reporting those that significantly impact
management's interpretation of the audit findings. Using professional judgement,
materiality in the audit evidence is determined.
In all audit stages, findings and conclusions are documented in audit working papers.
Documentation is especially important at the evaluation stage, when conclusions must
be reached and supported.
• Communication of audit results
The auditor submits a written report summarizing audit findings and recommendations
to management, the audit committee, the board of directors, and other appropriate
parties. Afterwards, auditors often do a follow-up study to ascertain whether
recommendations were implemented.
Risk-Based Audit Approach
1. Determine the threats (frauds and errors) facing the company.
2. Identify the control procedures that prevent, detect, or correct the threats.
3. Evaluate control procedures.
• Systems review
• Tests of controls
4. Evaluate control weaknesses to determine their effect on the nature, timing, or
extent of auditing procedures.
Information Systems Audits
The purpose of an information systems audit is to review and evaluate the internal
controls that protect the system. When performing an information systems audit,
auditors should ascertain that the six objectives are met.

1. Overall Security
Security provisions protect computer equipment, programs, communications, and data
from unauthorized access, modification, or destruction. Overall system security threats
include accidental or intentional damage to system assets; unauthorized access,
disclosure, or modification of data and programs; theft; and interruption of crucial
business activities.
2. Program Development and Acquisition
The auditor's role in systems development should be limited to an independent review
of systems development activities. To maintain objectivity, auditors should not help
develop the system.
Two things can go wrong in program development: (1) inadvertent programming errors
due to misunderstanding system specifications or careless programming and (2)
unauthorized instructions deliberately inserted into the programs. These problems can
be controlled by requiring management and user authorization and approval, thorough
testing, and proper documentation.
3. Program Modification
The same threats that occur during program development occur during program
modification. When a program change is submitted for approval, a list of all required
updates should be compiled and approved by management and program users. All
program changes should be tested and documented. During the change process, the
developmental program must be kept separate from the production version. After the
modified program is approved, the production version replaces the developmental
version.
4. Computer Processing
During computer processing, the system may fail to detect erroneous input, improperly
correct input errors, process erroneous input, or improperly distribute or disclose
output. Auditors periodically reevaluate processing controls to ensure their continued
reliability. If they are unsatisfactory, user and source data controls may be strong
enough to compensate. If not, a material weakness exists, and steps should be taken to
eliminate the control deficiencies.
5. Source Data
An input controls matrix is used to document the review of source data controls. The
matrix shows the control procedures applied to each input record field.
The data control function should be independent of other functions, maintain a data
control log, handle errors, and ensure the overall efficiency of operations. It is usually
not economically feasible for small businesses to have an independent data control
function. To compensate, user department controls must be stronger with respect to
data preparation, batch control totals, edit programs, restrictions on physical and logical
access, and error-handling procedures. These procedures should be the focus of the
auditor's systems review and tests of controls when there is no independent data
control function.
6. Data Files
The sixth objective concerns the accuracy, integrity, and security of data stored on
machine-readable files. If file controls are seriously deficient, especially with respect to
physical or logical access or to backup and recovery procedures, the auditor should
recommend they be rectified.
Audit Software
Computer-assisted audit techniques (CAATs) refer to audit software, often called
generalized audit software (GAS), that uses auditor-supplied specifications to generate a
program that performs audit functions, thereby automating or simplifying the audit
process. Two of the most popular software packages are Audit Control Language (ACL)
and Interactive Data Extraction and Analysis (IDEA). CAATs are ideally suited for examining
large data files to identify records needing further audit scrutiny.
As an example, a new tax collector in a small New England town requested a tax audit.
Using CAATs, the auditor assessed tax collection records for the previous 4 years, sorted
them by date, summed collections by month, and created a report of monthly tax
collections. The analysis revealed that collections during January and July, the two
busiest months, had declined by 58% and 72%, respectively. Auditors then used CAATs
to compare each tax collection record with property records. They identified several
discrepancies, including one committed by the former tax collector, who used another
taxpayer's payment to cover her own delinquent tax bills. The former tax collector was
arrested for embezzlement.

Operational Audits of an AIS

The techniques and procedures used in operational audits are similar to audits of
information systems and financial statements. The basic difference is audit scope. An
information systems audit is confined to internal controls and a financial audit to
systems output, whereas an operational audit encompasses all aspects of systems
management. In addition, objectives of an operational audit include evaluating
effectiveness, efficiency, and goal achievement.
The first step in an operational audit is planning, during which the scope and objective
of the audit are established, a preliminary system review is performed, and a tentative
audit program is prepared. The next step is evidence collection. At the evidence
evaluation stage, the auditor measures the system against one that follows the best
systems management principles. Auditors document their findings and conclusions and
communicate them to management.
The ideal operational auditor has audit training and experience as well as a few years'
experience in a managerial position. Auditors with strong auditing backgrounds but
weak management experience often lack the perspective necessary to understand the
management process.
