[ ]

CORAL | DELOSO | SALANGUIT | YU

 Designed to ensure that the
transactions that bring data into the
system are valid, accurate, and
complete

 Data input procedures can be either:

 Source document-triggered (batch)
 Direct input (real-time)

2
 Source document input requires
human involvement and is prone to
clerical errors.

 Direct input employs real-time editing

techniques to identify and correct
errors immediately

3
4
 Controls in systems using physical
source documents
 Source document fraud
 To control for exposure, control
procedures are needed over
source documents to account for
each one
 Use pre-numbered source
documents
 Use source documents in
sequence
 Periodically audit source
5
documents
 Checks on data integrity during
processing
 Transcription errors
 Addition errors, extra digits
 Truncation errors, digit removed
 Substitution errors, digit replaced
 Transposition errors
 Single transposition: adjacent digits
transposed (reversed)
 Multiple transposition: non-adjacent
digits are transposed
6
 Control = Check digits
 Added to code when created (suffix,
prefix, embedded)
 Sum of digits (ones): transcription
errors only
 Modulus 11: different weights per
column: transposition and
transcription errors
 Introduces storage and processing
inefficiencies
7
Sum of Digits
Sum the specific number of digits are added to get the check digit.
Then the tens column is dropped and the remaining number in the
check digits is added to the code.
Example: Finding the new code for the original code 5372

First sum the digits to get check digit:

5 + 3 + 7 + 2 = 17
Remove the tens column from the check digit: 7
Add the remaining: 53727

Modulus 11
Example: Find the new code for the original code 5372

Step 1. Assign weights – To be multiplied in each digit in the

code. In the given case, weights used are 5,4,3,2
Step 1. Assign weights – To be multiplied in each digit in the
code. In the given case, weights used are 5,4,3,2
Digit Weight
5x5 = 25
3x4 = 12
7x3 = 21
2x2 = 4
Step 2. Sum the products: 25 + 12 + 21 + 4 = 62
Step 3. Divide the sum by the modulus: 62/11 = 5 with a
remainder of 7
Step 4. Subtract the remainder from the modulus to obtain
the check digit = 11 – 7 = 4
Step 5. Add the check digit to the old code: 53724

 Introduces storage and processing inefficiencies

 Method for handling high volumes of
transaction data – esp. paper-fed IS
 Controls of batch continues thru all
phases of system and all processes
(i.e., not JUST an input control)
 All records in the batch are
processed together
 No records are processed more
than once
 An audit trail is maintained from
input to output
 Requires grouping of similar input 10

transactions
 Requires controlling batch throughout
 Batch transmittal sheet
-Next Slide
Contains:
 Unique batch number (serial #)
 A batch date
 A transaction code
 Number of records in the batch
 Total dollar value of financial field
 Sum of unique non-financial field
• Hash total
• E.g., customer number
 Batch control log – Next Slide 11

 Hash totals
 Intended to detect errors in data
before processing
 Most effective if performed close
to the source of the transaction
 Some require referencing a master
file
Validation Controls 3 kinds of systems:
1. Real time processing
2. Batch processing with direct access
master files
3. Batch processing with sequential 14
files
 3 levels of input validation checks
 Field Interrogation
 Missing data checks
 Numeric-alphabetic data checks
 Zero-value checks
 Limit checks
 Range checks
 Validity checks
 Check digit
 Record Interrogation
 Reasonableness checks
 Sign checks
 Sequence checks
 File Interrogation
 Internal label checks (tape) 16
 Version checks
 Expiration date check
 Batch – correct and resubmit
 Controls to make sure errors
dealt with completely and
accurately
1) Immediate Correction
2) Create an Error File
 Reverse the effects of partially
processed, resubmit corrected
records
 Reinsert corrected records in
processing stage where error
was detected
3) Reject the Entire Batch 18
 Centralized procedures to
manage data input for all
transaction processing systems
 Eliminates need to create
redundant routines for each new
application
 Advantages:
 Improves control by having
one common system perform
all data validation
 Ensures each AIS application
applies a consistent standard
of data validation
 Improves systems 19

development efficiency
 Major components:
1) Generalized
Validation Module
2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log
20
22
 Use batch figures to
monitor the batch as it
moves from one process to
another
1) Recalculate Control
Totals
2) Check Transaction Codes
3) Sequence Checks
23
24
 When operator manually
enters controls into the
system
 Entering control totals for a
batch records, providing
parameter values for logical
operations, and activating a
program from a different
point when reentering semi
processed error records.
 Preference is to derive by 25
logic or provided by system
 Every transaction becomes traceable
from input to output
 Each processing step is documented
 Preservation is key to auditability of
AIS
 Transaction logs
 Log of automatic transactions
 Listing of automatic transactions
 Unique transaction identifiers [s/n]
 Error listing

26
27
 Ensure system output:
1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated

29
 Batch systems more susceptible to
exposure, require greater controls
 Controlling Batch Systems Output
 Many steps from printer to end
user
 Data control clerk check point
 Unacceptable printing should be
shredded
 Cost/benefit basis for controls
 Sensitivity of data drives levels of
controls 30
 Output spooling – risks:
 Access the output file and change
critical data values
 Access the file and change the
number of copies to be printed
 Make a copy of the output file so
illegal output can be generated
 Destroy the output file before
printing take place

31
 Operator Intervention:
1) Pausing the print program to
load output paper
2) Entering parameters needed by
the print run
3) Restarting the print run at a
prescribed checkpoint after a
printer malfunction
4) Removing printer output from
the printer for review and
distribution

32
 Print Program Controls

 Production of unauthorized
copies
 Employ output document
controls similar to source
document controls
 Unauthorized browsing of
sensitive data by employees
 Special multi-part paper that
blocks certain fields

33
34
OUTPUT CONTROLS
 Bursting
When output reports are removed from the printer,
they go to the bursting stage to have their pages
separated and collated.
 Supervision

 Waste
 Proper disposal of aborted copies
and carbon copies
OUTPUT CONTROLS
 Data control
 Data control group – is responsible for
verifying the accuracy of computer output
before it is distributed to the users and log
 Report distribution
Techniques:
• The reports may be placed in a secure mailbox to
which only the user has the key.
• The user may be required to appear in person.
• A security officer or special courier may deliver
the report to the user.
OUTPUT CONTROLS
 End user controls
 End user detection

 Report retention:
 Statutory requirements (gov’t)
 Number of copies in existence
 Existence of softcopies (backups)
 Destroyed in a manner consistent
with the sensitivity of its contents
CONTROLLING REAL-TIME SYSTEMS
OUTPUT
 Controlling real-time systems output
 Eliminates intermediaries
 Threats:
 Interception
 Disruption
 Destruction
 Corruption
 Exposures:
 Equipment failure
 Subversive acts
 Systems performance controls (Ch. 2)
 Chain of custody controls (Ch. 5)
 TESTING COMPUTER
APPLICATION CONTROL

Designed to provide information about the

accuracy and completeness of an
application’s processes
Two general approaches:
black box approach: do not rely on detailed
knowledge of application’s internal logic
white box approach: relies on in-depth
understanding of internal logic of application being
tested
Auditing Around the
Computer (BLACK-BOX)

Computer is a “black-box.”
Assumption: If the auditor can show that the
actual outputs are the correct results to be
expected from a set of inputs to the processing
system, then the computer processing must be
functioning in a reliable manner
Involves tracing selected transactions from
source documents to summary accounts and
records, and vice-versa
A “Non-Processing of Data” Method
Auditing Around the
Computer (BLACK-BOX)

 Ignore internal logic of application

 Use functional characteristics
 Flowcharts
 Interview key personnel
 Advantages:
 Do not have to remove application from operations to test it
 Appropriately applied:
 Simple applications
 Relative low level of risk
Auditing Around the
Computer (BLACK-BOX)
Suitable only under the following 3 conditions:
The audit trail is complete and visible
The processing operations are relatively straightforward,
uncomplicated, and low volume
Complete documentation, such as DFDs and Systems
Flowcharts, are available to the auditor
Best suited for independent periodic processing
applications:
cash disbursements
payroll processing
 Limitations is that it does not allow the auditor to determine exactly
how the computer processing programs handle edit checks and
programmed checks
 Auditing Around the
Computer: An Illustration
Exception Report

Master File
Regular Processing
Normal Run Documents, Listings,
Processing Registers, Reports

Regular
Transactions

Auditor
Comparison

Selected
Transactions Predetermined
Audit Test Results

Figure 10-4a
Auditing Through the
Computer (WHITE-BOX)
Should be applied to all complex automated
processing systems
Periodic direct and real-time processing applications where
the audit trail is impaired
Methods include:
Test Data
Integrated Test Facility
Embedded Audit Module Techniques
Program Code Checking
Parallel Processing
Parallel Simulation
Controlled Processing
All auditing-through-the-computer techniques
provide evidence concerning the level of control
risk.
 (WHITE-BOX)
1. Access Test
verify individuals attempting to access a system are
authentic and valid.
1. Validity tests:
System only processes data values that conform to
specified tolerances
Accuracy Tests:
ensure that mathematical calculations are accurate
and posted to the correct accounts.
1. Completeness tests:
Identify missing data (field, records, files)
 (WHITE-BOX)
4) Redundancy tests:
 Process each record exactly once
5) Audit trail tests:
 Ensure application and/or system creates an adequate audit
trail
 Transactions listing
 Error files or reports for all exceptions
6) Rounding error tests:
 “Salami slicing”
 Monitor activities – excessive ones are serious exceptions;
e.g, rounding and thousands of entries into a single account
for $1 or 1¢
Auditing Through the
Computer: An Illustration
Exception
Report
Master File Regular Documents,
Processing Run Listings, Registers,
Normal Processing
Regular Reports
Transactions

Exception
Report
Master File
Regular Audit
Processing Run Summary Results
from Tests Comparison
Audit Test
Transactions
Predetermined
Audit Test
Results

Figure 10-4 b
Examples of Black-box and White-box Approach
Internal Control Auditing Around the Computer
Approach
Credit is approved Select a sample of sales
for sales on transactions from the sales
account journal and obtain the related
customer sales order to
determine that the credit
manager’s initials are present,
indicating approval of sales on
account
Auditing Through the
Computer
Obtain a copy of the client’s
sales application program
and related credit limit
master file and process a
test data sample of sales
transactions to determine
whether the application
software properly rejects
those test sales transactions
that exceed the customer’s
credit limit amount and
accepts all other
transactions.
Examples of Black-box and White-box Approach
Internal Control Auditing Around the Computer Auditing Through the
Approach Computer

Payroll is Select a sample of payroll Create a test data file of

processed only disbursements from the payroll valid and invalid
fro individuals journal and verify by reviewing employee ID numbers
currently human resource department files and process that file
employed that the payee is currently using a controlled copy
employed of the client’s payroll
application program to
determine that all invalid
employee ID numbers
are rejected and that all
valid employee ID
umbers are accepted
[ ]

50
 Used to establish the
application processing
integrity by processing
specially prepared sets of
input data:
Valid & Invalid data
To test every possible:
- Input error
- Logical processes
- Irregularity

51
52
 A version of Test Data method
wherein the set of test data is
Comprehensive
 Repetitive testing throughout
SDLC = consistent and valid
results
 When application is modified,
subsequent test (new) results
can be compared with base
case result

53
 Test data technique that takes step-
by-step walk through application
1) The trace option must be enabled
for the application
2) Specific data or types of
transactions are created as test
data
3) Test data is “traced” through all
processing steps of the application,
and a listing is produced of all lines
of code as executed (variables,
results, etc.)

54
55
1) They employ white box
approach, thus providing
explicit evidence
2) Can be employed with
minimal disruption to
operations
3) They require minimal
computer expertise on the
part of the auditors

56
1) Auditors must rely on IS
personnel to obtain a copy of
the application for testing
2) Provides static picture of
application integrity
3) Relatively high cost to
implement = auditing
inefficiency

57
 ITF is an automated technique that
allows auditors to test logic and
controls during normal operations

1) Set up a dummy entity within the

application system
2) System able to discriminate
between ITF audit module
transactions and routine
transactions
3) Auditor analyzes ITF results
against expected results
58
59
 Auditor writes or obtains a copy of the
program that simulates key features or
processes to be reviewed / tested
1) Auditor gains a thorough
understanding of the application
under review
2) Auditor identifies those processes
and controls critical to the
application
3) Auditor creates the simulation using
program or Generalized Audit
Software (GAS)
4) Auditor runs the simulated program
using selected data and files
5) Auditor evaluates results and
reconciles differences

60
 Production
Transactions Master File

Auditor prepares a
Program to Simulate All Auditor-prepared Client Application
or Part of a Client’s Program System Program
Application System

Auditor Client
Results Results

Auditor makes
comparisons between
Client’s application system
output and the Auditor-
prepared Program Output
61
62