
Computer-Assisted Audit Tools and Techniques

APPLICATION CONTROLS

Application controls are programmed procedures designed to deal with potential exposures that
threaten specific applications, such as payroll, purchases, and cash disbursements systems.

Application controls fall into three broad categories:

1. input controls
2. processing controls, and
3. output controls

Input Controls

Input controls are designed to ensure that the transactions entering the system are valid, accurate, and complete.

• Data input procedures can be either:
- source document-triggered (batch), or
- direct input (real time).

Classes of Input Controls

1. Source document controls
- Controls in systems using physical source documents
- Exposure: source document fraud
- To control for this exposure, control procedures are needed over source documents to account for each one:
  • Use pre-numbered source documents
  • Use source documents in sequence
  • Periodically audit source documents
2. Data coding controls
- Checks on data integrity during processing
- Transcription errors:
  • Addition errors – extra digits
  • Truncation errors – digit removed
  • Substitution errors – digit replaced
- Check digits:
  • Added to the code when it is created (suffix, prefix, or embedded)
  • Sum of digits – detects transcription errors only
  • Modulus 11: different weights per column – detects transposition and transcription errors
  • Introduce storage and processing inefficiencies
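As an added illustration (not part of the notes or of Hall's text), the following Python compares the two check-digit schemes just listed on a constructed four-digit account code: it generates a suffix check digit under each scheme and then shows which of the error classes above, plus a transposition, each scheme detects. The weighting convention (2, 3, 4, ... from the rightmost digit) and the use of 'X' for a check value of 10 are assumptions.

```python
def sum_of_digits_check(code: str) -> str:
    """Unweighted scheme: the check digit is the sum of the code's digits, mod 10."""
    return str(sum(int(d) for d in code) % 10)

def modulus_11_check(code: str) -> str:
    """Weighted scheme: weights 2, 3, 4, ... run from the rightmost digit leftwards;
    the check digit is 11 minus (weighted sum mod 11). A result of 11 is written
    as '0' and a result of 10 as 'X', since neither fits in a single digit."""
    weighted = sum(int(d) * w for d, w in zip(reversed(code), range(2, 2 + len(code))))
    check = (11 - weighted % 11) % 11
    return "X" if check == 10 else str(check)

def with_suffix(code: str, scheme) -> str:
    """Attach the check digit as a suffix (the notes also allow prefix or embedded)."""
    return code + scheme(code)

def passes_check(coded: str, scheme) -> bool:
    """Re-derive the check digit from the body and compare it with the stored one."""
    body, stored = coded[:-1], coded[-1]
    return scheme(body) == stored

def detection_table(original: str, corrupted: str) -> dict:
    """Keep the check digit computed for the original code, corrupt the body, and
    report whether each scheme detects the error (True) or lets it through (False)."""
    return {
        "sum_of_digits": not passes_check(corrupted + sum_of_digits_check(original),
                                          sum_of_digits_check),
        "modulus_11": not passes_check(corrupted + modulus_11_check(original),
                                       modulus_11_check),
    }

# Constructed account code and the error classes from the notes applied to it.
ACCOUNT = "5372"
ERRORS = {
    "transposition": "5732",   # two adjacent digits reversed
    "substitution": "5371",    # one digit replaced
    "truncation": "537",       # one digit dropped
    "addition": "53722",       # an extra digit keyed
}

if __name__ == "__main__":
    for kind, bad in ERRORS.items():
        print(f"{kind:<13}", detection_table(ACCOUNT, bad))
```

Only the transposition slips past the sum-of-digits scheme, because reversing two digits leaves their sum unchanged; the weighted modulus 11 scheme catches every case in the table.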
3. Batch controls
- Batch controls are an effective method of managing high volumes of transaction data through a system. The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:

• All records in the batch are processed.
• No records are processed more than once.
• An audit trail of transactions is created from input through processing to the output stage of the system.

The batch transmittal sheet captures relevant information such as the following about
the batch.
• A unique batch number
• A batch date
• A transaction code (indicating the type of transactions, such as a sales order or cash
receipt)
• The number of records in the batch (record count)
• The total dollar value of a financial field (batch control total)
• The total of a unique nonfinancial field (hash total)
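Added example, not from the notes or from Hall: reconciling the three batch figures listed above (record count, control total, hash total) against a constructed transmittal sheet. The scenarios show what the reconciliation catches (a dropped or duplicated record, a mis-keyed account number) and what it cannot (amounts keyed against the wrong accounts, which leaves every total unchanged). Batch number, date, accounts and amounts are all constructed values.

```python
from decimal import Decimal

FIGURES = ("record_count", "control_total", "hash_total")

def batch_figures(records: list) -> dict:
    """Recompute the three batch figures from the records that were processed:
    record count, financial control total (amount) and hash total over account numbers."""
    return {
        "record_count": len(records),
        "control_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }

def figure_mismatches(transmittal: dict, records: list) -> list:
    """Compare the recomputed figures with the transmittal sheet and return the names
    of the figures that disagree. An empty list means the batch reconciles."""
    actual = batch_figures(records)
    return [f for f in FIGURES if actual[f] != transmittal[f]]

# Constructed sales-order batch and the transmittal sheet prepared for it.
TRANSMITTAL = {
    "batch_number": "B-1042", "batch_date": "2024-03-05", "transaction_code": "SO",
    "record_count": 3, "control_total": Decimal("450.00"), "hash_total": 30330,
}
RECORDS = [
    {"account": "10110", "amount": "120.00"},
    {"account": "10115", "amount": "80.00"},
    {"account": "10105", "amount": "250.00"},
]

# Scenarios: three the reconciliation detects, one it cannot.
DROPPED = RECORDS[:2]                                   # a record lost between runs
DUPLICATED = RECORDS + RECORDS[:1]                      # a record processed twice
TRANSPOSED = [dict(RECORDS[0], account="10101")] + RECORDS[1:]   # account mis-keyed
SWAPPED = [dict(RECORDS[0], amount="80.00"),            # amounts posted to the wrong
           dict(RECORDS[1], amount="120.00"), RECORDS[2]]  # accounts: all totals agree

if __name__ == "__main__":
    for name, batch in [("as entered", RECORDS), ("dropped", DROPPED),
                        ("duplicated", DUPLICATED), ("transposed", TRANSPOSED),
                        ("swapped", SWAPPED)]:
        print(f"{name:<11}", figure_mismatches(TRANSMITTAL, batch) or "reconciles")
```

The swapped case is why batch totals are paired with the validation controls that follow: the totals prove nothing was lost or duplicated, not that each value landed on the right record.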

4. Validation controls
- Intended to detect errors in data before processing
- Most effective if performed close to the source of the transaction
- Some require referencing a master file

Validation controls operate at three levels:

Field interrogation
- Missing data checks
- Numeric-alphabetic data checks
- Zero-value checks
- Limit checks
- Range checks
- Validity checks
- Check digit

Record interrogation
- Reasonableness checks
- Sign checks
- Sequence checks

File interrogation
- Internal label checks (tape)
- Version checks
- Expiration date checks
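Added example (not from the notes): a validation routine that applies the field interrogation and record interrogation checks above to a constructed payroll time record before it is accepted for processing. The employee master file, weekly hour limit, pay-rate range and reasonableness ceiling are assumed values; file interrogation (labels, versions, expiry dates) is not covered by this block.

```python
EMPLOYEE_MASTER = {"E1001", "E1002", "E1003"}   # constructed master file (validity check)
MAX_WEEKLY_HOURS = 60                            # constructed limit check ceiling
PAY_RATE_RANGE = (15.00, 120.00)                 # constructed range check bounds
MAX_WEEKLY_GROSS = 5000.00                       # constructed reasonableness ceiling

def is_numeric(value) -> bool:
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False

def validate_record(rec: dict, previous_seq: int) -> list:
    """Apply field and record interrogation to one time record.
    Returns the control violations found; an empty list means accept."""
    errors = []
    # Field interrogation: each field examined on its own
    for field in ("seq", "employee_id", "hours", "rate"):
        if rec.get(field) in (None, ""):
            errors.append(f"missing data: {field}")
    for field in ("hours", "rate"):
        if rec.get(field) not in (None, "") and not is_numeric(rec[field]):
            errors.append(f"numeric-alphabetic: {field} is not numeric")
    if errors:
        return errors          # the remaining checks need complete, numeric fields
    hours, rate = float(rec["hours"]), float(rec["rate"])
    if hours == 0:
        errors.append("zero-value: hours is zero")
    if hours > MAX_WEEKLY_HOURS:
        errors.append("limit: hours exceed the weekly maximum")
    if not PAY_RATE_RANGE[0] <= rate <= PAY_RATE_RANGE[1]:
        errors.append("range: pay rate outside the permitted range")
    if rec["employee_id"] not in EMPLOYEE_MASTER:
        errors.append("validity: employee not on the master file")
    # Record interrogation: relationships within the record and with its neighbours
    if hours < 0 or rate < 0:
        errors.append("sign: negative hours or rate")
    if hours * rate > MAX_WEEKLY_GROSS:
        errors.append("reasonableness: gross pay implausible for one week")
    if rec["seq"] != previous_seq + 1:
        errors.append("sequence: record out of sequence")
    return errors

# Constructed time record that passes every check when it follows record 0.
SAMPLE_RECORD = {"seq": 1, "employee_id": "E1001", "hours": "40", "rate": "25.00"}

if __name__ == "__main__":
    print(validate_record(SAMPLE_RECORD, 0))
    print(validate_record(dict(SAMPLE_RECORD, hours="4O"), 0))   # letter O keyed for zero
```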

5. Input error correction
- When errors are detected in a batch, they must be corrected and the records resubmitted for reprocessing. This must be a controlled process to ensure that errors are dealt with completely and correctly.
- There are three common error handling techniques:
  • correct immediately,
  • create an error file, and
  • reject the entire batch.
6. Generalized data input systems (GDIS)
- This technique includes centralized procedures to manage the data input for all of the organization's transaction processing systems.

A GDIS has five major components:
1. Generalized validation module
2. Validated data file
3. Error file
4. Error reports
5. Transaction log

Processing Controls

After passing through the data input stage, transactions enter the processing stage of
the system.

Processing controls are divided into three categories:

1. Run-to-run controls
- Use batch figures to monitor the batch as it moves from one programmed procedure (run) to another.

2. Operator intervention controls
- Apply when an operator manually enters control values into the system
- Preference is for such values to be derived by program logic or supplied by the system

3. Audit trail controls
- Every transaction becomes traceable from input to output
- Each processing step is documented
- Preserving the audit trail is the key to the auditability of the AIS
- Transaction logs:
  • Log of automatic transactions
  • Listing of automatic transactions
  • Unique transaction identifiers (serial numbers)
  • Error listing

Output Controls

- Ensure that system output is:
  • Not misplaced
  • Not misdirected
  • Not corrupted
  • Not in violation of the privacy policy
- Batch systems are more susceptible to exposure and require greater controls

Output spooling – risks:
- Access the output file and change critical data values
- Access the file and change the number of copies to be printed
- Make a copy of the output file so that illegal output can be generated
- Destroy the output file before printing takes place

Print Programs
Print program controls are designed to deal with two types of exposures presented by this environment:
(1) the production of unauthorized copies of output, and
(2) employee browsing of sensitive data.

Bursting
The primary control against these exposures is supervision. For very sensitive reports,
bursting may be performed by the end user.

Waste
It is important to dispose of aborted reports and the carbon copies from multipart paper
removed during bursting properly.

Data control
The data control group is responsible for verifying the accuracy of computer output
before it is distributed to the user.

Report Distribution
The primary risks associated with report distribution include reports being lost, stolen, or misdirected in transit to the user. A number of control measures can minimize these exposures. Maintaining adequate access control over the output file becomes highly important.

End user controls

Once in the hands of the user, output reports should be re-examined for any errors that may have evaded the data control clerk's review. Users are in a far better position to identify subtle errors in reports that are not disclosed by an imbalance in control totals. Errors detected by the user should be reported to the appropriate computer services management.

Controlling real-time systems output

- Real-time output eliminates intermediaries
- Threats: interception, disruption, destruction, corruption
- Exposures: equipment failure, subversive acts

TESTING COMPUTER APPLICATION CONTROLS

• Two general approaches:

1. Black Box (around the computer) Approach
- Ignores the internal logic of the application
- Uses the application's functional characteristics:
  • Flowcharts
  • Interviews with key personnel
- Advantage: the application does not have to be removed from operations to test it

2. White Box (through the computer) Approach
- Relies on an in-depth understanding of the internal logic of the application being tested. The white-box approach includes several techniques for testing application logic directly.

• Some of the more common types of tests of controls include the following:
1. Authenticity tests - which ensure that the application prevents authorized users
from unauthorized access to data. Authenticity controls include user IDs, passwords,
valid vendor codes, and authority tables.
2. Accuracy tests - which ensure that the system processes only data values that
conform to specified tolerances
3. Completeness tests - which identify missing data within a single record and entire
records missing from a batch. The types of tests performed are field tests, record
sequence tests, hash totals, and control totals.
4. Redundancy tests - which determine that an application processes each record only
once.
5. Access tests - which ensure that the application prevents authorized users from
unauthorized access to data. Access controls include passwords, authority tables,
user defined procedures, data encryption, and inference controls.
6. Audit trail tests - which ensure that the application creates an adequate audit trail.
7. Rounding error tests - which verify the correctness of rounding procedures.
Rounding errors occur in accounting information when the level of precision used in
the calculation is greater than that used in the reporting.
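Added example (not from the notes): an auditor's rounding error test of the kind described in item 7. Interest is calculated at full precision and reported in whole cents; the test re-performs the calculation for constructed balances, flags any posting that is not the correctly rounded amount, and reports the residual between the rounded true total and what was posted. The rate, balances and posted amounts are assumed values, and half-up rounding to cents is the assumed reporting procedure.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.04375")   # constructed: 4.375 % per annum

def monthly_interest(balance: Decimal) -> Decimal:
    """Calculation precision: full Decimal precision, more than is ever reported."""
    return balance * ANNUAL_RATE / 12

def reported(amount: Decimal) -> Decimal:
    """Reporting precision: whole cents, rounded half-up (the procedure under test)."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)

def rounding_error_test(balances: dict, posted: dict):
    """Re-perform the interest calculation for every account and compare it with
    what the application posted. Returns (exceptions, residual): the accounts whose
    posting is not the correctly rounded amount, and the difference between the
    rounded exact total and the sum of the postings. A correct procedure yields no
    exceptions and a zero residual; truncation instead of rounding shows up in both."""
    exceptions = []
    exact_total = Decimal("0")
    posted_total = Decimal("0")
    for acct, balance in balances.items():
        exact = monthly_interest(balance)
        exact_total += exact
        posted_total += posted[acct]
        if posted[acct] != reported(exact):
            exceptions.append(acct)
    return exceptions, reported(exact_total) - posted_total

# Constructed month-end balances and two sets of postings to test against them.
BALANCES = {"A-01": Decimal("1234.56"), "A-02": Decimal("789.01"),
            "A-03": Decimal("10000.00")}
POSTED_ROUNDED = {"A-01": Decimal("4.50"), "A-02": Decimal("2.88"),
                  "A-03": Decimal("36.46")}       # application rounds correctly
POSTED_TRUNCATED = {"A-01": Decimal("4.50"), "A-02": Decimal("2.87"),
                    "A-03": Decimal("36.45")}     # application drops the extra cents

if __name__ == "__main__":
    print(rounding_error_test(BALANCES, POSTED_ROUNDED))     # ([], Decimal('0.00'))
    print(rounding_error_test(BALANCES, POSTED_TRUNCATED))   # (['A-02', 'A-03'], Decimal('0.02'))
```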

COMPUTER-AIDED AUDIT TOOLS AND TECHNIQUES FOR TESTING CONTROLS

CAATT has five approaches:

1. Test Data Method
2. Base Case System Evaluation (BCSE)
3. Tracing
4. The Integrated Test Facility (ITF)
5. Parallel Simulation

Test Data Method

The test data method is used to establish application integrity by processing specially prepared sets of input data through production applications that are under review. The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic and control effectiveness.

Base Case System Evaluation (BCSE)

When the set of test data in use is comprehensive, the technique is called the base case system evaluation (BCSE). BCSE tests are conducted with a set of test transactions containing all possible transaction types.

Tracing
Tracing performs an electronic walkthrough of the application's internal logic.
• The tracing procedure involves three steps:
1. The application under review must undergo a special compilation to activate the trace option.
2. Specific transactions or types of transactions are created as test data.
3. The test data transactions are traced through all processing stages of the program, and a listing is produced of all programmed instructions that were executed during the test.

• Advantages of Test Data Techniques:
1. They employ through-the-computer testing, thus providing the auditor with explicit evidence concerning application functions.
2. Test data runs can be employed with only minimal disruption to the organization's operations.
3. They require only minimal computer expertise on the part of auditors.

• Disadvantages of Test Data Techniques:
1. Auditors must rely on computer services personnel to obtain a copy of the application for test purposes.
2. They provide a static picture of application integrity at a single point in time.
3. Relatively high cost of implementation, which results in audit inefficiency.

The Integrated Test Facility (ITF)
The integrated test facility (ITF) approach is an automated technique that enables the auditor to test an application's logic and controls during its normal operation. The ITF is one or more audit modules designed into the application during the systems development process.

• Advantages of ITF:
1. ITF supports ongoing monitoring of controls as required by SAS 78.
2. Applications with ITF can be economically tested without disrupting the user's operations and without the intervention of computer services personnel.

• Disadvantage of ITF:
1. The potential for corrupting the data files of the organization with test data.

• This problem is remedied in two ways:
1. Adjusting entries may be processed to remove the effects of ITF from general ledger account balances.
2. Data files can be scanned by special software that removes the ITF transactions.

Parallel Simulation
Parallel simulation requires the auditor to write a program that simulates key features or processes of the application under review. The simulated application is then used to reprocess transactions that were previously processed by the production application.

• There are five steps in performing parallel simulation testing:
1. The auditor must first gain a thorough understanding of the application under review.
2. The auditor must then identify those processes and controls in the application that are critical to the audit.
3. The auditor creates the simulation using a 4GL or generalized audit software (GAS).
4. The auditor runs the simulation program using selected production transactions and master files to produce a set of results.
5. Finally, the auditor evaluates and reconciles the test results with the production results produced in a previous run.

Differences in output results occur for two reasons:
1. the inherent crudeness of the simulation program
2. real deficiencies in the application's processes or controls, which are made apparent by the simulation program.

Reference: Information Technology Auditing, 3rd edition, James Hall
