CHAPTER 5 - Quality of AISs and their output rests directly on
SYSTEMS DEVELOPMENT & PROGRAM CHANGE
ACTIVITIES
SYSTEM DEVELOPMENT PROCESS
- constitutes a set of activities by which
organizations obtain IT-based information
systems.
PARTICIPANTS IN SYSTEMS DEVELOPMENT
SYSTEMS PROFESSIONALS
- gather and analyze facts about problems with
current system and formulate a solution.
- The product of their efforts is a new
- Accountants are responsible for conceptual system,
information system.
- are systems analysts, systems engineers,
database designers, and programmers.
END USERS
- are those for whom the system is built.
- During systems development, systems
professionals work with the primary users to
obtain an understanding of the users’ problems
and a clear statement of their needs.
- These include managers, operations personnel
from various functional areas including
accountants, and internal auditors.
STAKEHOLDERS
- are individuals who have an interest in the
system but are not formal end users.
- These include the internal steering committee
that oversees systems development, internal
auditors including IT auditors, and external
auditors acting as consultants or serving in the
role of internal auditor.
- to ensure that user’s needs are met, that
adequate internal controls are designed into
the information systems under construction,
and that the systems development process
itself is properly implemented and controlled.
Why Are Accountants Involved with SDLC?
- Creation/purchase of IS consumes significant
resources and has financial resource
implications.
SDLC activities that produce them.
How are Accountants Involved with SDLC?
- As Users and must provide clear picture of their
problems/needs.
- Accountants are members of development
team.
- Accountants are involved in systems
development as auditors to ensure system is
designed with appropriate computer audit
techniques.
The Role of the Accountant
and systems professionals are responsible for
physical system. If important accounting
considerations are not conceptualized at this point,
they may be overlooked and expose organization to
potential financial loss. Auditability of a system
depends in part on its design characteristics.
Systems Strategy
- Help reduce risk of creating unneeded,
unwanted, inefficient, ineffective systems
Conceptual Design
- Control implications
- Auditability of system
Systems Selection
- Economic feasibility
INFORMATION SYSTEMS ACQUISITION
IN HOUSE DEVELOPMENT
- Many organizations require systems that are
highly tuned to their unique operations. Such
firms frequently design their own information
systems through in-house systems development
activities
- requires maintaining a full-time systems staff of
analysts and programmers who identify user
information needs and create custom systems.
COMMERCIAL SYSTEMS
- A popular option is to purchase commercial
systems from software vendors. Managements
| jg
 are thus confronted with many competing
packages, some with features in common and
others with unique features and attributes that
they must choose between.
TRENDS IN COMMERCIAL SOFTWARE
- Four factors have contributed to the growth of
the commercial software market:
1. LOW COST - the relatively low cost of
general commercial software as compared
to customized software
2. EMERGENCE OF SOFTWARE INSDUSTRY -
the emergence of industry-specific vendors
who target their software to the needs of
particular types of businesses
3. GROWING DEMAND OF BUSINESSES - a
growing demand from businesses that are
too small to afford in-house systems’
development staff
4. DOWNSIZING // DDP IT ENVIRONMENT -
the trend toward downsizing organizational
units and the move toward distributed data
processing has made the commercial
software option appealing to larger
organizations.
TYPES OF COMMERCIAL SYSTEMS
TURNKEY SYSTEMS
- are completely finished and tested systems that
are ready for implementation.
- are usually sold only as compiled program
modules, and users have limited ability to
customize them to their specific needs
- These are often general-purpose systems or
systems customized to a specific industry
GENERAL ACCOUNTING SYSTEMS
- designed to serve a wide variety of user needs
- By mass-producing a standard system, the
vendor is able to reduce the unit cost of these
systems to a fraction of in-house development
costs.
SPECIAL PURPOSE SYSTEMS
- Some software vendors create special-purpose
systems that target selected segments of the
economy.
OFFICE AUTOMATION SYSTEMS
- computer systems that improve the
productivity of office workers.
BACKBONE SYTEMS
- provide a basic system structure on which to
build. Backbone systems come with all the
primary processing modules programmed.
VENDOR SUPPORTED SYSTEMS
- custom systems that the vendor develops and
maintains for the client organization
ADVANTAGES OF COMMERCIAL SOFTWARE
IMPLEMENTATION TIME
- commercial software can be implemented
almost immediately once a need is recognized.
The user does not have to wait.
COST
- Since the cost of commercial software is spread
across many users, however, the unit cost is
reduced to a fraction of the cost of an in-house
developed system.
RELIABILITY
- Most reputable commercial software packages
are thoroughly tested before their release to
the consumer market. Although no system is
certified as being free from errors, commercial
software is less likely to have errors than an
equivalent in-house system.
DISADVANTAGES OF COMMERCIAL SOFTWARE
INDEPENDENCE
- Purchasing a vendor-supported system makes
the firm dependent on the vendor for
maintenance.
- This is perhaps the greatest disadvantage of
vendor-supported systems
THE NEED FOR CUSTOMIZED SYSTEM (becomes
dependent on vendor)
| jg
 - Sometimes, the user’s needs are unique and
complex, and commercially available software is
either too general or too inflexible.
MAINTENANCE
- Business information systems undergo frequent
changes. If the user’s needs change, it may be
difficult or even impossible to modify
commercial software.
SYSTEMS DEVELOPMENT LIFE CYCLE
- The length of the systems development life
cycle will vary among business organizations
depending on their industry, competition
pressure, the degree to which technological
innovation impacts the company, and the scale
of the project.
PHASE I: SYSTEMS PLANNING
- Objective of Systems Planning is to link
individual projects or applications to the
strategic objectives of the firm.
- Most firms that take systems planning seriously
establish a systems steering committee to
provide guidance and review the status of
system projects.
Systems planning occurs at two levels: strategic
systems planning and project planning.
STRATEGIC SYSTEMS PLANNING
- allocation, processing, budgeting, informed
decisions by systems specialists
Why Perform Strategic Systems Planning?
1. A plan that changes constantly is better than no
plan at all
2. Strategic planning reduces the crisis component
in systems development
3. Strategic systems planning provides
authorization control for the SDLC
4. Cost management
PROJECT PLANNING
- allocate resources to individual applications
within the framework of the strategic plan.
- This involves identifying areas of user needs,
preparing proposals, evaluating each proposal’s
feasibility and contribution to the business plan,
prioritizing individual projects, and scheduling
the work to be done.
- The basic purpose of project planning is to
allocate scarce resources to specific projects.
The product of this phase consists of two formal
documents: the project proposal and the project
schedule
PROJECT PROPOSAL
- provides management with a basis for deciding
whether to proceed with the project.
1. it summarizes the findings of the study
conducted to this point into a general
recommendation for a new or modified
system
2. the proposal outlines the linkage between
the objectives of the proposed system and
the business objectives of the firm,
especially those outlined in the IT strategic
plan
PROJECT SCHEDULE
- represents management’s commitment to the
project.
- a budget of the time and costs for all the phases
of the SDLC
➢ AUDITOR’S ROLE: Adequate Systems Planning
Takes Place
PHASE II: SYSTEMS ANALYSIS
| jg
SYSTEMS ANALYSIS – two-step process
1. THE SURVEY STEP
2. ANALYSIS OF THE USER’S NEEDS
THE SURVEY STEP
DISADVANTAGES OF SURVEYING THE CURRENT
SYSTEM
- Current Physical Tar Pit
• used to describe the tendency on the
part of the analyst to be “sucked in”
and then “bogged down” by the task of
surveying the current dinosaur system.
- Thinking inside the box
• By studying and modeling the old
system, the analyst may develop a
constrained notion about how the new
system should function.
• The result is an improved current
system rather than a radically new
approach
ADVANTAGES OF SURVEYING THE CURRENT
SYSTEM
- Identifying what aspects of the old system
should be kept
- Forcing systems analysts to fully understand the
system
- Isolating the root of problem symptoms
GATHETING FACTS
- The facts gathered by the analyst are pieces of
data that describe key features, situations, and
relationships of the system.
System facts fall into the following broad classes
GATHERING FACTS IN THE SURVEY OF THE CURRENT
SYSTEM
- DATA SOURCES
• These include external entities, such as
customers or vendors, as well as
internal sources from other
departments.
- DATA STORES
• Data stores are the files, databases,
accounts, and source documents used
in the system.
- DATA PROCESSES
• Processing tasks are manual or
computer operations that represent a
decision or an action triggered by
information.
- DATA FLOWS
• Data flows are represented by the
movement of documents and reports
between data sources, data stores,
processing tasks, and users.
• Data flows can also be represented in
Unified Modeling Language (UML)
diagrams
- CONTROLS
• These include both accounting and
operational controls and may be
manual procedures or computer
controls
- TRANSACTION VOLUMES
• Understanding the characteristics of a
systems transaction volume and its rate
of growth are important elements in
assessing capacity requirements for the
new system
- ERROR RATES
• As a system reaches capacity, error
rates increase to an intolerable level.
• Although no system is perfect, the
analyst must determine the acceptable
error tolerances for the new system.
- RESOURCE COSTS
• The resources used by the current
system include the costs of labor,
computer time, materials (such as
invoices), and direct overhead.
- BOTTLENECK AND REDUNDANT OPERATIONS
• The analyst should note points where
data flows come together to form a
bottleneck.
• By identifying these problem areas
during the survey phase, the analyst can
avoid making the same mistakes in the
design of the new system
FACT-GATHERING TECHNIQUES
Systems analysts employ several techniques to gather
the previously cited facts
| jg
 - OBSERVATION
• Observation involves passively watching
the physical procedures of the system.
- TASK PARTICIPATION
SYSTEMS DEVELOPMENT ACTIVITIES
• the analyst takes an active role in
performing the user’s work. This allows
the analyst to experience first-hand the
problems involved in the operation of
the current system.
- PERSONAL INTERVIEWS
• Interviewing is a method of extracting
facts about the current system and user
perceptions about the requirements for
the new system.
PHASE III - CONCEPTUAL SYSTEM DESIGN
OPEN-ENDED QUESTIONS - allow users to
elaborate on the problem as they see it and
offer suggestions and recommendations
QUESTIONNARES - used to ask more
specific, detailed questions and to restrict
the user’s responses.
- REVIEWING KEY DOCUMENTS
STRUCTURED DESIGN APPROACH (uses DFD)
• The organization’s documents are
another source of facts about the
system being surveyed.
THE ANALYSIS STEP
- Systems analysis is an intellectual process that
is commingled with fact gathering
SYSTEMS ANALYSIS REPORT
- The event that marks the conclusion of the
systems analysis phase is the preparation of a
formal systems analysis report.
- This report presents to management or the
steering committee the survey findings, the
problems identified with the current system,
the user’s needs, and the requirements of the
new system
- The systems analysis report should establish in
THE OBJECT-ORIENTED APPROACH (uses standard
clear terms the data sources, users, data files,
components) ITERATIVE APPROACH
general processes, data flows, controls, and
transaction volume capacity.
- The systems analysis report does not specify the
detailed design of the proposed system.
AUDITORS ROLE
- An accountant is a stakeholder; therefore it
should be involved in the analysis of needs of
the proposed system for advanced features
- Authorizing development of new systems
- Addressing and documenting user needs
- Technical design phases
- Participation of internal auditors
- Testing program modules before implementing
• Testing individual modules by a team of
users, internal audit staff, and systems
professionals
- To produce several alternative conceptual
systems that satisfy the system requirements
identified during systems analysis
This section describes two approaches to
conceptual systems design: the structured
approach and the object-oriented approach.
- disciplined way of designing systems from the
top down
- It consists of starting with the “big picture” of
the proposed system that is gradually
decomposed into more and more detail until it
is fully understood.
- the business process under design is usually
documented by data flow and structure
diagrams.
- The designs should identify all the inputs,
outputs, processes, and special features
necessary to distinguish one alternative from
another.
- Identify/ compare all the distinguishing
features, input, process, output from one
design to another
- to build information systems from reusable
standard components or objects
- The benefits of this approach include reduced
time and cost for development, maintenance,
| jg
 and testing and improved user support and
flexibility in the development process
➢ Auditor’s Role as a Stakeholder, at least has an
interest in the conceptual design, because of
the impact on audit
PHASE IV – SYSTEM EVALUATION & SELECTION
- procedure for selecting the one system from
the set of alternative conceptual designs that
will go to the detailed design phase.
- optimization process that seeks to identify the
best system.
- to structure this decision-making process and
thereby reduce both uncertainty and the risk of
making a poor decision
The evaluation and selection process involves two
steps: Perform a detailed feasibility study and
perform a cost–benefit analysis
PERFORM A DETAILED FEASIBILITY STUDY
- Technical Feasibility – whether the system can
be developed in existing technology or if new
technology is needed
- Economic Feasibility – availability of funds to
complete the project
- Legal Feasibility – identifies any conflicts
between conceptual concept & discharge
liabilities
- Operational Feasibility - shows the degree of
compatibility between the firm’s existing
procedures and personnel skills and the
operational requirements of the new system.
- Schedule Feasibility- firm’s ability to implement
w/in acceptable time
ACRONYM: TELOS
PERFORM A COST-BENEFIT ANALYSIS
1. Identify Cost - one-time costs vs recurring
costs
- One-time costs include the initial investment to
develop and implement the system
- Recurring costs include operating and
maintenance costs that recur over the life of
the system
2. Identify Benefits - These may be both
tangible and intangible
- Tangible benefits fall into two categories: those
that increase revenue and those that reduce
costs.
- Intangible benefits are often of overriding
importance in information system decisions,
they cannot be easily measured and quantified.
3. Compare Costs and Benefits
- Net Present Value Method, the present value of
the costs is deducted from the present value of
the benefits over the life of the system. When
comparing competing projects, the optimal
choice is the project with the greatest net
present value.
- Payback Period is a variation of break-even
analysis. Payback speed is often a decisive
factor. The length of the payback period often
takes precedence over other considerations
represented by intangible benefits.
- Break-even Point is reached when total costs
equal total benefits
AUDITOR’S ROLE IN EVALUATION AND SELECTION
- The internal auditor is concerned that the
economic feasibility of the proposed system is
measured as accurately as possible.
1. Escapable Costs
2. Interest Rates
3. One time & recurring Costs
4. Realistic Useful Lives
5. Intangible Values
PHASE V – DETAILED DESIGN
- to produce a detailed description of the
proposed system that both satisfies the system
requirements identified during systems analysis
and is in accordance with the conceptual design
PERFORM A SYSTEM DESIGN WALKTHROUGH
- to ensure that the design is free from
conceptual errors that could become
programmed into the final system.
- Many firms have formal, structured
walkthroughs conducted by a quality assurance
group
| jg
REVIEW SYSTEM DOCUMENTS - Serves as a frame of reference for auditor in
designing and evaluating future audit tests
- Inputs & source documents
(i.e. the system has not undergone any
- Outputs, reports & operational documents
change)
- Normalized data for database tables
- Update data dictionary PHASE VII- SYSTEM IMPLEMENTATION (GO LIVE)
- Processing logic or Flow Charts
- database structures are created and populated
PHASE VI – APPLICATION PROGRAMMING & TESTING with data, equipment is purchased and
installed, employees are trained, the system is
PROGRAM THE APPLICATION SOFTWTARE
documented, and the new system is installed
1. PROCEDURAL LANGUAGES are often called - complete engagement of programmers, users,
third-generation languages including designers, database administrators, users and
COBOL, FORTRAN, C, PL1. accountants
- requires the programmer to specify the - Activities in this entail extensive costs
precise order in which the program logic is
TESTING THE ENTIRE SYSTEM
executed
2. EVENT-DRIVEN LANGUAGES DOCUMENTING THE SYSTEM
- Microsoft’s Visual Basic is an example of an
- provides the auditor with essential information
event-driven language. It has a screen-
about how the system works.
painting feature that greatly facilitates the
1. DESIGNER AND PROGRAMMER
creation of sophisticated graphical user
DOCUMENTATION
interfaces (GUI)
- to debug errors and perform maintenance on
- designed to respond to external actions or
the system.
“events” that are initiated by the user.
2. OPERATOR DOCUMENTATION
3. OBJECT-ORIENTED LANGUAGES
- Computer operators use documentation called
- Central to achieving the benefits of the
a run manual, which describes how to run the
object-oriented approach, discussed
system.
previously, is developing software using an
3. USER DOCUMENTATION
object-oriented programming (OOP)
- Users need documentation describing how to
language such as C++ or Java.
use the system
PROGRAMMING THE SYSTEM - The nature of user documentation will depend
on the user’s degree of sophistication with
- follow modular approach regardless of the
computers and technology. Thus, before
language used
designing user documentation, the systems
1. Programming efficiency
professional must assess and classify the user’s
2. Maintenance Efficiency
skill level.
3. Control
• NOVICES - have little or no experience
TEST THE APPLICATION SOFTWARE with computers and are embarrassed to
ask questions
- All program modules must be thoroughly tested
• OCCASSIONAL USERS - once understood
before they are implemented.
the system but have forgotten some
1. TESTING METHODOLOGY
essential commands and procedures
- Identifying programming & logical errors
• FREQUENT LIGHT USERS - are familiar
2. TESTING OFFLINE BEFORE DEPLOYING ONLINE
with limited aspects of the system.
- Never Ever Underestimate (Testing
Although functional, they tend not to
Environment vs Actual Environment)
explore beneath the surface and lack
3. TEST DATA
depth of knowledge
- Should be retained for reuse

| jg
 • FREQUEMT POWER USERS - understand
the existing system and will readily
adapt to new systems. They are
intolerant of detailed instructions that
waste their time.
4. USER HANDBOOK
- user documentation often takes the form of a
user handbook, as well as online
documentation.
5. TUTORIALS
- can be used to train the novice or the
occasional user. The success of this technique is
based on the tutorial’s degree of realism
6. HELP FEATURES
- The help feature analyzes the context of what
the user is doing at the time of the error and
provides help with that specific function (or
command).
CONVERTING DATABASES
- transfer of data from its current form to the
format or medium required by the new system.
PRECAUTIONS
1. Validation
2. Reconciliation
3. Backup
CONVERTING TO THE NEW SYSTEM
- The process of converting from the old system
to the new one is called the cutover.
A system cutover will usually follow one of three
approaches: cold turkey, phased, or parallel operation
COLD TURKEY
- also called the “Big Bang” approach
- When implementing simple systems, this is
often the easiest and least costly approach.
With more complex systems, it is the riskiest.
- most risky; all at once
PHASED CUTOVER
- begins operating the new system in modules
- by modules; gradual
PARALLEL OPERATION CUTOVER
- involves running the old system and the new
system simultaneously for a period of time
- The advantage of parallel cutover is the
reduction in risk. By running two systems, the
user can reconcile outputs to identify errors and
debug errors before running the new system
solo.
- simultaneous; reconciliation
THE AUDITOR’S ROLE IN SYSTEM IMPLEMENTATION
1. Provide Technical Expertise
2. Specify Documentation Standards
3. Verify Control Adequacy & Compliance w/ SOX
POST IMPLEMENTATION REVIEW
4. Systems Design Adequacy
5. Accuracy of Time, Cost and Benefit Estimates
PHASE VIII- SYSTEMS MAINTENANCE
- formal process by which application programs
undergo changes to accommodate changes in
user needs.
- It could be extensive
- Maintenance represents significant outlay
compared to initial development costs.
SYSTEM MAINTENANCE INTERNAL CONTROLS
- Last, longest and most costly phase of SDLC
• Up to 80-90% of entire cost of a system
AUDIT PROCEDURES:
- All maintenance actions should require
• Technical specifications
• Testing
• Documentation updates
• Formal authorizations for changes
CONTROLLING NEW SYSTEMS DEVELOPMENT
- Systems Authorization Activities
- User Specifications Activities
- Technical Design Activities
- Internal Audit Participation
- User Test and Acceptance Procedure
SYSTEMS DEVELOPMENT
Auditing objectives: ensure that
| jg
 - SDLC activities applied consistently and in
accordance with management’s policies
- system as originally implemented was free from
material errors and fraud
- system was judged to be necessary and justified
at various checkpoints throughout the SDLC
- system documentation is sufficiently accurate
and complete to facilitate audit and
maintenance activities
SYSTEMS DEVELOPMENT INTERNAL CONTROLS
AUDIT PROCEDURE:
- New systems must be authorized.
- Feasibility studies conducted.
- User needs analyzed and addressed.
- Cost-benefit analysis completed.
- Proper documentation completed.
- All program modules thoroughly tested before
implementation.
- Checklist of problems was kept.
- Systems documentation complies with
organizational requirements
CONTROLLING SYSTEMS MAINTENANCE
- Maintenance Authorization, Testing &
Documentation
- Source Program Library Controls – where
application program source code are stored
- SPL – No Controls
- Controlled SPLMS Environment
1. Storing programs on the SPL
2. Retrieving programs for maintenance
purposes
3. Deleting obsolete programs from lib
4. Documenting program changes to provide
audit trail of the changes
• Password Control
• Separate Test Libraries
• Audit Trail & Management Reports
• Program Version Numbers
• Controlling Access to Maintenance
Commands
RECONCILE
- Auditor compares the current program version
number in the documentation file vs current
version number of the production program
- Auditor reconciles program maintenance
requests, program listings and program changes
to verify the need for and accuracy of program
PROGRAM CHANGES– SYSTEM MAINTENANCE
Auditing objectives: detect any unauthorized program
maintenance and determine that
- maintenance procedures protect applications
from unauthorized changes
• Reconcile program version numbers
• Confirm maintenance authorization
- applications are free from material errors
• Reconcile the source code
• Review test results
• Retest the program
- program libraries (where programs are stored)
are protected from unauthorized access
• Review programmer authority table
• Test authority table
CHAPTER 6
TRANSACTION PROCESSING & FINANCIAL
REPORTING SYSTEMS OVERVIEW
FINANCIAL TRANSACTION
- an economic event that affects the assets and
equities of the firm, is reflected in its accounts,
and is measured in monetary terms
- similar types of transactions are grouped
together into three transaction cycles:
1. the expenditure cycle,
2. the conversion cycle, and
3. the revenue cycle.
RELATIONSHIP BETWEEN TRANSACTION CYCLE
| jg
 - a product document of one system that
becomes a source document for another
system

JOURNALS

- a record of chronological entry

• SPECIAL JOURNALS - specific classes of
transactions that occur in high
frequency
• GENERAL JOURNAL - nonrecurring,
infrequent, and dissimilar transactions

LEDGER

- a book of financial accounts

• GENERAL LEDGER - shows activity for
EXPENDITURE CYCLE
each account listed on the chart of
- time lag between the two due to credit accounts
relations with suppliers: • SUBSIDIARY LEDGER - shows activity by
1. physical component (acquisition of goods) detail for each account type
2. financial component (cash disbursements
Flow of Economic Events into the General Ledger
to the supplier)

CONVERSION CYCLE

1. the production system (planning, scheduling,

and control of the physical product through the
manufacturing process)
2. the cost accounting system (monitors the flow
of cost information related to production)

REVENUE CYCLE

- : time lag between the two due to credit ACCOUNTING RECORDS IN A COMPUTER-BASED
relations with customers : SYSTEM
1. physical component (sales order
processing)
2. financial component (cash receipts)

MANUAL SYSTEM ACCOUNTING RECORDS

SOURCE DOCUMENTS

- used to capture and formalize transaction data

needed for transaction processing

PRODUCT DOCUMENTS

- the result of transaction processing

TURNAROUND DOCUMENTS

| jg

EXPLANATION OF STEPS IN FIGURE:
1. Compare the AR balance in the balance sheet
with the master file AR control account balance.
2. Reconcile the AR control figure with the AR
subsidiary account total.
3. Select a sample of update entries made to
accounts in the AR subsidiary ledger and trace
these to transactions in the sales journal
(archive file).
4. From these journal entries, identify source
documents that can be pulled from their files
and verified. If necessary, confirm these source
documents by contacting the customers.
AUDIT TRAIL
- Accountants should be able to trace in both
directions.
- Sampling and confirmation are two common
techniques.
Example of Tracing an Audit Trail
COMPUTER-BASED SYSTEMS
- The audit trail is less observable in computer-
based systems than traditional manual systems.
- The data entry and computer programs are the
physical trail.
- The data are stored in magnetic files
COMPUTER FILES
➢ Master File - generally contains account data
(e.g., general ledger and subsidiary file)
➢ Transaction File - a temporary file containing
transactions since the last update
➢ Reference File - contains relatively constant
information used in processing (e.g., tax tables,
customer addresses)
➢ Archive File - contains past transactions for
reference purposes
DOCUMENTATION TECHNIQUES
- Documentation in a CB environment is
necessary for many reasons.
Five common documentation techniques:
1. Entity Relationship Diagram
2. Data Flow Diagrams
3. Document Flowcharts
4. System Flowcharts
5. Program Flowcharts
ENTITY RELATIONSHIP DIAGRAM (ERD)
- is a documentation technique to represent the
relationship between entities in a system.
| jg
 - The REA model version of ERD is widely used in - illustrate the relationship among processes and
AIS. REA uses 3 types of entities: the documents that flow between them
• resources (cash, raw materials) - contain more details than data flow diagrams
• events (release of raw materials into - clearly depict the separation of functions in a
the production process) system
• agents (inventory control clerk, vendor,
SYMBOL SET FOR DOCUMENT FLOWCHARTS
production worker

CARDINALITIES

- represents the numerical mapping between

entities:
• one-to-one
• one-to-many
• many-to-many

DATA FLOW DIAGRAMS

- use symbols to represent the processes, data

sources, data flows, and entities in a system
- represent the logical elements of the system
- do not represent the physical system

SYSTEM FLOWCHARTS
DOCUMENTS FLOWCHART

| jg
 - are used to represent the relationship between - illustrate the logic used in programs
the key elements--input sources, programs, and
PROGRAM FLOWCHART SYMBOLS
output products--of computer systems
- depict the type of media being used (paper,
magnetic tape, magnetic disks, and terminals)
- in practice, not much difference between
document and system flowcharts

SYSTEMS FLOWCHART SYMBOLS

MODERN SYSTEMS VERSUS LEGACY SYSTEMS

MODERN SYSTEMS CHARACTERISTICS

- client-server based and process transactions in

real time
- use relational database tables
- have high degree of process integration and
data sharing
- some are mainframe based and use batch
processing

Some firms employ legacy systems for certain aspects of

their data processing.

- Accountants need to understand legacy

systems.

LEGACY SYSTEMS CHARACTERISTICS

- mainframe-based applications
- batch oriented
- early legacy systems use flat files for data
storage
- later legacy systems use hierarchical and
network databases
- data storage systems promote a single-user
environment that discourages information
integration

UPDATING MASTER FILES: PRIMARY KEYS (PK) AND

SECONDARY KEYS (SK)

PROGRAM FLOWCHASRTS

| jg
DATABASE BACKUP PROCEDURES
- Destructive updates leave no backup.
- To preserve adequate records, backup
procedures must be implemented, as shown
below
• The master file being updated is copied
as a backup.
• A recovery program uses the backup to
create a pre-update version of the
master file.
COMPUTER-BASED ACCOUNTING SYSTEMS
Two broad classes of systems:
1. batch systems
2. real-time systems
BATCH PROCESSING
- A batch is a group of similar transactions that
are accumulated over time and then processed
together.
- The transactions must be independent of one
another during the time period over which the
transactions are accumulated in order for batch
processing to be appropriate.
- A time lag exists between the event and the
processing.
BATCH PROCESSING/SEQUENTIAL FILE
STEPS IN BATCH PROCESSING/SEQUENTIAL FILE
1. Keystroke - source documents are transcribed
by clerks to magnetic tape for processing later
2. Edit Run - identifies clerical errors in the batch
and places them into an error file
3. Sort Run - places the transaction file in the
same order as the master file using a primary
key
4. Update Run - changes the value of appropriate
fields in the master file to reflect the
transaction
5. Backup Procedure - the original master
continues to exist and a new master file is
created
ADVANTAGES OF BATCH PROCESSINH
- Organizations can increase efficiency by
grouping large numbers of transactions into
batches rather than processing each event
separately.
- Batch processing provides control over the
transaction process via control figures.
REAL-TIME SYSTEMS
- process transactions individually at the
moment the economic event occurs
- have no time lag between the economic event
and the processing
- generally require greater resources than batch
processing since they require dedicated
processing capacity; however, these cost
differentials are decreasing
| jg
 - oftentimes have longer systems development - validate collected transactions/ maintain
time accounting controls (e.g., equal debits and
credits).
CHARACTERISTIC DIFFERENCES BETWEEN BATCH AND
- process transaction data.
REAL-TIME PROCESSING
• post transactions to proper accounts
• update general ledger accounts and
transaction files
• record adjustments to accounts
- store transaction data.
- generate timely financial reports

Why Do So Many AIS Use Batch Processing?

- AIS processing is characterized by high-volume,

independent transactions, such are recording
cash receipts checks received in the mail.
- The processing of such high-volume checks can
be done during an off-peak computer time.
- This is one reason why batch processing maybe
done using real-time data collection.

DATA CODING SCHEMES RELATIONSHIP OF GLF TO OTHER INFORMATION

SUBSYSTEM
• SEQUENTIAL CODES
• BLOCK CODES
• GROUP CODES
• ALPHABETIC CODES
• MNEMONIC CODES

GENERAL LEDGER SYSTEMS

- General Ledger Systems acts as a hub

connected to other systems.
- Becomes sources of input for other systems
- Flows as feedback into the GLS.
- GLS provide data to MRS & FRS

IS FUNCTIONS OF GLS

General ledger should:

- collect transaction data promptly and

accurately. GLS DATABASE
- classify/code data and accounts.

| jg
➢ General ledger master file 6. Make Adjusting Entries.
- principal FRS file based on chart of accounts 7. Journalize & post adjusting entries.
➢ General ledger history file 8. Prepare the trial balance.
- used for comparative financial support 9. Prepare the FS.
➢ Journal voucher file 10. Journalize & post-closing entries.
- all journal vouchers of the current period 11. Prepare the post-closing trial balance.
➢ Journal voucher history file
- journal vouchers of past periods for audit trail GLS REPORTS
➢ Responsibility center file GENERAL LEDGER ANALYSIS
- financial data by responsibility centers for MRS - listing of transactions
➢ Budget master file - allocation of expenses to cost centers
- budget data by responsibility centers for MRS - comparison of account balances from prior
periods
JOURNAL VOUCHER LAYOUT FOR A GENERAL LEDGER
- trial balances
MASTER FILE
FINANCIAL STATEMENTS
- balance sheet
- income statement
- statement of cash flows

MANAGERIAL REPORTS
- analysis of sales
- analysis of cash
- analysis of receivables

CHART OF ACCOUNTS
- coded listing of accounts

POTENTIAL RISKS IN THE GL/FRS

1. A defective audit trail.
FINANCIAL REPORTING PROCESS 2. Unauthorized access to the general ledger.
3. GL accounts that are out of balance with
subsidiary accounts.
4. Incorrect GL account balances of unauthorized
or incorrect journal vouchers.

Other Potential Risks in the GL/FRS

- Improperly prepared journal entries
- Unposted journal entries
- Debits not equal to credits
- Subsidiary not equal to G/L control accounts
- Inappropriate access to the G/L
- Poor audit trail
- Lost or damaged data
- Account balances that are wrong because of
1. Capture Transactions. unauthorized or incorrect journal vouchers
2. Record the Special Journal.
GL/FRS CONTROL ISSUES
3. Post to Subsidiary Ledger.
- journal vouchers must be authorized by a
4. Post to General Ledger.
manager at the source dept
5. Prepare the unadjusted trial balance.
SEGREGATION OF DUTIES - G/L clerks should not:

| jg
 - have recordkeeping responsibility for special
journals or subsidiary ledgers
- prepare journal vouchers
- have custody of physical assets
ACCESS CONTROLS
- Unauthorized access to G/L can result in errors,
fraud, and misrepresentations in financial
statements.
- Sarbanes-Oxley requires controls that limit
database access to only authorized individuals.
ACCOUTNING RECORD
- trace source documents from inception to
financial statements and vice versa
INDEPENDENT VERIFICATION
- G/L dept. reconciles journal vouchers and
summaries
Two important operational reports used:
• journal voucher listing – details of each
journal voucher posted to the G/L
• general ledger change report – the
effects of journal voucher postings on
G/L accounts
GL/FRS USING DATABASE TECHNOLOGY
ADVANTAGES:
- immediate update and reconciliation
- timely, if not real-time, information
Removes separation of transaction authorization
and processing
- Detailed journal voucher listing and account
activity reports are a compensating control
Centralized Access to Accounting Records
- Passwords and authorization tables as controls
HTML: HYPER TEXT MARKUP LANGUAGE
- Format used to produce Web pages
• defines the page layout, fonts, and
graphic elements
• used to lay out information for display
in an appealing manner like one sees in
magazines and newspapers
• using both text and graphics (including
pictures) appeals to users
- Hypertext links to other documents on the Web
• Even more pertinent is HTML’s support
for hypertext links in text and graphics
that enable the reader to ‘jump’ to
another document located anywhere
on the World Wide Web.
XML: EXTENSIBLE MARKUP LANGUAGE
- XML is a meta-language for describing markup
languages.
- Extensible means that any markup language can
be created using XML.
• includes the creation of markup
languages capable of storing data in
relational form, where tags (formatting
commands) are mapped to data values
• can be used to model the data structure
of an organization’s internal database
COMPARISON OF HTML AND XML DOCUMENTS
XBRL: eXtensible Business Reporting Language
- XBRL is an XML-based language for
standardizing methods for preparing,
publishing, and exchanging financial
information, e.g., financial statements.
- XBRL taxonomies are classification schemes.
Advantages:
| jg
 • Business offer expanded financial
information to all interested parties
virtually instantaneously.
• Companies that use XBRL database
technology can further speed the
process of reporting.
• Consumers import XBRL documents
into internal databases and analysis
tools to greatly facilitate their decision-
making processes.
IMPLICATIONS FOR ACCOUNTING
- AUDIT IMPLICATION FOR XBRL
• taxonomy creation: incorrect taxonomy
results in invalid mapping that may
cause material misrepresentation of
financial data
• validation of instance documents:
ensure that appropriate taxonomy and
tags have been applied
• audit scope and timeframe: impact on
auditor responsibility as a consequence
of real-time distribution of financial
statements
CHAPTER 7
COMPUTER ASSISTED AUDIT TOOLS & TECHNIQUES
INTRODUCTION TO INPUT CONTROLS
➢ Be familiar with the classes of transaction of
input controls used by accounting applications.
➢ Understand the objectives and techniques used
to implement processing, including run to run,
operator invention, and audit trail controls.
➢ Understand the methods used to establish
effective output controls both batch and real
time systems.
➢ Know the difference between black and white
approach.
➢ Be familiar with key features of the five CAATTs
discussed in this chapter.
CLASSES OF INPUT CONTROLS
1. Source document controls
2. Data coding controls
3. Batch controls
4. Validation controls
5. Input error correction
6. Generalized data input systems
SOURCE DOCUMENT CONTROLS
in systems that use physical source documents
in initiate transactions, careful control must be
exercised over these instruments. Source document
fraud can be used to remove assets from the
organization. To control against this type of exposure,
implement control procedures over source documents
to account for each document.
➢ Controls in systems using physical source
documents
➢ Source document fraud
➢ To control for exposure, control procedures are
needed over source documents to account for
each one
▪ Use pre-numbered source documents
▪ Use source documents in sequence
▪ Periodically audit source documents
Use Pre-numbered Source Documents
- source documents should come pre-numbered
from the printer with a unique sequential
number on each document. This provides an
audit trail for tracing transactions through
accounting records.
Use Source Documents in Sequence
- source documents should be distributed to the
users and used in sequence, requiring the
adequate physical security be maintained over
the source document inventory at the user site.
Access to source documents should be limited
to authorized persons.
Periodically Audit Source Documents
- the auditor should compare the numbers of
documents used to date with those remaining
in inventory plus those voided due to errors
| jg
DATA CODING CONTROLS
coding controls are checks on the integrity of
data codes used in processing. Three types of errors
can corrupt data codes and cause processing errors:
Transcription errors, Single Transposition errors, and
Multiple Transposition errors
• Addition errors occur when an extra
digit or character is added to the code.
• Truncation errors occur when a digit or
character is removed from the end of a
code.
• Substitution errors are the replacement
of one digit in a code with another.
Two types of transposition errors:
- Single transposition errors occur when two
adjacent digits are reversed. adjacent digits
transposed (reversed)
- Multiple transposition errors occur when
nonadjacent digits are transposed. non-
adjacent digits are transposed
Check digit is a control digit (or digits) that is added to
the data code when it is originally assigned.
Batch controls
are an effective method of managing high
volumes of transaction data through a system. It
reconciles output produced by the system with the
input originally entered into the system.
➢ Method for handling high volumes of
transaction data – esp. paper-fed IS
Controlling the batch continues throughout all phases
of the system. It assures that:
1. All records in the batch are processed.
2. No records are processed more than once.
3. An audit trail of transactions in created from
input through processing to the output.
4. It requires the grouping of similar types of input
transactions together in batches and then
controlling the batches throughout data
processing.
Requires controlling batch throughout
- Two documents are used to accomplish this
task: a batch transmittal sheet and a batch
control log.
Batch Transmittal Sheet
- The transmittal sheet becomes the batch
control record and is used to assess the
integrity of the batch during processing. The
batch transmittal sheet captures relevant
information such as:
➢ Unique batch number (serial #)
➢ A batch dates
➢ A transaction codes
➢ Number of records in the batch
➢ Total dollar value of a financial field
➢ Sum of a unique non-financial field
• Hash total - a simple control technique
that uses non-financial data to keep
track of the records in a batch. Any key
field may be used to calculate a hash
total.
• E.g., customer number
Batch Control Log
VALIDATION CONTROLS
intended to detect errors in transaction data before
the data are processed. Most effective when they are
performed as close to the source of the transaction as
possible. Some validation procedures require making
references against the current master file.
| jg
 ➢ Intended to detect errors in data before
processing
➢ Most effective if performed close to the source
of the transaction
➢ Some require referencing a master file
There are three levels of input validation controls:
1. Field Interrogation – involves programmed
procedures that examine the characteristics of
the data in the field.
• Missing Data Checks – used to examine
the contents of a field for the presence
of blank spaces.
• Numeric-Alphabetic Data Checks –
determine whether the correct form of
data is in a field.
• Zero-Value Checks – used to verify that
certain fields are filled with zeros.
• Limit Checks – determine if the value in
the field exceeds an authorized limit.
• Range Checks – assign upper and lower
limits to acceptable data values.
• Validity Checks – compare actual values
in a field against known acceptable
values.
• Check Digit – identify keystroke errors
in key fields by testing the internal
validity of the code
2. Record Interrogation – procedures validate the
entire record by examining the interrelationship
of its field values.
• Reasonable Checks – determine if a
value in one field, which has already
passed a limit check and a range check,
is reasonable when considered along
with other data fields in the record.
• Sign checks - tests to see if the sign of a
field is correct for the type of record
being processed.
• Sequence checks - determine if a record
is out of order.
3. File Interrogation – purpose is to ensure that
the correct file is being processed by the system
• Internal label checks (tape) - verify that
the file processed is the one the
program is actually calling for. The
system matches the file name and serial
number in the header label with the
program’s file requirements.
• Version checks - – verify that the
version of the file processed is correct.
The version check compares the version
number of the files being processed
with the program’s requirements.
• Expiration date check - prevents a file
from being deleted before it expires.
INPUT ERROR CORRECTION
when errors are detected in a batch, they must
be corrected, and the records resubmitted for
reprocessing. This must be a controlled process to
ensure that errors are dealt with completely and
correctly.
➢ Batch – correct and resubmit
➢ Controls to make sure errors dealt with
completely and accurately
Three common error handling techniques are:
1. Immediate Correction – when a keystroke error
is detected or an illogical relationship, the
system should halt the data entry procedure
until the user corrects the error.
2. Create an Error File – individual errors should
be flagged to prevent them from being
processed. At the end of the validation
procedure, the records flagged as errors are
removed from the batch and placed in a
temporary error holding file until the errors can
be investigated. At each validation point, the
system automatically adjusts the batch control
totals to reflect the removal of the error records
from the batch. Errors detected during
processing require careful handling. These
records may already be partially processed.
There are two methods for dealing with this
complexity.
• reverse the effects of the partially
processed transactions and resubmit
the corrected records to the data input
stage.
• reinsert corrected records to the
processing stage in which the error was
detected
| jg
 3. Reject the Entire Batch – some forms of errors
are associated with the entire batch and are not
clearly attributable to individual records. The
most effective solution in this case is to cease
processing and return the entire batch to data
control to evaluate, correct, and resubmit.
Batch errors are one reason for keeping the size
of the batch to a manageable number
PROCESSING CONTROLS
GENERALIZED DATA INPUT SYSTEMS (GDIS)
to achieve a high degree of control and
standardization over input validation procedures, some
organizations employ a generalized data input system
CLASSES OF PROCESSING CONTROLS
(GDIS) which includes centralized procedures to manage
the data input for all of the organization’s transaction
processing systems. A GDIS eliminates the need to
recreate redundant routines for each new application. A
GDIS eliminates the need to recreate redundant
routines for each new application.
➢ Centralized procedures to manage data input
for all transaction processing systems
➢ Eliminates need to create redundant routines
for each new application
Has 3 advantages:
- Improves control by having one common
system perform all data validation
- Ensures each AIS application applies a
consistent standard of data validation
- Improves systems development efficiency
Major Components of GDIS
1. Generalized Validation Module - (GVM)
performs standard validation routines that are
common to many different applications. These
routines are customized to an individual
application’s needs through parameters that
specify the program’s specific requirements
2. Validated Data File - the input data that are
validated by the GVM are stored on a validated
data file. This is a temporary holding file
through which validated transactions flow to
their respective applications.
3. Error File - error records detected during
validation are stored in this file, corrected, and
then resubmitted to the GVM
4. Error Reports - standardized error reports are
distributed to users to facilitate error correction
5. Transaction Log - is a permanent record of all
validated transactions. It is an important
element in the audit trail. However, only
successful transactions (those completely
processed) should be entered in the journal
- programmed procedures designed to ensure
that an application’s logic is functioning
properly.
1. Run-to-Run Controls - use batch figures to
monitor the batch as it moves from one
programmed procedure (run) to another. It
ensures that each run in the system processes
the batch correctly and completely. Specific
run-to-run control types are listed below
• Recalculate Control Totals - after each
major operation in the process and
after each run, $ amount fields, hash
totals, and record counts are
accumulated and compared to the
corresponding values stored in the
control record
• Check Transaction Codes - the
transaction code of each record in the
batch is compared to the transaction
code contained in the control record,
ensuring only the correct type of
transaction is being processed.
• Sequence Checks - the order of the
transaction records in the batch is
critical to correct and complete
processing. The sequence check control
compares the sequence of each record
in the batch with the previous record to
ensure that proper sorting took place
2. Operator Intervention Controls - increases the
potential for human error. Systems that limit
operator intervention through operator
intervention controls are thus less prone to
processing errors. Parameter values and
program start points should, to the extent
possible, be derived logically or provided to the
system through look-up tables
| jg
 ➢ When operator manually enters controls into
the system
➢ Preference is to derive by logic or provided by
system
3. Audit Trail Controls - the preservation of an
audit trail is an important objective of process
control.
➢ Every transaction must be traceable through
each stage of processing.
➢ Each major operation applied to a transaction
should be thoroughly documented.
➢ The following are examples of techniques used
to preserve audit trails:
• Transaction Logs – every transaction
successfully processed by the system
should be recorded on a transaction
log. There are two reasons for creating
a transaction log: It is a permanent
record of transactions. Not all of the
records in the validated transaction file
may be successfully processed. Some
of these records fail tests in the
subsequent processing stages. A
transaction log should contain only
successful transactions.
• Log of Automatic Transactions – all
internally generated transactions must
be placed in a transaction log.
• Listing of Automatic Transactions – the
responsible end user should receive a
detailed list of all internally generated
transactions.
• Unique Transaction Identifiers – each
transaction processed by the system
must be uniquely identified with a
transaction number.
• Error Listing – a listing of all error
records should go to the appropriate
user to support error correction and
resubmission.
OUTPUT CONTROLS
➢ ensure that system output is not lost,
misdirected, or corrupted and that privacy is
not violated. The type of processing method in
use influences the choice of controls employed
to protect system output.
➢ Batch systems are more susceptible to exposure
and require a greater degree of control those
real-time systems.
Controlling Batch Systems Output - Batch systems
usually produce output in the form of hard copy, which
typically requires the involvement of intermediaries.
The output is removed from the printer by the
computer operator, separated into sheets and
separated from other reports, reviewed for correctness
by the data control clerk, and then sent through
interoffice mail to the end user. Each stage is a point of
potential exposure where the output could be
reviewed, stolen, copied, or misdirected. When
processing or printing goes wrong and produces output
that is unacceptable to the end user, the corrupted or
partially damaged reports are often discarded in waste
cans. Computer criminals have successfully used such
waste to achieve their illicit objectives. Techniques for
controlling each phase in the output process are
employed on a cost-benefit basis that is determined by
the sensitivity of the data in the reports.
• Many steps from printer to end user
• Data control clerk check point
• Unacceptable printing should be
shredded
• Cost/benefit basis for controls
• Sensitivity of data drives levels of
controls
OUTPUT SPOOLING
- applications are often designed to direct their
output to a magnetic disk file rather than to the
printer directly. The creation of an output file
as an intermediate step in the printed process
presents an added exposure. A computer
criminal may use this opportunity to perform
any of the following unauthorized acts:
RISKS
• Access the output file and change
critical data values
• Access the file and change the number
of copies to be printed
• Make a copy of the output file so illegal
output can be generated
• Destroy the output file before printing
take place
| jg
PRINT Programs
- the print run program produces hard copy
output from the output file. Print programs are
often complex systems that require operator
intervention.
Types:
1. Pausing the print program to load
output paper
2. Entering parameters needed by the
print run
3. Restarting the print run at a
prescribed checkpoint after a
printer malfunction
4. Removing printer output from the
printer for review and distribution
Print Program Controls
- designed to deal with two types of exposures:
• production of unauthorized copies of
output and employee browsing of
sensitive data. - One way to control this
is to employ output document controls
similar to source document controls.
The number of copies specified by the
output file can be reconciled with the
actual number of output documents
used.
• Unauthorized browsing of sensitive
data by employees - To prevent
operators from viewing sensitive
output, special multi-part paper can be
used, with the top copy colored black to
prevent the print from being read.
Bursting - when output reports are removed from the
printer, they go the bursting stage to have their pages
separated and collated. The clerk may make an
unauthorized copy of the report, remove a page from
the report, or read sensitive information. The primary
control for this is supervision.
Waste – computer output waste represents a potential
exposure. Dispose properly of aborted reports and the
carbon copies from the multipart paper removed during
bursting.
Data Control – the data control group is responsible for
verifying the accuracy of compute output before it is
distributed to the user. The clerk will review the batch
control figures for balance, examine the report body for
garbled, illegible, and missing data, and record the
receipt of the report in data control’s batch control log.
Report Distribution – the primary risks associated with
report distribution include reports being lost, stolen, or
misdirected in transit to the user. To minimize these
risks: name and address of the user should be printed
on the report, an address file of authorized users should
be consulted to identify each recipient of the report,
and maintaining adequate access control over the files.
- The reports may be placed in a secure mailbox
to which only the user has the key.
- The user may be required to appear in person
at the distribution center and sign for the
report.
- A security officer or special courier may deliver
the report to the user.
End User Controls – output reports should be re-
examined for any errors that may have evaded the data
control clerk’s review. Errors detected by the user
should be reported to the appropriate computer
services management. A report should be stored in a
secure location until its retention period has expired.
Factors influencing the length of time a hard copy
report is retained include:
- Statutory requirements specified by
government agencies.
- The number of copies of the report in existence.
- The existence of magnetic or optical images of
reports that can act as permanent backup.
- Reports should be destroyed in a manner
consistent with the sensitivity of their contents
Controlling real-time systems output
• Eliminates intermediaries
• Threats:
- Interception
- Disruption
- Destruction
- Corruption
- Exposures:
- Equipment failure
- Subversive acts
| jg
TESTING VOMPUTER APPLICATION CONTROLS
- control-testing techniques provide information
about the accuracy and completeness of an
application’s processes. These test follow two
general approaches:
• Black Box: Testing around the computer
• White Box: Testing through the
computer
Black Box (Around the Computer) Technique – auditors
performing black box testing do not rely on a detailed
knowledge of the application’s internal logic.
➢ They seek to understand the functional
characteristics of the application by analyzing
flowcharts and interviewing knowledgeable
personnel in the client’s organization. The
auditor tests the application by reconciling
production input transactions processed by the
application with output results.
➢ The advantage of the black box approach is that
• the application need not be removed
from service and tested directly. This
approach is feasible for testing
applications that are relatively simple.
➢ Complex applications require a more focused
testing approach to provide the auditor with
evidence of application integrity.
➢ Appropriately applied:
• Simple applications
• Relative low level of risk
White Box (Through the Computer) Technique – relies
on an in-depth understanding of the internal logic of the
application being tested. Several techniques for testing
application logic directly are included.
➢ Uses small volume of carefully crafted, custom
test transactions to verify specific aspects of
logic and controls
➢ Allows auditors to conduct precise test with
known outcomes, which can be compared
objectively to actual results
White Box Test Methods
Redundancy Tests – determine that an application
processes each record only once.
Access Tests – ensure that the application prevents
authorized users from unauthorized access to data.
Audit Trail Tests – ensure that the application creates
an adequate audit trail. Produces complete transaction
listings, and generates error files and reports for all
exceptions.
Rounding Error Tests – verify the correctness of
rounding procedures. Failure to properly account for
this rounding difference can result in an imbalance
between the total (control) interest amount and the
sum of the individual interest calculations for each
account. Rounding problems are particularly
susceptible to so-called salami funds, that tend to affect
a large number of victims, but the harm to each is
immaterial. Each victim assumes one of the small
pieces and is unaware of being defrauded. Operating
system audit trails and audit software can detect
excessive file activity. In the case of the salami fraud,
there would be 1000’s of entries into the computer
criminal’s personal account that may be detected in this
way.
➢ Monitor activities – excessive ones are serious
exceptions; e.g, rounding and thousands of
entries into a single account for $1 or 1¢
COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES
(CAATTs)
1. Test data method
2. Base case system evaluation
3. Tracing
4. Integrated Test Facility [ITF]
5. Parallel simulation
6. GAS
TEST DATA
used to establish application integrity by processing
specially prepared sets of input data through
production applications that are under review. The
results of each test are compared to predetermined
expectations to obtain an objective evaluation of
application logic and control effectiveness.
Creating Test Data – when creating test data,
auditors must prepare a complete set of both valid
and invalid transactions. If test data are
incomplete, auditors might fail to examine critical
branches of application logic and error-checking
| jg
 routines. Test transactions should test every
possible input error, logical process, and
irregularity.
➢ Uses a “test deck”
• Valid data
• Purposefully selected invalid data
• Every possible:
Input error
Logical processes
Irregularity
➢ Procedures:
• Predetermined results and expectations
• Run test deck
• Compare
BASE CASE SYSTEM EVALUATION (BCSE)
there are several variants of the test data
technique. When the set of test data in use is
comprehensive, the technique is called a base case
system evaluation (BCSE). BCSE tests are conducted
with a set of tests transactions containing all possible
transaction types. These results are the base case.
When subsequent changes to the application occur
during maintenance, their effects are evaluated by
comparing current results with base case results.
➢ Variant of Test Data method
➢ Comprehensive test data
➢ Repetitive testing throughout SDLC
➢ When application is modified, subsequent test
(new) results can be compared with previous
results (base)
TRACING
performs an electronic walk-through of the
application’s internal logic. Implementing tracing
requires a detailed understanding of the application’s
internal logic.
➢ Test data technique that takes step-by-step
walk through application
1. The trace option must be enabled for
the application
2. Specific data or types of transactions
are created as test data
3. Test data is “traced” through all
processing steps of the application, and
a listing is produced of all lines of code
as executed (variables, results, etc.)
➢ Excellent means of debugging a faulty program
TEST DATA: ADVANTAGES AND DISADVANTAGES
ADVANTAGES
1. They employ white box approach, thus
providing explicit evidence
2. Can be employed with minimal disruption to
operations
3. They require minimal computer expertise on
the part of the auditors
DISADVANTAGES
1. Auditors must rely on IS personnel to obtain a
copy of the application for testing
2. Audit evidence is not entirely independent
3. Provides static picture of application integrity
4. Relatively high cost to implement, auditing
inefficiency
INTEGRATED TEST FACILITY
➢ ITF is an automated technique that allows
auditors to test logic and controls during normal
operations
➢ Set up a dummy entity within the application
system
1. Set up a dummy entity within the
application system
2. System able to discriminate between
ITF audit module transactions and
routine transactions
3. Auditor analyzes ITF results against
expected results
PARALLEL SIMULATION
➢ Auditor writes or obtains a copy of the program
that simulates key features or processes to be
reviewed / tested
1. Auditor gains a thorough understanding of
the application under review
2. Auditor identifies those processes and
controls critical to the application
| jg
 3. Auditor creates the simulation using DATA STRUCTURES
program or Generalized Audit Software
Flat file structures
(GAS)
4. Auditor runs the simulated program using ▪ Sequential structure [Figure 8-1]
selected data and files ➢ All records in contiguous storage spaces in
5. Auditor evaluates results and reconciles specified sequence (key field)
differences ➢ Sequential files are simple & easy to process
➢ Application reads from beginning in sequence
➢ If only small portion of file being processed,
CHAPTER 8 inefficient method
➢ Does not permit accessing a record directly
CAATTs for Data Extraction and Analysis
➢ Efficient: 4, 5 – sometimes 3
DATA STRUCTURES ➢ Inefficient: 1, 2, 6, 7 – usually 3
▪ Indexed structure
➢ Organization
• In addition to data file, separate index
➢ Access method file
• Contains physical address in data file of
Access: Non-Index Methods each indexed record
Index File Hashing Pointers Data Files ▪ Indexed random file [Figure 8-2]
• Records are created without regard to
Access: Index Methods Data Organization physical proximity to other related
Sequentialisam Random Sequential Random records
• Physical organization of index file itself
may be sequential or random
• Random indexes are easier to maintain,
sequential more difficult
• Advantage over sequential: rapid
searches
• Other advantages: processing individual
records, efficient usage of disk storage
• Efficient: 1, 2, 3, 7
• Inefficient: 4
FILE PROCESSING OPERATION
Random file are not efficient structures for
1. Retrieve a record by key operations that involve processing a large
2. Insert a record portion of a file (e.g., payroll master
3. Update a record
4. Read a file ▪ Indexed Sequential Methods (ISAM)
5. Find next record • Large files, routine batch processing
6. Scan a file • Moderate degree of individual record
7. Delete a record processing
• Used for files across cylinders
INDIVIDUAL RECORDS • Uses number of indexes, with
summarized content
• Access time for single record is slower
than Indexed Sequential or Indexed
Random
• Disadvantage: does not perform record
insertions efficiently – requires physical

| jg
 relocation of all records beyond that
point – SOS
• Has 3 physical components: indexes,
prime data storage area, overflow area
[Figure 8-4]
• Might have to search index, prime data
area, and overflow area – slowing down
access time
• Integrating overflow records into prime
data area, then reconstructing indexes
reorganizes ISAM files
• Very Efficient: 4, 5, 6
• Moderately Efficient: 1, 3
• Inefficient: 2, 7
EVOLUTION OF ORGANIZATION / ACCESS METHODS
DBMS etc. LEGACY SYSTEMS SEQUENTIAL ISAM
RANDOM
POINTER STRUCTURE
EFFICIENT INEFFICIENT
ACCESS SINGLE RECORDS
ACCESS ENTIRE FILES
HASHING STRUCTURE
➢ Employs algorithm to convert primary key into
physical record storage address [Figure 8-5]
• No separate index necessary
• Advantage: access speed
• Disadvantage
❑ Inefficient use of storage
❑ Different keys may create same
address
• Efficient: 1, 2, 3, 6
• Inefficient: 4, 5, 7
➢ Employs algorithm to convert primary key into
physical record storage address [Figure 8-5]
• No separate index necessary
• Advantage: access speed
• Disadvantage
▪ Inefficient use of storage
▪ Different keys may create same
address
• Efficient: 1, 2, 3, 6
• Inefficient: 4, 5, 7
➢ Stores the address (pointer) of related record in
a field with each data record [Figure 8-6]
• Records stored randomly
• Pointers provide connections b/w
records
• Pointers may also provide links of
records b/w files [Figure 8-7]
• Types of pointers [Figure 8-8]:
❑ Physical address – actual disk
storage location
• Advantage: Access speed
• Disadvantage: if related record
moves, pointer must be
changed & w/o logical
reference, a pointer could be
lost causing referenced record
to be lost
❑ Relative address – relative position
in the file (135th)
• Must be manipulated to
convert to physical
address
| jg
 ❑ Logical address – primary key of
related record
• Key value is converted by
hashing to physical
address
• Efficient: 1, 2, 3, 6
• Inefficient: 4, 5, 7
DATABASE STRUCTURES
➢ Hierarchical & network structures [Figure 8-9]
▪ Uses explicit linkages b/w records to
establish relationship
▪ Figure 8-9 is M:N example
➢ Relational structure
▪ Uses implicit linkages b/w records to
establish relationship:
foreign keys / primary keys
The major difference between the these two
approaches is the degree of process integration and
data sharing that can be achieved. Two-dimensional
flat files exist as independent data structures that are
not linked logically or physically to other files. Database
models were designed to support flat-file systems
already in place, while allowing the organization to
move to new levels of data integration.
Record #3 of the INVOICE file has a “foreign key” for the
related CUSTOMER record (i.e., for this transaction, to
whom the merchandise was sold), which is the Primary
Key in the CUSTOMER file. That same record (#3) has a
foreign key for the INVENTORY record (i.e., for this
same transaction, the item sold) on that INVOICE to that
CUSTOMER. Thus the foreign keys help to build a
composite picture of the transaction or event.
See Figure 8-10 for another example.
The indexed sequential file structure uses an index in
conjunction with a sequential file organization, which
allows both direct access to individual records and
batch processing of the entire file. Multiple indexes can
be used to create a cross-reference called an inverted
list that allows even more flexible access to data [Figure
8-11].
NOTE: In this example, it is assumed only 1 item of
INVENTORY is sold on an INVOICE. Obviously, there are
other scenarios, which would be represented differently
than the one chosen here.
▪ User views
• Data a particular user needs to achieve
his/her assigned tasks
• A single view, or view without user
input, leads to problems in meeting the
diverse needs of the enterprise
• Trend today: capture data in sufficient
detail and diversity to sustain multiple
user views
• User views MUST be consolidated into a
single “logical view” or schema
| jg
 • Data in the logical view MUST be ▪ Creating physical tables
normalized
▪ Query function
▪ Creating views
▪
• Designing output reports, documents,
and input screens needed by users or
groups
• Physical documents help designer
understand relationships among the
data

• 3 user views: Table 8-2, Figure 8-

12, Table 8-3

• Then apply normalization principles to

the conceptual user views to design the
database tables

▪ Importance of data normalization

• Critical to success of DBMS

• Effective design in grouping data
• Several levels: 1NF, 2NF, 3NF, etc.
• Un-normalized data suffers from:
• Insertion anomalies
• Deletion anomalies
• Update anomalies
• One or more of these anomalies will
exist in tables < 3NF

▪ Normalization process

• Un-normalized data [Table 8-4]

• Eliminates the 3 anomalies if:

• All non-key attributes are

dependent on the primary key

• There are no partial

dependencies (on part of the
primary key)

• There are no transitive

dependencies; non-key attributes
are not dependent on other non-
key attributes

• “Split” tables are linked via embedded

“foreign keys”
• Normalized database tables examples:
Figures 8-13, 8-14

| jg