
Computer Aided Audit Techniques

CHAPTER 1
COMPUTER AIDED AUDIT TECHNIQUES

LEARNING OBJECTIVES
In this chapter, we will learn:
• The controls and auditing in the computerized environment.
• CAATs and their types.
• Auditing software.
• Data extraction and analysis.

1.1 CONTROLS AND AUDITING IN COMPUTERIZED ENVIRONMENT : AN INTRODUCTION


An accounting system, whether it be manual or computer-based, is subject to mismanagement,
error, fraud, and general abuse.
The most direct way to combat these potential problems is to implement and maintain a strong
system of internal controls for preventing and for detecting errors and irregularities.
The following characteristics of a computerized setup strongly call for controls and auditing.
• Absence of input documents – Data may be entered directly into the computer system without supporting documents. In some on-line transaction systems, written evidence of data entry authorization (for example, approval for order entry) may be replaced by other procedures, such as authorization controls contained in computer programs (for example, credit limit approval).
• Lack of visible transaction trail – Certain data may be maintained on computer files only. In a manual environment, it is normally possible to follow a transaction through the system by examining source documents, books of account and reports. In a computerized environment, however, the transaction trail may be partly in machine-readable form, or it may exist only for a limited period of time.
• Lack of visible output – Certain transactions or results of processing may not be printed. In manual environments and in some online environments, it is normally possible to visually examine the results of processing. In other online environments, the results of the processing may not be printed, or only summary data may be printed. Thus, the lack of visible output may result in the need to access data retained on computer files that are readable only by the computer.
• Accessibility of data and computer programs – Data and computer programs can be accessed and altered by persons through the use of on-line terminals. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of, data and computer programs by persons inside or outside the entity.

316 INFORMATION TECHNOLOGY TRAINING

© The Institute of Chartered Accountants of India


General controls - General controls create a framework of overall control over the computer-
based activities of the firm. These controls are categorized into four – organizational &
management controls; application systems development and maintenance controls; access
controls; other controls.
Application controls are designed to provide reasonable assurance that the recording, processing
and reporting of data through computer systems are properly performed for specific applications.
These controls are broken into three groups.
• Input controls are designed to ensure that the integrity of the data entered into the computer system is maintained. That is, they ensure that transactions are properly authorized, that they are accurately recorded and that they are complete.
• Processing controls are designed to ensure that the appropriate computer processes have been performed on the data input to the computer system.
• Output controls are designed so that the results ultimately reported as a consequence of inputting and processing the data are valid, accurate and complete.
1.2 FREQUENTLY USED CHECKS/VALIDATION OF INPUT
The following frequently used checks / validations of input may be done:
• Input data requires validation.
• Validation should happen as soon as the data is entered.
• Validation should check how closely the input matches its source or standard.
• Errors are corrected immediately by the users, who have the best knowledge of the data that ought to have been input.
• In case the correction does not take place immediately, the errors are written to an error file.
• The contents of the error file have to be brought to the attention of the users on a timely basis through alerts or hard copy reports.
• The types of validation depend on the nature of the data input method – keyed in through a terminal; scanned data; data transfers from remote systems.
Validating data
There are four types of checks that can be run when data is input through a terminal – field
checks; record checks; batch checks; file checks.
1.2.1 Field checks
A field check is exclusive to a single field; it does not depend on, or validate, data input in the other fields of the same record.
(a) Types of field checks on input data :
The different field checks on input data are as follows :
• Missing data – Is any data missing from the field? For example, an item code entry consists of a series of characters followed by numbers, separated by a hyphen. Is an entry accepted without the hyphen present in the item code?
• Blank data – Does a field accept blank input when data should always be present?
• Numeric/Alphanumeric – Does a field that ought to contain only numbers or only alphabets accept alphanumeric characters?

• Range – Does the input data fall within its allowable value range? For example, if a field holds a user's age, accepting negative values or values exceeding 120 is meaningless.
• Set membership (slab) – If a set of values is defined as the 'permissible set' for a field, is the input data one of these defined values? For example, while creating invoices, the sales discount codes entered ought to fall into one of the six categories.
• Check digit – Is the check digit valid for the value in the field?
A check digit is a redundant digit added to a code to enable the accuracy of the other digits in the code to be verified. The check digit can be placed anywhere in the code (e.g. at the beginning, at the end or in the middle).
There are many approaches to calculating check digits; the more common approach is to assign different weights to the digits in a code.
In a bank account processing system, suppose the account number entered is 3139. The check digit system may assign weights as 5-4-3-2-1 (1 for the units digit, and so on). Multiply the digits by their weights and sum the products: 3*5 + 1*4 + 3*3 + 9*2 = 46. Divide the result by a modulus value (say 11), which gives a quotient of 4 and a remainder of 2. Subtracting the remainder from the modulus gives 9 (11 - 2), which is assigned as the check digit. Therefore the account number is entered with its check digit attached as 31399. The check digit can be attached to the account number anywhere.
Now we can check the validity of the value entered as 31399. Multiply the digits by their weights and sum up: 3*5 + 1*4 + 3*3 + 9*2 + 9*1 = 55. Dividing by the modulus (i.e. 11), 55/11 gives 5 as quotient and 0 as remainder.
Thus a remainder of 0 shows a high probability of the account number being correct.
• Master reference – If a master file exists and can be referenced during data input, is there a master file match for the input field? For example, if customer ids are entered into a system that automatically generates and sends mailers to customers, the customer id entered can be checked immediately for existence by searching for and matching it with the data in the customer master.
• Size – If variable length fields are used and a set of permissible sizes is also defined, does the field delimiter show the field to be one of these valid sizes?
• Format mask – Data entered into a field might have to conform to a particular format. For example, even though the convention is to enter dates in the 'ddmmyy' format, the field may be set to accept date input only as 'yymmdd'.
• Valid codes – The code corresponding to an entity should be valid, and codes should be designed to be less prone to errors during input.
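As an added illustration (not part of the original chapter), the following Python code runs the field checks listed above over a constructed input record and reports every failure. The field names, the item-code pattern, the six discount code values and the sample records are assumptions; the check-digit routine follows the chapter's own 5-4-3-2-1 weights and modulus 11.

```python
import re
from datetime import datetime

# Constructed "permissible set" of six sales discount codes (the chapter says
# six categories exist but does not list them; these values are assumed).
DISCOUNT_CODES = {"D00", "D05", "D10", "D15", "D20", "D25"}

# Weights 5-4-3-2-1 and modulus 11 are the chapter's own check-digit scheme.
WEIGHTS = (5, 4, 3, 2, 1)
MODULUS = 11


def compute_check_digit(account):
    """Append a modulus-11 check digit to a 4-digit account number (3139 -> 31399)."""
    if not (account.isdigit() and len(account) == 4):
        raise ValueError("account number must be exactly 4 digits")
    total = sum(int(d) * w for d, w in zip(account, WEIGHTS))
    check = MODULUS - total % MODULUS
    # Assumption: the chapter does not say what to do when 11 - remainder is
    # 10 or 11 (not a single digit); such account numbers are rejected here.
    if check > 9:
        raise ValueError(f"{account} has no single-digit check digit under this scheme")
    return account + str(check)


def check_digit_valid(number):
    """Re-weight all five digits; a remainder of 0 indicates a valid number."""
    if not (number.isdigit() and len(number) == 5):
        return False
    total = sum(int(d) * w for d, w in zip(number, WEIGHTS))
    return total % MODULUS == 0


def field_checks(record):
    """Run each field check over one input record and return the failures found."""
    errors = []
    # Missing data: an item code is letters, a hyphen, then digits (e.g. AB-1234).
    if not re.fullmatch(r"[A-Z]+-\d+", record.get("item_code", "")):
        errors.append("item_code: hyphen or part of the code missing")
    # Blank data: the customer name must always be present.
    if not record.get("customer_name", "").strip():
        errors.append("customer_name: blank")
    # Numeric: quantity must contain digits only.
    if not record.get("quantity", "").isdigit():
        errors.append("quantity: not numeric")
    # Range: age must lie between 0 and 120 (negative values fail isdigit()).
    age = record.get("age", "")
    if not (age.isdigit() and 0 <= int(age) <= 120):
        errors.append("age: outside 0-120")
    # Set membership (slab): the discount code must be one of the permissible set.
    if record.get("discount_code") not in DISCOUNT_CODES:
        errors.append("discount_code: not in permissible set")
    # Format mask: the date field accepts yymmdd only.
    try:
        datetime.strptime(record.get("date", ""), "%y%m%d")
    except ValueError:
        errors.append("date: does not match yymmdd mask")
    # Check digit: the account number is entered together with its check digit.
    if not check_digit_valid(record.get("account", "")):
        errors.append("account: check digit invalid")
    return errors


# Constructed sample records: one clean, one failing every check.
GOOD_RECORD = {"item_code": "AB-1234", "customer_name": "T. Sheetal", "quantity": "12",
               "age": "34", "discount_code": "D10", "date": "240315", "account": "31399"}
BAD_RECORD = {"item_code": "AB1234", "customer_name": "   ", "quantity": "12x",
              "age": "130", "discount_code": "D99", "date": "15032024", "account": "31398"}

if __name__ == "__main__":
    print(compute_check_digit("3139"))   # 31399
    print(field_checks(GOOD_RECORD))     # []
    for problem in field_checks(BAD_RECORD):
        print(problem)
```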
Codes have two purposes – to uniquely identify an entity, or to identify an entity as a member of a group or set. Codes have to be properly designed on the basis of one or more of these underlying attributes: flexible (allow addition of new items or categories), meaningful (the code value indicates attributes of the entity), compact (not lengthy), convenient (encode/decode friendly) and evolvable (adaptable to future changes). Auditors should ensure that the coding system underpins the data integrity, effectiveness and efficiency objectives.
Codes are prone to errors when input as a result of one or more of these factors – the length of the codes; their alphanumeric nature; the resemblance of certain characters to others (B, I, O, S, Z are confused with 8, 1, 0, 5, 2); and the mixing of uppercase and lowercase characters.
There are certain types of codes – serial, block sequence, hierarchical and association – which are described in Table 1.2.1.

Code type: Serial
Description: Assigns consecutive numbers or alphabets to entities.
Example: Code / Name: 1. T. Sheetal; 2. N. Aparna; 3. G. Jane
Merits: 1. Ease of use 2. Concise
Demerits: 1. Bad support during deletions/additions 2. Low mnemonic value

Code type: Block sequence
Description: Assigns blocks of numbers to the primary attribute of the entity.
Example: Code / Category: 101, 102, 103 – Sale value > 10000; 201, 202 – Sale value > 5000 and < 10000; 301, 302, 303 – Sale value > 2000 and < 5000
Merits: 1. Gives mnemonic value if an attribute is added to the code
Demerits: 1. Could be lengthier (not concise) 2. Difficulty in remembering

Code type: Hierarchical
Description: Attributes of an entity listed in the order of importance; each of the attributes coded and combined.
Example: Entity: Student. Attribute: Name, Code: S1; Attribute: Course, Code: NET02; Attribute: Joining month, Code: JAN03. Hierarchical code: S1JAN03NET02
Merits: 1. Meaningful, as they describe more attributes of an entity
Demerits: 1. Lengthier, and a combination of alphabets and numbers makes recall difficult 2. Changes/deletions in component codes require extensive rework

Code type: Association
Description: Same as hierarchical codes, though the order of the component codes does not reflect a hierarchy of importance.
Example: Product: Toothpaste. Code: TPG100CP (TP – Toothpaste; G – Gel; 100 – Net weight; CP – Colgate Palmolive)
Merits: 1. High mnemonic value
Demerits: 1. Error prone if not concise

Table 1.2.1 : Types of Codes
Types of field checks on processed data
• Overflow – Overflow can occur when a computational field is not initialized to zero, when errors occur during calculation, or when unexpectedly high values are assigned.
• Range – Is the value stored in a field after computation within the specified range of values (min and max)?
• Sign test – This is a record level check, though applied to a field. The sign of a numeric field depends on the value of another field in the record.
1.2.2 Record Checks
The validation checks applied to a field depend on the field's logical interrelationships with other fields in the record. For example, if the records pertain to employees in an organization and there are two fields, level and salary slab, a check could be established on the salary slab field in conjunction with the level field.
Employee name | Code | Designation | Salary slab
A. Seetha Raman | ACC034 | Accountant | 2-2.5
J. Krishnan | FIN02 | Chief Financial Officer | 9.2-9.5

Table 1.2.2 : Record Checks


The salary slab field can be checked through the designation field.
Types of record checks on input data :
Record checks of input data are of the following types :
• Reasonableness – A field value may pass the individual field's range check. However, the contents of another field might determine what the reasonable value for the field is. For example, the IT slabs applicable depend on the salaries drawn by the employees.
• Valid sign – The contents of a field could determine the valid sign for a numeric field. For example, if a transaction type field indicates a cash payment received, the amount field should have a positive sign.
• Size – In the case of variable length records, the size of a record depends on the sizes of the constituent variable size fields and the sizes of fields that may optionally be omitted from the record.
• Sequence check – It is possible that more than one physical record points to a logical (actual) record. A record corresponding to an entity may be input through a series of screens, and the input from every screen may be stored as a physical record. We need a methodology (an input program) to check the sequence of the physical records it receives.
1.2.3 Group of records (batch) checks
Following are the important points of batch checks :
• Batching is the process of grouping together transactions that bear some type of relationship to one another.
• The validation checks determine whether the characteristics of a batch of records entered are congruent with the stated characteristics of the batch.
• There are two types of batches – physical batches; logical batches.
• Physically contiguous transactions constitute physical batches. E.g., transactions entered into a system on a day may constitute a physical batch.
• Logical batches are formed on a basis very different from physical batches. E.g., different data entry operators at different points may enter transactions into a system. The transactions entered by each individual operator constitute a logical batch.

1.2.4 Types of batch checks
The batch checks are of the following types :
(a) Control Totals – Does the accumulation of a field across all records in a batch, or the number of records in the batch, reconcile with the value specified for the batch?
Emp no. | Group no. | Group strength | Name
E101 | G1 | 5 | G. Ashok
E102 | G1 | 5 | B. Raman
E103 | G1 | 5 | N. Ganesan
E105 | G1 | 5 | A. Malathy
E201 | G2 | 2 | Antony Vergese
E202 | G2 | 2 | Anita Sunder

Table 1.2.3 : Control Checks

Though the group strength is specified to be 5, the Emp. nos. in the group have only 4 values.
There are three types of control totals.
(i) Financial totals – Grand totals calculated for each field containing money amounts.
(ii) Hash totals – Grand totals calculated for any code on a document in the batch, e.g., the source document serial numbers could be totaled.
Serial number | Hash total | Product code | Product name
1 | 1 | PC23456 | Hamam, 120g
2 | 3 | PC34567 | ………………..
4 | 7 | PC34698 | ………………..
5 | 12 | …………. | ………………..
6 | 18 | …………. | ………………..
7 | 25 | …………. | ………………..
8 | 33 | …………. | ………………..
9 | 42 | …………. | ………………..
10 | 52 | …………. | ………………..

Table 1.2.4 : Hash Total

Hash total calculation –
Last record number = 10
Algorithm = n*(n+1)/2
10 * 11/2 = 55
Hash total stored = 52
Thus it is seen that a record has been missed out. Here it is (55 – 52) = 3; thus it is the third record.

(iii) Document/record counts – Grand totals for the number of documents or records in the
batch.
(b) Transaction type – All input records in a batch might have to be of a particular type.
(c) Batch serial number – All input records in a batch might have to include a serial number
that has been assigned to the batch.
(d) Sequence check – The input records in a batch might have to follow a particular order.
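The batch checks above, worked in Python as an added example (not from the chapter): the group strength figures and the serial numbers are taken from Tables 1.2.3 and 1.2.4, while the invoice batch, its batch slip and the function names are constructed here.

```python
# From Table 1.2.3: group G1 states a strength of 5 but holds only 4 records.
GROUP_G1 = [("E101", "G1", 5, "G. Ashok"), ("E102", "G1", 5, "B. Raman"),
            ("E103", "G1", 5, "N. Ganesan"), ("E105", "G1", 5, "A. Malathy")]
# Serial numbers of the records actually present, as in Table 1.2.4 (3 is absent).
SERIALS_SEEN = [1, 2, 4, 5, 6, 7, 8, 9, 10]
# Constructed invoice batch and the control figures written on its batch slip.
INVOICES = [("INV01", "SALE", 1200.00), ("INV02", "SALE", 350.50), ("INV03", "SALE", 99.50)]
BATCH_SLIP = {"record_count": 3, "financial_total": 1650.00, "transaction_type": "SALE"}


def record_count_ok(records, stated_count):
    """Document/record count: number of records versus the figure stated for the batch."""
    return len(records) == stated_count


def running_hash_totals(serials):
    """Hash total column of Table 1.2.4: cumulative sum of the serial numbers."""
    totals, running = [], 0
    for serial in serials:
        running += serial
        totals.append(running)
    return totals


def missing_serial(serials):
    """Compare the stored hash total with n(n+1)/2 for the last serial number n.
    The gap is the serial of the missing record; None when nothing is missing.
    (Assumption: at most one record is missing, as in the chapter's example.)"""
    n = max(serials)
    expected = n * (n + 1) // 2
    gap = expected - sum(serials)
    return gap or None


def financial_total_ok(records, stated_total, tolerance=0.005):
    """Financial total: sum of the money field versus the batch slip, within rounding."""
    return abs(sum(amount for _, _, amount in records) - stated_total) < tolerance


def transaction_type_ok(records, expected_type):
    """Transaction type: every record in the batch must be of the stated type."""
    return all(kind == expected_type for _, kind, _ in records)


def in_sequence(serials):
    """Sequence check: serial numbers must be strictly increasing."""
    return all(a < b for a, b in zip(serials, serials[1:]))


def batch_exceptions():
    """Collect every exception an auditor would report for the sample batches."""
    problems = []
    if not record_count_ok(GROUP_G1, GROUP_G1[0][2]):
        problems.append(f"G1: stated strength {GROUP_G1[0][2]}, found {len(GROUP_G1)}")
    gap = missing_serial(SERIALS_SEEN)
    if gap is not None:
        problems.append(f"hash total {running_hash_totals(SERIALS_SEEN)[-1]}: record {gap} missing")
    if not financial_total_ok(INVOICES, BATCH_SLIP["financial_total"]):
        problems.append("financial total does not reconcile")
    if not transaction_type_ok(INVOICES, BATCH_SLIP["transaction_type"]):
        problems.append("mixed transaction types in batch")
    if not in_sequence(SERIALS_SEEN):
        problems.append("serial numbers out of sequence")
    return problems


if __name__ == "__main__":
    for line in batch_exceptions():
        print(line)
```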
1.2.5 Table level tests
The need for table level tests arises from the following :
• Data from client applications are stored in the organization's database through auditable events and functions.
• Controls are required for authorization, to ensure data integrity and to detect possible breaches in security.
• Despite these audit features inherent in databases, there are certain shortcomings:
  • The databases record events that take place through the application, thus leaving any backdoor access to the database unrecorded.
  • Native audit utilities are complex and thus they are mostly left disabled by the administrators.
  • If they have been enabled, they are usually set to track only a small subset of all the events required to meet corporate security policy, for fear of creating performance problems or disk storage overhead.
  • Logged audit events are rarely reviewed because the data are cryptic and too voluminous to be useful.
  • There is no easy-to-use reporting tool for filtering out irrelevant audit events or drilling down for more detail about suspicious activities.
  • Native database auditing utilities lack the ability to track both 'before' and 'after' value detail on changes made to data within tables.
  • There is no simple method of sending real time alerts to a security console when break-ins occur.
1.2.6 Data Integrity related controls
Following are the main reasons to implement the data integrity related controls :
• These are required to check if the correct sequence of commands and update parameters are passed from the application software to the database.
• To take appropriate actions when certain kinds of exception conditions occur.
• Various update and report protocols are implemented in the application software to protect the integrity of the database.
• Update protocols –

Sequence check on transaction and master files
A transaction file is sorted prior to the update of the master file. The master file to be updated might also be sorted in the particular order. Thus a sequence check on the transaction or master files by an update program might seem unnecessary. However, the check is necessary, as the files may go out of sequence due to a patch that has been done incorrectly; an erroneous program inserting records; a sort utility malfunction; or a hardware/software error that corrupts data.

Ensure all records on files are processed
Correct end-of-file protocols need to be followed in an update program to ensure records are not lost from the master or transaction file. Errors occur when the transaction file is closed on reaching the end of the master file, and vice versa, losing chunks of data.

Process multiple transactions for a single record in the correct order
Multiple transactions may occur for a single master record. The order in which the transactions are processed is important. For example, a customer may place more than one sale order and also give a change of address. If the order of effecting changes to the customer master – change of address first and the sale orders second – is changed, then the bill could be generated at the wrong address.

Maintain suspense account
Whenever monetary transactions are processed against master files, the update program should maintain a suspense account to record those transactions that do not have a matching master file record. Mismatches occur when transaction data is inaccurate, or when a transaction for a master arrives before the master has been created. Transactions could be lost if the suspense account is not maintained.

• Report protocols –

Print control data for internal tables
Internal tables are stored tables from which certain values are extracted for further processing and storing. For example, a billing program has an internal table of prices that is used to prepare invoices. There could be multiple versions of these internal tables, each taking effect after a certain time period. Therefore maintaining the integrity of these tables is important. An error in the price list internal table may result in the customers being under billed, and recovering the money may not be possible. Printing the internal tables periodically, or calculating and reporting a control total if the table is large, should be a practice.

Print run to run control totals
A processing subsystem may involve running multiple programs that pass files between each other. Run to run control totals may signal a record being erroneously dropped from a master file that is updated.

Print suspense account entries
A monetary transaction that does not match a master file record is written to a suspense account and ultimately cleared to its correct account. A suspense account report reminds users that they must take action to clear the errors pending in the suspense account.

Table 1.2.5 : Data Integrity Related Controls
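An added example (not the chapter's code) that applies the update and report protocols of Table 1.2.5 in Python: a sequence check before updating, a merge walk that carries every master record through to end-of-file, a customer's transactions applied in order so that the change of address precedes the sale orders, a suspense account for transactions with no master record, and run-to-run control totals for the report. The customer master, the transaction file and all field names are constructed for the illustration.

```python
from copy import deepcopy

# Constructed customer master file, sorted by customer number. C003 has no
# transactions this run and must still be carried forward unchanged.
MASTER = [
    {"cust": "C001", "address": "12 Park St", "orders": []},
    {"cust": "C002", "address": "9 Lake Rd", "orders": []},
    {"cust": "C003", "address": "3 Sea View", "orders": []},
]
# Constructed transaction file, sorted by (customer, seq); seq places C001's
# change of address before its two sale orders. C009 has no master record yet.
TRANSACTIONS = [
    {"cust": "C001", "seq": 1, "type": "ADDR", "value": "48 Hill Ave"},
    {"cust": "C001", "seq": 2, "type": "ORDER", "value": 500.0},
    {"cust": "C001", "seq": 3, "type": "ORDER", "value": 250.0},
    {"cust": "C002", "seq": 1, "type": "ORDER", "value": 75.0},
    {"cust": "C009", "seq": 1, "type": "ORDER", "value": 90.0},
]


def in_sequence(records, key):
    """Sequence check: the update program verifies the sort order itself instead
    of trusting the sort utility, an earlier patch or the hardware."""
    keys = [key(r) for r in records]
    return all(a < b for a, b in zip(keys, keys[1:]))


def update_master(master, transactions):
    """Merge-walk the two sorted files; return (new master, suspense entries, totals)."""
    if not in_sequence(master, key=lambda m: m["cust"]):
        raise ValueError("master file out of sequence")
    if not in_sequence(transactions, key=lambda t: (t["cust"], t["seq"])):
        raise ValueError("transaction file out of sequence")
    new_master, suspense, posted = [], [], 0.0
    i = j = 0
    # End-of-file protocol: keep walking until BOTH files are exhausted, so a
    # master record after the last transaction (or vice versa) is never dropped.
    while i < len(master) or j < len(transactions):
        if j == len(transactions) or (i < len(master) and master[i]["cust"] < transactions[j]["cust"]):
            new_master.append(deepcopy(master[i]))   # no transactions: carry forward
            i += 1
        elif i == len(master) or transactions[j]["cust"] < master[i]["cust"]:
            suspense.append(transactions[j])          # no matching master record
            j += 1
        else:
            record = deepcopy(master[i])
            # Apply every transaction for this customer in seq order, so the
            # orders are billed to the new address rather than the old one.
            while j < len(transactions) and transactions[j]["cust"] == record["cust"]:
                txn = transactions[j]
                if txn["type"] == "ADDR":
                    record["address"] = txn["value"]
                else:
                    record["orders"].append({"amount": txn["value"], "bill_to": record["address"]})
                    posted += txn["value"]
                j += 1
            new_master.append(record)
            i += 1
    totals = {
        "master_in": len(master), "master_out": len(new_master),
        "txn_in": len(transactions), "txn_posted": len(transactions) - len(suspense),
        "txn_suspense": len(suspense), "amount_posted": posted,
        "amount_suspense": sum(t["value"] for t in suspense if t["type"] == "ORDER"),
    }
    return new_master, suspense, totals


def run_to_run_ok(totals):
    """Report protocol: run-to-run control totals must reconcile before the next run."""
    return (totals["master_out"] == totals["master_in"]
            and totals["txn_posted"] + totals["txn_suspense"] == totals["txn_in"])


def suspense_report(suspense):
    """Report protocol: list the pending suspense entries so users clear them."""
    return [f"{t['cust']} seq {t['seq']} {t['type']} {t['value']}: no master record" for t in suspense]


if __name__ == "__main__":
    updated, pending, totals = update_master(MASTER, TRANSACTIONS)
    print(updated[0]["orders"])        # both orders billed to 48 Hill Ave
    print(suspense_report(pending))    # C009's order awaiting a master record
    print(totals, run_to_run_ok(totals))
```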


1.2.7 Inter table tests
Following are the major points with respect to inter table tests :
• An organization's data are stored in innumerable tables with intermingled relationships.
• Their master and child relationships reference the tables from one another.
• It is common for the field assigned as the master to get lost on account of an invalid transaction.
• This may make the entire set of child tables referenced by the master field in the main table unavailable.

• Thus there are inter table tests, such as master present and master missing, that help us locate the irregularities in the database.
1.2.8 System tests
The major points with respect to system tests are as follows :
• Test the overall system to check if the interfaces between various programs and subsystems work correctly.
• Test whether the overall system meets the requirements specifications.
• Also determine whether the performance of the modules degenerates under workloads.
• There are two strategies for system testing – big bang testing; incremental testing.
• Big bang – individual modules are coded and tested individually and then assembled, to be tested as a whole. Well suited to small to medium sized systems.
• Incremental – Smaller parts of the modules are assembled iteratively and tested until the total system is in place.
Types of system tests :
System tests are of the following types :
• Top down tests – Top-level modules are tested first. Lower modules that are not yet implemented are simulated via stubs (dummy modules), just to ensure that the interfaces are working.
• Bottom up tests – Bottom level modules are tested first. Higher-level modules are simulated via drivers (dummy modules), just to ensure that the interfaces are working.
• Hybrid tests – A combination of top down and bottom up tests.
1.2.9 Reasonableness tests
There are countless transactions recorded on a daily basis in an organization. Recording the transactions in an uncontrolled manner may even amount to loss of stored data. Therefore, it is necessary to check the reasonableness of recording and executing a transaction. This reflects the concept of materiality in carrying out a transaction.

1.3 AUDIT TECHNIQUES
The following table gives a detailed view of all the computer aided audit techniques available :
Audit Software
Description: Software used by the auditor to read data on the client's files, to provide information for the audit and/or to re-perform procedures carried out by the client's programs.
Advantages:
• Performs a wide variety of audit tasks
• Long term economies
• Reads actual records
• Capable of dealing with large volumes
Disadvantages:
• Requires a degree of skill to use
• Initial set up costs can be high
• Adaptation often needed from machine to machine

Core Image Comparison
Description: Software used by the auditor to compare the executable version of a program with a secure master copy.
Advantages:
• Provides a high degree of comfort concerning the executable version of the program
• Particularly useful where only executable versions are distributed
Disadvantages:
• Requires a high degree of skill to set up and to interpret the results
• Where programs have been recompiled the comparison may be invalidated, as the program records everything as a difference
• Printouts are hard to interpret and the actual changes made are difficult to establish
• Availability restricted to certain machine types

Database Analyzers
Description: Software used by the auditor to examine the rights associated with terminals and the ability of users to access information on a database.
Advantages:
• Provides detailed information concerning the operation of the database
• Enhances the auditor's understanding of the database management system
Disadvantages:
• Requires a high degree of skill to set up and to interpret the results
• Restricted availability both as regards machine types and database management systems
• Specific and limited audit applicability

Embedded Code
Description: Software used by the auditor to examine transactions passing through the system by placing his own program in the suite of programs used for processing.
Advantages:
• Performs a wide variety of audit tasks
• Examines each transaction as it passes through the system
• Operates continuously
• Capable of identifying unusual transactions passing through the system
Disadvantages:
• There is a processing overhead involved because of the extra programs
• The definition of what constitutes an unusual transaction needs to be very precise
• Precautions need to be taken over the output from the programs to ensure its security
• Precautions need to be taken to ensure that the program cannot be suppressed or tampered with
• Requires some degree of skill to use and to interpret the results

Log Analyzers
Description: Software used by the auditor to read and analyze records of machine activity.
Advantages:
• Provides detailed information on machine usage
• Long term economies
• Effective when testing integrity controls
Disadvantages:
• Requires a high degree of skill to use and to interpret the results
• Limited availability as regards machine types
• High volume of records restricts the extent of the test

Mapping
Description: Software used by the auditor to list unused program instructions.
Advantages:
• Identifies program code which may be there for fraudulent reasons
Disadvantages:
• Very specific objective
• Requires a high degree of skill to use and to interpret the results
• Adaptation needed from machine to machine

Modelling
Description: A variety of software, usually associated with a micro-computer, enabling the auditor to carry out analytical reviews of the client's results, to alter conditions so as to identify amounts for provisions or claims, or to project results and compare actual results with those expected.
Advantages:
• Can be a very powerful analytical tool
• Can enable the auditor to examine provisions on a number of different bases
• Very flexible in use
• Can provide the auditor with useful information on trends and patterns
Disadvantages:
• A high volume of data may need to be entered initially
• Results require careful interpretation

On-line Testing
Description: Techniques whereby the auditor arranges or manipulates data, either real or fictitious, in order to see that a specific program or screen edit test is doing its work.
Advantages:
• Very widely applicable
• Easy to use
• Can be targeted for specific functions carried out by programs
Disadvantages:
• Each use satisfies only one particular objective
• Care must be taken to ensure that 'live' data does not impact actual results

Program Code Analysis
Description: An examination by the auditor of the source code of a particular program with a view to following the logic of the program so as to satisfy himself that it will perform according to his understanding.
Advantages:
• Gives a reasonable degree of comfort about the program logic
• The auditor can examine every function of the program code
Disadvantages:
• The auditor must understand the program language
• The auditor needs to check that the source code represents the version in the source library, and that this version equates to the executable version

Program Library Analyzers
Description: Software used by the auditor to examine the dates of changes made to the executable library and the use of utilities to amend programs.
Advantages:
• Provides the auditor with useful information concerning the program library
• Identifies abnormal changes to the library
• Useful when testing program security
Disadvantages:
• Requires a high degree of skill to use and to interpret the results
• Availability restricted to certain machine types
• Only relevant when testing integrity controls

Snapshots
Description: Software used by the auditor to take a 'picture' of a file of data or a transaction passing through the system at a particular point in time.
Advantages:
• Permits the auditor to examine processing at a specific point in time to carry out tests, or to confirm the way a particular aspect of the system operates
Disadvantages:
• Can be expensive to set up

Source Comparison
Description: Software used by the auditor to compare the source version of a program with a secure master copy.
Advantages:
• Compares source code line by line and identifies all differences
• Useful when testing integrity controls or particularly important program procedures
Disadvantages:
• Other procedures are necessary to ensure that the executable version reflects the source code examined
• Requires some degree of skill to use and to interpret the results
• Availability restricted to certain machine types

Test Data – 'Live', 'Dead', Integrated Test Facility or Base Case System Evaluation
Description: Fictitious data applied against the client's programs either whilst they are running or in an entirely separate operation. The results of processing the fictitious data are compared with the expected results based on the auditor's understanding of the programs involved.
Advantages:
• Performs a wide variety of tasks
• Gives considerable comfort about the operation of programs
• Can be precisely targeted for specific procedures within programs
• Long term economies
Disadvantages:
• "Dead" test data requires additional work for the auditor to satisfy himself that the right programs were used
• Care must be taken to ensure that 'live' data does not impact actual results
• The technique can be expensive to set up and cumbersome to use
• Adequate for detection of major error but less likely to detect deep-seated fraud

Tracing
Description: Software used by the auditor to identify which instructions were used in a program and in what order.
Advantages:
• Helps to analyze the way in which a program operates
Disadvantages:
• There may be cheaper ways to achieve the same objectives, although not in the same detail
• Requires a high degree of skill to use and to interpret the results
• Adaptation needed from machine to machine

Table 1.3.1 : Audit Techniques


1.4 REVIEW OF SYSTEMS
The objective of evaluating systems is to determine how well the systems meet their objectives. The evaluation involves – identifying the objectives of the system; selecting the measures to be used; identifying data sources; obtaining ex ante values for the measures; obtaining ex post values for the measures; and assessing the system impact by comparing ex ante and ex post values. A general model of system effectiveness is represented as :


[Diagram: its components are System Quality, Information Quality, Perceived usefulness, Self-efficacy, Perceived ease of use, Use (frequency; ways), Increased satisfaction, Impact on task – Quality of work, and Organizational Impact]

Fig. 1.4.1 : General Model of System Effectiveness

Some major points are as under :
 Auditors could evaluate system effectiveness by collecting evidence about individual and
organizational impacts that arise out of implementing and operating the system.
 If the measured impacts are not favourable they can find out the reasons behind the
ineffectiveness and remedial actions taken immediately.
 System quality is based on hardware and software factors like system response time,
reliability, ease of use and quality of documentation and help facilities.
 Aspects of information quality include authenticity, accuracy, completeness, timeliness and
relevance.
 Perceived usefulness is the degree to which users believe the system improves their job
performance, and perceived ease of use is the amount of effort they expect to spend to employ
the functionality provided in the system.
 Self-efficacy refers to a user’s perception of his or her own ability to use a computer.
 Usage of these systems involves such evaluations as – whether the use is voluntary or involuntary
(not a good indicator); the nature of use of the system (performing calculations or as decision
support systems); and who uses the system (directly or through intermediaries).
 Task accomplishment impacts and quality of working life may be measured through factors
like absenteeism rate and sick rate of the users of the system.
 Organizational impact is best seen through economic effectiveness of the system.
1.5 TEST DATA
Test data – Sample of data that are created and used for the purpose of testing the application
system.
 It is costly to test the entire program or system. Hence, auditors should concentrate on
those parts of the program where the payoffs will be the highest.
 Test data need to be designed before they are put to use.
 Two approaches of test data designs are – black box testing (specification based) and white
box testing (program based).
 Black box testing seeks to determine whether the application outputs what it is supposed
to. This is found through interaction with users, understanding the functional specifications.
 White box testing focuses on finding whether there are any defective execution paths in a program.
This is done by selecting those parts of the program that are deemed material from the
viewpoint of an audit.
1.5.1 Test data techniques
Test data techniques are methods of conducting audit procedures by entering data (for example,
a sample of transactions) into the computer system, and comparing the results obtained with
predetermined results. Examples of this are outlined below :
 Test data can be developed by the auditor to test specific controls in computer programs,
such as on-line password and data access controls.
 Test data in the form of test transactions can be selected from previously processed
transactions or can be created by the auditor to test specific programmed procedures of the
computer program. These test transactions are generally processed separately from normal
processing.
 Test data in the form of test transactions can be used in a ‘live’ mode, where a dummy unit
(for example, a department or employee) is established to which test transactions are posted
during normal processing. This technique, when integrated into normal processing so as to
operate on a continuous basis over a period of time, is known as an ‘integrated test facility’
(ITF). When using this technique, the auditor should ensure that the impact of test
transactions is subsequently eliminated from the computer files.
1.5.2 Test data checking
The test data that are utilized to execute transactions for the purpose of analyzing the system
need to satisfy the following checks – Have the methods for creating test data been appropriate
for this system? Has sufficient test data been developed to adequately test the application software?
 Further, the success of these tests is directly linked to the following questions: Have all the testing
techniques indicated in the test plan been scheduled for execution during the testing phase?
Have the expected results from testing been determined? Has a process been established to
determine variance/deviation between expected results and actual results? Have both the
expected and actual results been documented when there is a deviation between the two?
Audit procedures to control test data applications may include –
 controlling the sequence of submissions of test data where it spans several processing cycles
 performing test runs containing small amounts of test data before submitting the main
audit test data
 predicting the results of the test data and comparing it with the actual test data output, for
the individual transactions and in total
 confirming that the current version of the programs was used to process the test data; and
 testing whether the programs used to process the test data were the programs the entity
used throughout the applicable audit period.
1.5.3 Test data generation
Test data are designed through test tools such as correctness proof, data flow analysis and
control flow analysis. The stream of data that is generated by these tools is called the test
data pack.
1.6 SOURCE CODE REVIEW
An auditor may decide to look into the internal working of a program to evaluate its quality.
The objectives are :
 Identifying erroneous code – whether the code complies with its specifications.
 Identifying unauthorized code – a program that may exclude certain transactions during
normal data validation processes.
 Identifying ineffective code – whether the code meets user requirements.
 Identifying inefficient code – whether the code is redundant; just a drain of hardware and
software resources.
 Identifying non-standard code – the code may not comply with organizational standards
covering data item names or internal documentation.
1.7 REVIEW METHODOLOGY
There are 7 steps involved in a source code review methodology.
 Select source code to be examined. The auditor is required to select source code that is
relevant to the audit objectives. Risk assessment techniques can be applied to determine
the level of materiality associated with the source code.
 Review programming standards. By this review, the auditor develops a set of expectations
about the characteristics of the code to be reviewed – for example, the way labels are assigned
to variables, the way the programs are structured and the way the comments are placed
throughout the program.
 Understand program specifications. This is to investigate if the program does ‘what it is
written to do’. There are two ways by which the auditor can achieve this. One is to review
the documented program specifications and check the correspondence of the code with
these specifications. The other way is to interview users of the program to check their
understanding of ‘what the program does for them’.
 Obtain source code. The auditor needs to obtain the latest version of the source code.
 Review programming language used. The auditor should either be familiar with the
underlying language or must depend on someone to undertake the review.
 Review source code. The auditor draws a structure chart for the code being reviewed. A
structure chart is a hierarchy of the modules within a program and the interfaces amongst the
modules. He/she can cover the review from the top-level modules to the bottom-most modules,
or in the reverse order, or traverse branches as they appear in the structure chart.
The auditor can pay attention to certain details such as the use of reserved words, control structures
(conditions and loops) and others.
A tool known as a cross-reference lister may come in handy during the review work.
 Formulate flaw hypotheses. If the auditor finds defects, he should expand the extent of
substantive tests to determine how the defects may impact the attainment of the program
objectives.
1.8 EXAMINATION OF AUDIT TRAIL
All material application-oriented events that occur within the boundary subsystem should be
recorded in the accounting audit trail. The following data associated with an event might be
kept :
 Identity of the would-be user of the system.
 Authentication information supplied.
 Resources requested.
 Action privileges requested.
 Terminal identifier.
 Start and finish time.
 Number of sign-on attempts.
 Resources provided/denied, and
 Action privileges allowed/denied.
 This data allows management or auditors to re-create the time series of events that occur
when a user attempts to gain access to and employ system resources.
 Periodically the audit trail should be analyzed to detect any control weaknesses of the
system. Either manual or automated analyses can be undertaken. For example, management
might scan the audit trail for unusual events. Alternatively, a program, such as an
intrusion-detection system, might be used.
 These systems monitor users to determine whether current behaviour conforms to past
behaviour. The audit trail is the source for building a profile of past behaviour.
 Much of the data collected in the accounting audit trail also serves the purposes of the
operations audit trail. For example, recording start and finish times and the resources
requested also facilitates analysis of resource usage within the subsystem.
 As with the accounting audit trail, certain types of resource consumption might also be of
interest as the basis for detecting unauthorized activities. For example, an intrusion-detection
system might monitor the amount of processor time consumed by the user to detect unusual
deviations from the amount of processor time requested by the user in the past.
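As an added illustration (not part of the chapter), the following Python code runs the kind of audit-trail analysis described above over constructed records carrying the fields listed in 1.8: it re-creates a user's time series of events, builds a profile of past processor-time usage, and flags repeated sign-on attempts, denied resources and processor time far above the past profile. The record layout, the thresholds and the sample records are all assumptions made for this example.

```python
"""Added example (not from the chapter): analysing an accounting/operations
audit trail for unusual events. Fields follow the list in 1.8; the sample
records and the thresholds are constructed for illustration."""
from collections import defaultdict
from statistics import mean

# Constructed sample audit-trail records, one per sign-on attempt/session.
# cpu_secs is the processor time consumed (operations audit trail data).
TRAIL = [
    {"user": "alice", "terminal": "T01", "start": "09:00", "finish": "09:30",
     "attempts": 1, "resource": "AR_LEDGER", "granted": True, "cpu_secs": 12},
    {"user": "alice", "terminal": "T01", "start": "10:00", "finish": "10:20",
     "attempts": 1, "resource": "AR_LEDGER", "granted": True, "cpu_secs": 10},
    {"user": "bob", "terminal": "T07", "start": "09:05", "finish": "09:06",
     "attempts": 4, "resource": "PAYROLL", "granted": False, "cpu_secs": 0},
    {"user": "alice", "terminal": "T03", "start": "23:10", "finish": "23:55",
     "attempts": 1, "resource": "AR_LEDGER", "granted": True, "cpu_secs": 95},
]

MAX_ATTEMPTS = 3   # constructed threshold for sign-on attempts per session
CPU_FACTOR = 3.0   # flag when processor time exceeds 3x the user's past mean


def time_series(trail, user):
    """Re-create the sequence of events for one user, ordered by start time."""
    return sorted((r for r in trail if r["user"] == user), key=lambda r: r["start"])


def build_profile(history):
    """Profile of past behaviour: mean processor time per user over granted sessions."""
    cpu = defaultdict(list)
    for r in history:
        if r["granted"]:
            cpu[r["user"]].append(r["cpu_secs"])
    return {user: mean(values) for user, values in cpu.items()}


def find_unusual(history, current):
    """Flag records in `current` that deviate from `history`: repeated failed
    sign-ons, denied resources, or processor time far above the past profile."""
    profile = build_profile(history)
    findings = []
    for r in current:
        if r["attempts"] > MAX_ATTEMPTS:
            findings.append((r["user"], "excessive sign-on attempts"))
        if not r["granted"]:
            findings.append((r["user"], "resource denied: " + r["resource"]))
        baseline = profile.get(r["user"])
        if baseline and r["cpu_secs"] > CPU_FACTOR * baseline:
            findings.append((r["user"], "processor time above past profile"))
    return findings


if __name__ == "__main__":
    past, today = TRAIL[:2], TRAIL[2:]   # earlier sessions form the profile
    for finding in find_unusual(past, today):
        print(finding)
```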
1.8.1 Public Audit trail
Public audit trails are an important control in systems that use digital signatures for authentication
purposes. There are three events that should be recorded in the public audit trail :
 Registration of public keys
 Registration of signatures
 Notification of key compromises
Only the key server can record these events.
Each event is time stamped by the key server, and entries are recorded in ascending order by time.
The public audit trail is used in the following ways :
 First, any user can register a public key with the key server. The server validates this registration
by sending the public key back to the user encrypted under the server’s private key.
 The user decrypts the certificate under the server’s public key to check the validity of the
public key received by the server.
 The server records the registration of the public key on the audit trail.
 Second, any user can request another user’s public key. The server simply obtains the latest
public key from the audit trail and sends it inside a certificate to the user who requests the key.
 Third, signature certificates provided by the key server are recorded in the audit trail so a
particular private key is bound to a public key at a point in time.
 Finally, users notify the key server when their private keys are compromised, and the key
server writes a key-compromise message to the audit trail. The user’s liability for messages
signed under the compromised key is then limited.
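The four uses of the public audit trail above, as an added example that is not the chapter's own code: a key server that alone stamps and appends events in ascending time order, returns a certificate on registration, serves the latest registered key, binds a key to a signature at a point in time, and stops signatures recorded after a compromise notice from binding the user. One assumption to note: the server's "encryption under its private key" is replaced here by an HMAC tag under a server secret (the standard library has no public-key signatures), so the check is symmetric rather than a true public-key verification.

```python
"""Added example, not from the chapter: a key server keeping the public audit
trail of 1.8.1. Stand-in: the server's 'encryption under its private key' is
replaced by an HMAC tag under a server secret, since hmac is in the stdlib."""
import hashlib
import hmac

REGISTER_KEY, REGISTER_SIG, KEY_COMPROMISE = "REGISTER_KEY", "REGISTER_SIG", "KEY_COMPROMISE"


class KeyServer:
    def __init__(self, server_secret):
        self._secret = server_secret   # stand-in for the server's private key
        self.trail = []                # public audit trail: append-only, ascending by time
        self._clock = 0                # only the key server stamps and records events

    def _append(self, event, user, payload):
        self._clock += 1
        entry = {"t": self._clock, "event": event, "user": user, "payload": payload}
        self.trail.append(entry)
        return entry

    def certify(self, user, public_key):
        """Certificate sent back to the user: the key plus the server's tag over it."""
        tag = hmac.new(self._secret, f"{user}:{public_key}".encode(), hashlib.sha256)
        return public_key, tag.hexdigest()

    def check_certificate(self, user, public_key, tag):
        """What the user does on receipt (with HMAC this needs the same secret;
        in the real protocol the user checks with the server's public key)."""
        return hmac.compare_digest(self.certify(user, public_key)[1], tag)

    def register_key(self, user, public_key):          # first use
        self._append(REGISTER_KEY, user, public_key)
        return self.certify(user, public_key)

    def lookup_key(self, user):                         # second use
        for entry in reversed(self.trail):              # latest registration wins
            if entry["event"] == REGISTER_KEY and entry["user"] == user:
                return entry["payload"]
        return None

    def register_signature(self, user, digest):         # third use
        """Bind the user's current public key to a message digest at this time."""
        return self._append(REGISTER_SIG, user, (self.lookup_key(user), digest))

    def notify_compromise(self, user):                  # fourth use
        return self._append(KEY_COMPROMISE, user, self.lookup_key(user))

    def is_binding(self, user, t):
        """A signature recorded at time t binds the user unless a compromise of the
        key it used was recorded earlier than t (liability limited after notice)."""
        sig = [e for e in self.trail if e["t"] == t and e["event"] == REGISTER_SIG]
        if not sig or sig[0]["user"] != user:
            return False
        key = sig[0]["payload"][0]
        return not any(e["event"] == KEY_COMPROMISE and e["user"] == user
                       and e["payload"] == key and e["t"] < t for e in self.trail)
```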
1.9 RANDOM SAMPLING
The basic rule of sampling is simple: every member of the population should have an equal
chance of being included in the sample. However, this is not practically possible in view of the
voluminous data that go into computer systems through day-to-day transactions. Random
sampling might be the remedy. The mathematical concept of randomness requires the equal
probability of selection called for in the basic rule above. By contrast, popular expression might
equate taking a random sample with ‘investigating the last 100 transactions recorded’, which
does not give every transaction an equal chance of selection.

Procedure
Step 1 - Construct a master list
 One should construct a list of all eligible entries in the population from which the sample
will be randomly selected.
Step 2 - Decide on the sample size
 The size of the sample is related directly to the size of the eligible population, the estimated
response rate, and the desired precision of the results.
 A Sample Size Calculator program has been developed to assist auditors in determining
the sample size requirements.
Step 3 - Select Clients
There are two popular methods for randomly selecting a sample of transactions :
(a) The simple random sampling method selects transactions from a list of all transactions based
on a random number assignment.
The steps for selecting transactions to be included in the sample would involve (1) assigning
a random number to every transaction in the list (say, by RAND() function), (2) sorting the
list in ascending order by the random number, (3) selecting the first ‘N’ records, where ‘N’
is the sample size estimate, and (4) assigning these records to the sample list.
(b) The systematic sampling method selects transactions based on a sampling rate, such as, every
fifth transaction recorded in the program will be included in the sample and put to scrutiny.
The method selected will depend on several factors such as how the information on the
transactions is stored (i.e., paper logbooks versus a computer database).
In some instances, no random selection method may be needed; instead, all clients in the
population of interest would be administered the questionnaire.
Step 4 - Document your sample
The final characteristic of a good sample is adequate documentation of the sampling process. It
should summarize the three previous steps, and include information on the size of the population
of interest, the size of the sample, and if possible the demographics of the population and the
sample.
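The two selection methods of Step 3 and the documentation of Step 4, as an added example in Python rather than anything from the chapter: method (a) attaches a random number to every transaction, sorts by it and takes the first N, exactly as the four numbered steps describe; method (b) takes every k-th transaction from a randomly chosen start so that each transaction keeps a 1/k chance of selection. The master list, sample size and seed are constructed for illustration.

```python
"""Added example, not from the chapter: method (a) simple random sampling and
method (b) systematic sampling from Step 3, with the Step 4 documentation.
The master list, sample size and seed below are constructed for illustration."""
import random


def simple_random_sample(master_list, n, seed):
    """Method (a): (1) assign a random number to every transaction, (2) sort the
    list by that number, (3) take the first n records, (4) return them as the sample."""
    if not 0 < n <= len(master_list):
        raise ValueError("sample size must be between 1 and the population size")
    rng = random.Random(seed)            # seeded so the working papers can reproduce it
    keyed = [(rng.random(), txn) for txn in master_list]   # (1)
    keyed.sort(key=lambda pair: pair[0])                   # (2)
    return [txn for _, txn in keyed[:n]]                   # (3) and (4)


def systematic_sample(master_list, rate, seed):
    """Method (b): every `rate`-th transaction. The start point is drawn at random
    within the first interval so every transaction keeps a 1/rate chance of selection."""
    if rate < 1:
        raise ValueError("sampling rate must be at least 1")
    start = random.Random(seed).randrange(rate)
    return master_list[start::rate]


def document_sample(master_list, sample, method, seed):
    """Step 4: the facts a reviewer needs to assess and reproduce the selection."""
    return {
        "population_size": len(master_list),
        "sample_size": len(sample),
        "method": method,
        "seed": seed,
        "selected": list(sample),
    }


# Step 1: a constructed master list of 100 transaction ids.
MASTER_LIST = [f"TXN{i:04d}" for i in range(1, 101)]

if __name__ == "__main__":
    chosen = simple_random_sample(MASTER_LIST, 10, seed=2024)
    print(document_sample(MASTER_LIST, chosen, "simple random", 2024))
    print(systematic_sample(MASTER_LIST, 5, seed=2024))
```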
Random Sampling using MS-Excel
In this example, we shall see how Excel 2007 can be used to select a random sample. A random
sampling feature is available in the Analysis Toolpak Add-in program. To load the Analysis
ToolPak add-in program follow these steps:

1. Click the Microsoft Office Button, and then click Excel Options.

2. Click Add-Ins, and then in the Manage box, select Excel Add-ins. Click Go.

3. In the Add-Ins available box, select the Analysis ToolPak check box, and then click OK.
Tip: If Analysis ToolPak is not listed in the Add-Ins available box, click Browse to locate it.
If prompted, click Yes, to install the Analysis ToolPak.

Fig. 1.9.1: Add-Ins Dialog Box


Once it is installed, to access the Analysis ToolPak tools:
 Go to the Data Tab.
 Click Data Analysis in the Analysis Group.

Fig. 1.9.2: Data Analysis Dialog Box

To select a random sample follow these steps:
1. Create a data table as outlined on the next page or select a worksheet of your choice
with similar fields. Save the worksheet as rsample.xls.


Fig. 1.9.3: Data


2. Go to the Data tab and choose Data Analysis in the Analysis group as shown in the figure below:

Fig. 1.9.4: Data Analysis Box

3. Choose “Sampling” from the list of Analysis Tools. At this point the dialog box
shown below in the figure should open up.

Fig. 1.9.5: Sampling Dialog Box


4. Specify the Input Range, which should contain numeric data (Emp No column). In this
example, Column A is a numeric field and we shall specify it as the Input Range and
then enter the number of sample items required (10). The output range is specified in the
same worksheet. Click OK, when finished.
5. Excel generates the sample in the same worksheet. The output can also be generated in a separate
worksheet.
1.10 AUDIT SOFTWARE
Audit software consists of computer programs used by the auditor, as part of the audit procedures,
to process data of audit significance from the computer system. It may consist of generalized
audit software, specialized audit software or utility programs and existing entity programs :
 Generalized audit software consists of package computer programs designed to
perform a variety of data processing functions such as to read computer files, select
desired information, perform calculations and print reports in a format specified by
the auditor.
 Specialized audit software refers to computer programs designed to perform audit
tasks in specific circumstances. These programs may be prepared by the auditor, by
the entity or by an outside programmer engaged by the auditor.
 Utility programs and existing entity programs are used by the entity to perform
common data processing functions such as sorting, creating and printing computer
files. These computer programs are not usually.
