IT Audit 4ed SM Ch7


CHAPTER 7

COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES

REVIEW QUESTIONS

1. What are the broad classes of input controls?


Response:
Field interrogation
Record interrogation
File interrogation

2. What types of errors do check digits detect?


Response:
Transcription errors
Single transposition errors
Multiple transposition errors

3. Give one example of an error that could be detected by a check digit control.
Response: An accounts receivable clerk incorrectly posts a $1,000 remittance advice to
customer account number 674534. The payment should have been posted to customer
account number 674543. This transposition error resulted in the payment being posted to
a legitimate, but incorrect, account. A check digit routine could have detected this error.
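The transposition in the response above, worked through in code as an added example (this is not code from the textbook or the solutions manual). It assumes a modulus-11 weighted check digit, with weights 2, 3, 4, ... assigned from the rightmost body digit leftward and a computed value of 10 written as "X"; the account numbers are the ones in the response, and the coverage function goes beyond the single case to enumerate every single-digit substitution and adjacent transposition of the number.

```python
# Added example (not from the textbook): a modulus-11 weighted check digit.
# Assumptions: the account body is all digits, weights run 2, 3, 4, ... from the
# rightmost body digit leftward, and a computed value of 10 is written as "X".


def mod11_check_digit(body: str) -> str:
    """Return the check digit for an all-digit account number body."""
    if not body.isdigit():
        raise ValueError("check digit is defined for digit strings only")
    total = 0
    for weight, ch in enumerate(reversed(body), start=2):
        total += weight * int(ch)
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def with_check_digit(body: str) -> str:
    """Append the check digit to the body, giving the number as keyed."""
    return body + mod11_check_digit(body)


def is_valid(account: str) -> bool:
    """Validate a full account number (body followed by its check digit)."""
    if len(account) < 2:
        return False
    body, check = account[:-1], account[-1]
    return body.isdigit() and mod11_check_digit(body) == check


def keystroke_error_coverage(body: str) -> dict:
    """Enumerate every single-digit substitution (transcription error) and every
    adjacent transposition of `body`, keep the original check digit attached,
    and report the fraction of each class the check digit rejects."""
    check = with_check_digit(body)[-1]
    substitutions = []
    for i, ch in enumerate(body):
        for d in "0123456789":
            if d != ch:
                substitutions.append(body[:i] + d + body[i + 1:])
    transpositions = []
    for i in range(len(body) - 1):
        if body[i] != body[i + 1]:  # swapping equal digits changes nothing
            transpositions.append(body[:i] + body[i + 1] + body[i] + body[i + 2:])

    def detected(variants):
        if not variants:
            return 1.0
        return sum(1 for v in variants if not is_valid(v + check)) / len(variants)

    return {
        "substitution": detected(substitutions),
        "adjacent_transposition": detected(transpositions),
    }


if __name__ == "__main__":
    correct = with_check_digit("674534")   # the account the payment belonged to
    keyed = "674543" + correct[-1]         # the clerk's transposition, same check digit
    print(correct, is_valid(correct))      # 6745342 True
    print(keyed, is_valid(keyed))          # 6745432 False
    print(keystroke_error_coverage("674534"))
```

With weights 2 through 7 and the prime modulus 11, every single-digit substitution and every adjacent transposition of a six-digit body shifts the weighted sum by a non-multiple of 11, which is why the coverage function reports full detection for both classes; non-adjacent transpositions are not all caught by this scheme.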

4. What are the primary objectives of a batch control?


Response: The objective of batch control is to reconcile output
produced by the system with the input originally entered into the system. This provides
assurance that:
a. All records in the batch are processed.
b. No records are processed more than once.
c. An audit trail of transactions is created from input through processing to the
output stage of the system.

5. Classify each of the following as a field, record, or file interrogation:


a. Limit check
b. Validity check
c. Version check
d. Missing data check
e. Sign checks
f. Expiration date check
g. Numeric-alphabetic data check
h. Sequence check
i. Zero-value check
j. Header label check
k. Range check
l. Reasonableness check

Response:
a. field
b. field
c. file
d. field
e. record
f. file
g. field
h. record
i. field
j. file
k. field
l. record

6. What are the three common error-handling techniques discussed in the text?
Response:
Three common error handling techniques are (1) correct immediately, (2) create an error
file, and (3) reject the entire batch.

7. What are the white box audit techniques?


Response:
Test data method
Base case approach
Tracing
Integrated Test Facility (ITF)
Parallel Simulation

8. What are the three categories of processing controls?


Response:
a. run-to-run controls
b. operator intervention controls
c. audit trail controls

9. If all of the inputs have been validated before processing, then what purpose do
run-to-run controls serve?
Response: The run-to-run control is a control device to ensure that no records are lost,
unprocessed, or processed more than once for each of the computer runs (processes) that
the records must flow through.
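Batch control totals and the run-to-run check that re-computes them after each process, as an added example serving Questions 4 and 9 (this is not code from the textbook). The remittance batch and the outcomes of the simulated runs are constructed sample data; the hash total is taken over the customer account number, which is one common choice of non-financial field.

```python
# Added example (not from the textbook). Control totals are taken when the batch
# is entered and re-computed after every run (validation, sort, update) the
# records flow through; any drift means a record was lost, duplicated or altered.
from dataclasses import dataclass


@dataclass(frozen=True)
class Remittance:
    account: str   # customer account number (a numeric string)
    amount: int    # cents, so the financial total is exact


def control_totals(batch):
    """The three totals the text names: record count, hash total (sum of a
    non-financial field, here the account number) and financial control total."""
    return {
        "record_count": len(batch),
        "hash_total": sum(int(r.account) for r in batch),
        "financial_total": sum(r.amount for r in batch),
    }


def run_to_run_check(expected, batch_after_run):
    """Return {total_name: (expected, actual)} for every total that no longer
    agrees; an empty dict means the run preserved the batch."""
    actual = control_totals(batch_after_run)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


# Constructed sample batch as entered by data control.
BATCH = [
    Remittance("674534", 100_000),
    Remittance("674543", 25_050),
    Remittance("311208", 7_425),
    Remittance("990017", 60_000),
]
ENTERED = control_totals(BATCH)


def run_clean():
    """A run may reorder the batch; the totals are order-independent."""
    return run_to_run_check(ENTERED, list(reversed(BATCH)))


def run_lost_record():
    """A run that silently drops the third record: every total moves."""
    return run_to_run_check(ENTERED, BATCH[:2] + BATCH[3:])


def run_duplicate_record():
    """A run that processes the first record twice."""
    return run_to_run_check(ENTERED, BATCH + [BATCH[0]])


def run_wrong_account():
    """Count and financial total survive, but the hash total catches the first
    payment being carried under the transposed account from Question 3."""
    altered = [Remittance("674543", 100_000)] + BATCH[1:]
    return run_to_run_check(ENTERED, altered)


if __name__ == "__main__":
    for name, fn in [("clean", run_clean), ("lost", run_lost_record),
                     ("duplicate", run_duplicate_record), ("wrong account", run_wrong_account)]:
        print(f"{name}: {fn()}")
```

The last case is the reason a hash total is kept alongside the financial total: an altered account number leaves the record count and the dollar total unchanged, and only the sum over the non-financial field reveals it.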

10. What is the objective of a transaction log?


Response: One of the objectives of a transaction log is to create a separate, permanent
record of all transactions that have changed account balances.

11. How can spooling present an added exposure?


Response: The creation of an output file as an intermediate step in the printing process
presents an added exposure. A computer criminal may access the file and change it, copy
it, delete or use the information in it, or destroy it.
12. What is ITF?
Response: The integrated test facility (ITF) approach is an automated technique that
enables the auditor to test an application’s logic and controls during its normal operation.
ITF is one or more audit modules designed into the application during the systems
development process. In addition, ITF databases contain “dummy” or test master file
records integrated with legitimate records. During normal operations, the auditor can
insert test transactions, which are merged into the input stream with regular (production)
transactions and are processed against the dummy files.

13. What is the purpose of a range check?


Response: Many times, data have upper and lower limits to their acceptable values. For
example, if the range of pay rates for hourly employees in a firm is between $18 and $30,
this control can examine the pay rate field of all payroll records to ensure that they fall
within this range. It would not detect an error where a correct pay rate of, say, $19 is
incorrectly entered as $29.

14. What is a reasonableness test?


Response: A reasonableness test determines if a value in one field, which has already
passed a limit check and a range check, is reasonable when considered along with other
data fields in the record. For example, an employee’s pay rate of 18 dollars per hour falls
within an acceptable range. However, this rate is excessive when compared to the
employee’s job skill code of 693; employees in this skill class never earn more than 12
dollars per hour.

15. What is the purpose of a redundancy test?


Response: Redundancy tests determine that an application processes each record only
once. Redundancy tests include reviewing record counts and recalculation of hash totals
and financial control totals.

16. What is a validity test?


Response: Validity tests ensure that the system processes only data values that conform
to specified tolerances. Audit tests would include designing data for range tests, field
tests, limit tests, and reasonableness tests. Validity tests also apply to transaction
approvals, such as verifying that credit checks and AP three-way-matches are properly
performed by the application.

17. What is tracing?


Response: Tracing is an audit technique that performs an electronic walk-through of the
application’s internal logic. It shows the instructions that are executed and the order of
their execution.

18. What is the purpose of a completeness test?


Response: Completeness tests identify missing data within a single record and/or entire
records missing from a batch. The types of tests performed are field tests, record
sequence tests, and recalculation of hash totals and financial control totals.

19. What is the white box approach to application testing?


Response: The white-box approach requires the auditor to obtain an in-depth
understanding of the internal logic of the application being tested so that he or she may
test the internal controls directly. White box techniques use small numbers of specially
created test transactions to verify specific aspects of an application’s logic and controls.
In this way, auditors are able to conduct precise tests, with known variables, and obtain
results that they can compare against objectively calculated results.

20. What is the primary disadvantage of ITF?


Response: The primary disadvantage of ITF is the potential for corrupting the data files
of the organization with test data. Steps must be taken to ensure that ITF test transactions
do not materially affect financial statements by being improperly aggregated with
legitimate transactions.

DISCUSSION QUESTIONS

1. The field calls for an “M” for married or an “S” for single. The entry is a “2.” What
control will detect this error?
Response: Numeric/alphabetic data checks or validity check

2. The firm allows no more than 10 hours of overtime a week. An employee entered
“15” in the field. Which control will detect this error?
Response: Limit check

3. The password was “CANARY”; the employee entered “CAANARY.” Which control
will detect this error?
Response: Validity check

4. The inventory item number was omitted on the purchase order. Which control will
detect this error?
Response: Missing data check

5. The order entry system will allow a 10 percent variation in list price. For example,
an item with a list price of $1 could be sold for 90 cents or $1.10 without any system
interference. The cost of the item is $3, but the cashier entered $2. Which control
would detect this error?
Response: Range check

6. How does privacy relate to output control?


Response: If the privacy of certain types of output is violated, for example, sensitive
information about clients or customers, a firm could be legally exposed.

7. Compare the three common error-handling techniques discussed in the text.


Response: Three common error handling techniques are (1) correct immediately, (2)
create an error file, and (3) reject the entire batch. (1) Correct Immediately. If the system
is using the direct data validation approach, error detection and correction can take place
during data entry. Upon detecting a keystroke error or an illogical relationship, the system
should halt the data entry procedure until the user corrects the error.
(2) Create an Error File. When delayed validation is being used, such as in batch systems
with sequential files, individual errors should be flagged to prevent them from being
processed. At the end of the validation procedure, the records flagged as errors are
removed from the batch and placed in a temporary error holding file until the errors can
be investigated.
(3) Reject the Batch. Some forms of errors are associated with the entire batch and are not
clearly attributable to individual records. The most effective solution in this case is to
cease processing and return the entire batch to data control to evaluate, correct, and
resubmit.

8. Output controls ensure that output is not lost, misdirected, or corrupted and that
privacy is not violated. What are some output exposures, or situations where output
is at risk?
Response: Output is removed from the printer by the computer operator, separated into
sheets and separated from other reports, reviewed for correctness by the data control
clerk, and then sent through interoffice mail to the end user. Each stage in this process is a
point of potential exposure where the output could be reviewed, stolen, copied, or
misdirected. An additional exposure exists when processing or printing goes wrong and
produces output that is unacceptable to the end user. These corrupted or partially
damaged reports are often discarded in waste cans. Computer criminals have successfully
used such waste to achieve their illicit objectives.

9. Input validation includes field interrogation that examines the data in individual
fields. List four validation tests and indicate what is checked in each.
Response: Numeric-alphabetic checks look for the correct content in a field, numbers, or
letters; zero-value checks determine if necessary zeros are present; limit checks verify
that values are within preset limits; range checks verify the values fall within an
acceptable range. Other acceptable responses include missing data checks that look for
blank spaces, validity checks that compare actual values in a field against known
acceptable values, and check digit controls that identify keystroke errors in key fields.

10. What is record interrogation? Give two examples.


Response: Record interrogation examines the combination of fields in a record to
determine consistency. Record interrogation tests include reasonableness checks, sign
checks, sequence checks. Examples of record interrogation include: checking that pay
rate and job class agree, and checking that the balance in accounts payable is a credit, etc.

11. Explain how parallel simulation works.


Response: Parallel simulation involves creating a program that simulates key features or
processes of the application under review. The simulated application is then used to
reprocess the same transactions that the production application previously processed. The
results obtained from the simulation are reconciled with the results of the original
production run to determine if application processes and controls are functioning
correctly.

12. What are rounding error routines, and why are they used?
Response: Financial systems that calculate interest payments on bank accounts or
charges on mortgages and other loans employ special rounding error applications.
Rounding errors occur when the level of precision used in a calculation is greater than
that used for reporting. For example, interest calculations on bank account balances may
have a precision of five decimal places, whereas only two decimal places are reported on
balances. If the remaining three decimal places are simply truncated, the total interest
reported for the total number of accounts will not equal the sum of the individual
calculations. The routine uses an accumulator to keep track of the rounding differences
between calculated and reported balances. When the accumulator exceeds one cent
positive or negative, the penny is added or subtracted from the current account.
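The rounding-error routine of Question 12 and the parallel simulation of Question 11 together, as an added example (this is not code from the textbook). It assumes interest is calculated to five decimal places and posted in whole cents, that the accumulator releases a penny when it exceeds one cent in either direction, and that the production output lists accounts in the same order as the input; every account and amount is constructed.

```python
# Added example (not from the textbook). An interest run keeps five decimal
# places internally but posts whole cents; the accumulator carries the truncated
# fractions forward and releases a penny when it exceeds one cent, as Question 12
# describes. Reprocessing the same balances with an independent copy of the
# routine and reconciling against the production run is the parallel simulation
# of Question 11. All account data below are constructed.
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")


def rounding_routine(precise):
    """precise: list of (account, Decimal interest with five decimal places).
    Returns ([(account, posted cents)], accumulator left after the run)."""
    accumulator = Decimal("0")
    posted = []
    for account, amount in precise:
        reported = amount.quantize(CENT, rounding=ROUND_DOWN)  # truncate to cents
        accumulator += amount - reported                       # keep the fraction
        if accumulator > CENT:
            reported += CENT
            accumulator -= CENT
        elif accumulator < -CENT:                              # charges run negative
            reported -= CENT
            accumulator += CENT
        posted.append((account, reported))
    return posted, accumulator


def reconcile(precise, production_posted):
    """Parallel simulation: reprocess the same input, compare account by account,
    then check that total posted interest equals the sum of the precise
    calculations to within one cent (the accumulator residue)."""
    simulated, _residue = rounding_routine(precise)
    mismatches = [
        (account, sim, prod)
        for (account, sim), (_, prod) in zip(simulated, production_posted)
        if sim != prod
    ]
    total_precise = sum(amt for _, amt in precise)
    total_posted = sum(amt for _, amt in production_posted)
    totals_agree = abs(total_precise - total_posted) <= CENT
    return mismatches, totals_agree


PRECISE = [  # constructed: (account, interest calculated to five places)
    ("A-01", Decimal("1.23456")),
    ("A-02", Decimal("2.34567")),
    ("A-03", Decimal("0.99999")),
    ("A-04", Decimal("3.00500")),
    ("A-05", Decimal("1.11111")),
]


def production_run_ok():
    """Production output that agrees with the simulation."""
    posted, _ = rounding_routine(PRECISE)
    return reconcile(PRECISE, posted)


def production_run_suspect():
    """Constructed production output in which A-03 never received its penny;
    the account-level comparison and the total both flag it."""
    posted, _ = rounding_routine(PRECISE)
    altered = [(a, Decimal("0.99") if a == "A-03" else amt) for a, amt in posted]
    return reconcile(PRECISE, altered)


if __name__ == "__main__":
    posted, residue = rounding_routine(PRECISE)
    print(posted, residue)           # A-02 and A-03 each receive the released penny
    print(production_run_ok())       # ([], True)
    print(production_run_suspect())  # ([('A-03', Decimal('1.00'), Decimal('0.99'))], False)
```

The reconciliation is the auditor's control over the routine rather than a re-statement of it: whatever the production code does with the accumulator, the cents it posts must add up to the precise total within one cent, and an independent reprocessing shows exactly which accounts received something other than what the documented logic would give them.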

13. How does the salami fraud get its name, and how does it work?
Response: The fraud scheme takes its name from the analogy of slicing large salami (the
total fraud) into many thin pieces. Each victim gets one of these small pieces and is
unaware of being defrauded. For example, a programmer, or someone with access to the
rounding program, can modify the rounding logic to perpetrate a salami fraud as
follows: at the point in the process where the algorithm should increase the current
customer’s account (that is, the accumulator value is > +.01), the program instead adds
one cent to the perpetrator’s account. Although the absolute amount of each fraud
transaction is small, given the hundreds of thousands of accounts processed, the total
amount of the fraud becomes significant over time.

14. Discuss the black box approach, and explain how it is different from white box
approaches to testing application controls.
Response: The black box approach does not require the auditor to create test files or to
obtain a detailed knowledge of the application’s internal logic. Instead, auditors analyze
flowcharts and interview knowledgeable personnel in the client’s organization to
understand the functional characteristics of the application. With an understanding of
what the application is supposed to do, the auditor tests the application by reconciling
actual production transactions processed with output results. The output results are
analyzed to verify the application’s compliance with its functional requirements.
White box techniques require a detailed understanding of the application’s logic and
involve creating test data to verify the logic directly.

MULTIPLE CHOICE

1. d
2. c
3. a
4. d
5. c
6. a
7. c
8. d
9. c
10. c
11. d
12. d
13. d
14. c
15. b
16. c
17. b
18. a
19. c
20. c

PROBLEMS

1. Input Validation
Identify the types of input validation techniques for the following inputs to the payroll system.
Briefly explain the control provided by each of these techniques.
a. The payroll system accessed the payroll file.
b. New employee
c. Employee name
d. Employee number
e. Social Security number
f. Rate per hour or salary
g. Marital status
h. Number of dependents
i. Cost center
j. Regular hours worked
k. Overtime hours worked

Response:
a. File Interrogation. Verify internal label to ensure the correct file is being accessed.
b. Record Interrogation. Reasonableness and sequence checks to verify the entire record. Field
checks on pay rate and personal information to be entered: Validity check, missing data check,
sign checks, numeric-alphabetic data check.
c. Alphabetic check validates that letters are entered where only letters are required to be entered,
e.g., employee name.
d. Check digit to verify that the number is correct.
e. Missing data check, numeric check, validity check.
f. Range check, reasonableness check.
g. Missing data check ensures that no blank fields are entered where data should be present, e.g.,
marital status; validity check.
h. Reasonableness check, limit check, missing data check.
i. Validity check.
j. Limit check, missing data check.
k. Reasonableness checks validate that only data within a pre-specified range is entered, e.g.,
number of hours worked greater than zero and less than 70.
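Field interrogation and record interrogation applied to a payroll record, as an added example serving Review Questions 13 and 14, Discussion Questions 1, 2, 9 and 10 and Problem 1 (this is not code from the textbook). The pay-rate range of $18 to $30, the 10-hour overtime limit, the M/S marital codes and the $12 ceiling for job skill code 693 are the figures those questions use; the skill-code table, the record layout and the sample records are constructed.

```python
# Added example (not from the textbook). Field interrogation examines one field
# at a time; record interrogation compares fields within the same record. The
# limits are the textbook's figures; the skill-code table and records are
# constructed for the example.
PAY_RATE_RANGE = (18.0, 30.0)             # Review Question 13
MAX_OVERTIME_HOURS = 10                   # Discussion Question 2
MAX_RATE_BY_SKILL_CODE = {"693": 12.0}    # Review Question 14 (constructed table)
VALID_MARITAL = {"M", "S"}                # Discussion Question 1
REQUIRED = ("employee_number", "name", "marital_status", "pay_rate", "regular_hours")


def _is_number(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def field_interrogation(rec):
    """Missing data, numeric-alphabetic, validity, range and limit checks."""
    errors = []
    for f in REQUIRED:                                       # missing data check
        if rec.get(f) in (None, ""):
            errors.append(f"missing data check: {f}")
    name = rec.get("name")
    if name and not name.replace(" ", "").isalpha():         # alphabetic check
        errors.append("alphabetic check: name")
    emp = rec.get("employee_number")
    if emp and not str(emp).isdigit():                       # numeric check
        errors.append("numeric check: employee_number")
    marital = rec.get("marital_status")
    if marital and marital not in VALID_MARITAL:             # validity check
        errors.append("validity check: marital_status")
    rate = rec.get("pay_rate")
    if _is_number(rate) and not (PAY_RATE_RANGE[0] <= rate <= PAY_RATE_RANGE[1]):
        errors.append("range check: pay_rate")               # range check
    ot = rec.get("overtime_hours")
    if _is_number(ot) and ot > MAX_OVERTIME_HOURS:           # limit check
        errors.append("limit check: overtime_hours")
    return errors


def record_interrogation(rec):
    """Sign check on hours and reasonableness of pay rate against skill code."""
    errors = []
    for f in ("regular_hours", "overtime_hours"):            # sign check
        v = rec.get(f)
        if _is_number(v) and v < 0:
            errors.append(f"sign check: {f}")
    cap = MAX_RATE_BY_SKILL_CODE.get(rec.get("skill_code"))  # reasonableness check
    rate = rec.get("pay_rate")
    if cap is not None and _is_number(rate) and rate > cap:
        errors.append("reasonableness check: pay_rate vs skill_code")
    return errors


def validate(rec):
    return field_interrogation(rec) + record_interrogation(rec)


# Constructed record that passes every test.
GOOD = {"employee_number": "1003", "name": "Ann Ortiz", "marital_status": "M",
        "skill_code": "410", "pay_rate": 22.5, "regular_hours": 40, "overtime_hours": 4}

if __name__ == "__main__":
    print(validate(GOOD))                                          # []
    print(validate(dict(GOOD, marital_status="2")))                # validity check
    print(validate(dict(GOOD, overtime_hours=15)))                 # limit check
    print(validate(dict(GOOD, skill_code="693", pay_rate=18.0)))   # reasonableness
    print(validate(dict(GOOD, pay_rate=29.0)))                     # [] if 19 was keyed as 29
```

The last call shows the limitation Question 13 states: a rate of $29 keyed in place of $19 is inside the range and passes; only a control that relates the field to the rest of the record, such as the reasonableness check against skill code, can catch that class of error.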

2. IT Application Controls
IT application controls are classified as (a) input controls, (b) processing controls, and (c) output
controls.

Required:
For each of the three application control categories listed, provide two specific controls and
explain how each control contributes to ensuring the reliability of data. Use the following format
for your answer.
Control Category | Specific Controls | Contribution to Data Reliability
Response:
Student answers will vary. Presented below are the three application control categories, with
examples of specific controls, and how they contribute to ensuring data reliability.

Control Category | Specific Controls | Contribution to Data Reliability

Input Controls
  Check digit: Helps prevent transactions from being posted to incorrect accounts because of
  transcription and transposition errors by data entry personnel.
  Internal label check: Prevents access to the wrong file that would destroy or corrupt data.

Processing Controls
  Run-to-run controls: These controls validate the overall integrity of a batch of transactions as
  it passes through various processing stages.
  Transaction logs: Provide a permanent record of all transactions processed. In an IT
  environment the transaction log is the journal.

Output Controls
  Output spooling: To reduce processing bottlenecks and limit access to data by unauthorized
  persons, large and sensitive data files are directed to spooling disks while they are awaiting
  available printer resources.
  Waste control: Computer output waste represents a potential risk. Aborted reports and the
  carbon copies from multipart paper should be removed and shredded.

3. Input Controls and Data Processing


You have been hired by a catalog company to computerize its sales order entry forms.
Approximately 60 percent of all orders are received over the telephone, with the remainder either
mailed or faxed in. The company wants the phone orders to be input as they are received. The
mail and fax orders can be batched together in groups of fifty and submitted for data entry as they
become ready. The following information is collected for each order:
● Customer number (if a customer does not have one, one needs to be assigned)
● Customer name
● Address
● Payment method (credit card or money order)
● Credit card number and expiration date (if necessary)
● Items ordered and quantity
● Unit price

Required:
Determine control techniques to make sure that all orders are entered accurately into the system.
Also, discuss any differences in control measures between the batch and the real-time processing.

Response: For the phone orders, if a customer has a customer number, it should be verified
against a master file. If a customer needs to establish a customer number, one should be assigned,
and the customer’s name should be entered. A missing data check should be used to verify that a
first name, last name, and street address have been entered. If the firm has a U.S. zip code
database, the zip code can be entered and the city and town should appear.

The payment method should be a menu choice of credit cards that are accepted. The credit
card number should be entered into an alpha-numeric field as well as the expiration date—a
numeric field. Once the order is totaled, authorization with the credit card company will be
provided online. The item ordered should be entered and verified against an inventory master file.
The description should appear and be read to the customer and verified as accurate. The unit price
should automatically appear. The quantity should be entered, and a range check performed to see
if the order is reasonable.

For the batch processed data, customers without customer numbers should be placed into a
batch for adding and receiving customer numbers before the order can be processed. For those
orders with customer numbers, the data will be grouped into batches. Check digits will be
calculated for the customer numbers and the inventory items. Any records that have an invalid
customer number, invalid inventory item, check digits that do not match, or an unreasonable
quantity ordered will be written to an error file, and the rest of the orders will be processed. The
clean transactions should be sorted according to charge type and the credit card numbers verified.
Any rejected transactions will be sent to a special file from which letters will be sent to the
customer. The doubly-clean transactions will then be processed. The real-time processing
technique is more efficient because any errors can be resolved easily and immediately.

4. Write an essay explaining the following three methods of correcting errors in data entry:
immediate correction, creation of an error file, and rejection of the batch

Response:
Key Points
a. Immediate Correction: In the direct data validation approach, error detection and correction
take place during data entry. When an error or illogical relationship is entered, the system should
halt the data entry procedure until the error is corrected.
b. Creation of an Error File: In the delayed data validation approach, errors are flagged and
placed in an error file. Records with errors will not be processed until the error is investigated and
corrected.
c. Rejection of the Batch: Some errors are associated with the entire batch and are not
attributable to individual records. An example of this is a control total that does not balance. The
entire batch is placed in the error file and will be reprocessed when the error is corrected.
5. Many techniques can be used to control the input effort. Write a one-page essay
discussing three techniques.

Response:
Key Points
a. Source document controls are designed to control the documents used to initiate transactions
with pre-numbered source documents, used in sequence, and periodically accounted for.
b. Data coding controls are designed to check on the integrity of data by preventing transcription
errors and transposition errors.
c. Batch controls are designed to manage large volumes of data by repeatedly verifying totals of
specific fields, some financial and others nonfinancial.

6. The presence of an audit trail is critical to the integrity of the accounting information
system. Write a one-page essay discussing three of the techniques used to preserve the audit
trail.

Response:
Key Points
a. Transaction logs list all transactions successfully processed by the system and serve as journals,
and permanent records. Transactions that were not processed successfully should be recorded in
an error file.
b. After processing transactions, a paper transaction listing should be produced and used by
appropriate users to reconcile input.
c. Logs and listings of automatic transactions should be produced for transactions initiated
internally by the system.
d. Error listing should document all errors and be sent to appropriate users to support error
correction.

7. Write an essay comparing and contrasting the following audit techniques based on costs
and benefits:
● test data method
● base case system evaluation
● tracing
● integrated test facility
● parallel simulation

Response:
Key Points
The test data method is used to establish application integrity by processing specially prepared
sets of input data through production applications that are under review. The results of the test are
compared with the expected results. The base case system evaluation tests extend the test data
method; the test data set contains all possible transaction types. Tracing is an electronic
walk-through of the application’s internal logic and analysis of the execution of each program
command line for a specific transaction. An integrated test facility is an automated technique that
enables the auditor to test an application’s logic and controls during its normal operations by
creating dummy transactions and files. This method promotes ongoing application auditing.
Parallel simulation involves creating a simulation of the transaction processing system and then
using actual transactions to determine if the results of processing reconcile with the organization’s
transaction processing system.
