Topic 07 Computer Assisted Audit Tools and Techniques

The document discusses Computer-Assisted Audit Tools and Techniques, focusing on IT application controls categorized into input, processing, and output controls. It details various control methods such as field interrogation, run-to-run controls, and audit trail controls, as well as testing techniques like the black-box and white-box approaches. Additionally, it covers computer-aided audit tools like test-data methods, integrated test facilities, and parallel simulation for evaluating application integrity and control effectiveness.

Audit in CIS Environment (University of the Immaculate Conception)

COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES

IT application controls are associated with specific applications such as payroll, purchases, and cash
disbursements systems, and fall into three broad categories: input controls, processing controls and output
controls.

Input Controls are programmed procedures which perform tests on transaction data to ensure that they are free
from errors before they are processed.

Input controls fall into three categories: field, record, and file interrogation.

Field Interrogation involves programmed procedures that examine the characteristics of the data in the field.

• Check Digit – a control digit that is added to the data code to detect common errors in data submitted for
processing.
• Missing Data Check – is used to examine the contents of a field for the presence of blank spaces.
• Numeric-Alphabetic Check – identifies when data in a particular field are in the wrong form.
• Limit Check – determines if the value in the field exceeds an authorized limit.
• Range Check – this control ensures that data inputs fall within the rightful range.
• Validity Check – compares actual field values against known acceptable values to determine the
authenticity of the input.

Record Interrogation procedures validate the entire record by examining the interrelationship of its field values.

• Reasonableness Check – determines if a value in one field, which has already passed a limit check and
a range check, is reasonable when considered along with other data fields in the record.
• Sign Check – verifies that the sign of a field is correct for the type of record being processed.
• Sequence Check – used to determine if a record is out of order.
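
The field and record interrogation checks above, applied to a small payroll batch as an added example (not part of the original notes). The modulus-11 check-digit scheme, the field names, the limits and the sample rows are assumptions constructed for illustration; records that fail are set aside with their reasons instead of being processed.

```python
FIELDS = ("emp_id", "hours", "rate", "dept", "job")
VALID_DEPTS = {"ACC", "OPS", "HR"}         # validity check: known acceptable values
MAX_HOURS, RATE_RANGE = 44.0, (8.0, 20.0)  # limit and range checks (assumed policy)
CLERK_MAX_RATE = 12.0                      # reasonableness: rate vs. job class (assumed)

def mod11_check_digit(base):
    """Weights 2, 3, 4, ... from the rightmost digit; 'X' stands for 10."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)

def interrogate(rec):
    """Field and record interrogation; returns the failed checks (empty = clean)."""
    missing = [f"missing:{k}" for k in FIELDS if not rec.get(k, "").strip()]
    if missing:
        return missing
    errs, emp = [], rec["emp_id"]
    base_ok = emp[:-1].isascii() and emp[:-1].isdigit()
    if not base_ok or mod11_check_digit(emp[:-1]) != emp[-1]:
        errs.append("check_digit:emp_id")
    try:
        hours, rate = float(rec["hours"]), float(rec["rate"])
    except ValueError:
        return errs + ["numeric:hours/rate"]
    if hours > MAX_HOURS:
        errs.append("limit:hours")
    if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
        errs.append("range:rate")
    elif rec["job"] == "clerk" and rate > CLERK_MAX_RATE:
        errs.append("reasonableness:rate/job")  # in range, but not for this job
    if rec["dept"] not in VALID_DEPTS:
        errs.append("validity:dept")
    return errs

def validate_batch(records):
    """Split a batch into clean records and an error file with reasons."""
    clean, error_file, last_id = [], [], ""
    for rec in records:
        errs = interrogate(rec)
        if not errs and rec["emp_id"] <= last_id:   # sequence check, fixed-width IDs
            errs.append("sequence:emp_id")
        last_id = last_id if errs else rec["emp_id"]
        (error_file if errs else clean).append((rec, errs))
    return clean, error_file

# Constructed batch: valid, transposed ID, three bad fields, blank hours, out of order.
ROWS = ["53724,40,11.50,ACC,clerk", "35724,40,11.50,ACC,clerk", "53805,52,18.00,XYZ,clerk",
        "53910,,15.00,OPS,analyst", "51004,38,15.00,HR,analyst"]
BATCH = [dict(zip(FIELDS, row.split(","))) for row in ROWS]
CLEAN, ERROR_FILE = validate_batch(BATCH)
```

Only the first row reaches `CLEAN`; each of the other four lands in `ERROR_FILE` with the name of the check that caught it.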

File Interrogation ensures that the correct file is being processed by the system.

• Internal and external label checks – verify that the file being processed is the one the program is
actually calling for.
• Version Checks – used to verify that the version of the file being processed is the correct one.
• Expiration Date Check – prevents a file from being deleted before it expires.

Processing Controls are programmed procedures designed to ensure that an application’s logic is functioning
properly.

They are divided into three categories: run-to-run controls, operator intervention controls, and audit trail
controls.

Run-to-run Controls are designed to monitor the batch as it moves from one run to another.

• Input Error Correction ensures that errors are dealt with completely and correctly.

There are three common error handling techniques: (1) correct immediately, (2) create an error file, and (3)
reject the entire batch.

Correct Immediately – Upon detecting a keystroke error or an illogical relationship, the system will flag this and
allow the data entry clerk to correct the error.

Prepared by: Myss Jhenn

Create an Error File – At the end of the validation procedure, the records flagged as errors are removed from the
batch and placed in a temporary error holding file until the errors can be investigated.

Reject the Batch – Some forms of errors are associated with the entire batch and are not clearly attributable to
individual records. The most effective solution in this case is to cease processing and investigate whether this is a
data control problem or a programming error in the run.

• Hash Totals refers to a simple control technique that uses non-financial data to keep track of the records
in a batch.
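
An added example (not from the original notes) of a run-to-run check built on a batch control record: record count, financial control total and hash total are recomputed after each run and the batch is rejected on any mismatch. Field names and sample orders are constructed; the substitution case shows why the hash total is kept alongside the other two figures.

```python
from decimal import Decimal

def batch_totals(records):
    """Control figures for a batch: count, financial total, and hash total."""
    return {
        "record_count": len(records),
        "control_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: sum of a non-financial field, meaningless except as a control.
        "hash_total": sum(int(r["order_no"]) for r in records),
    }

def run_to_run_check(control_record, records):
    """Recompute the figures after a run; return the names of any that differ."""
    actual = batch_totals(records)
    return sorted(k for k in control_record if control_record[k] != actual[k])

def process_run(name, control_record, records):
    """Gate between runs: reject the entire batch on any mismatch."""
    mismatches = run_to_run_check(control_record, records)
    if mismatches:
        return f"{name}: REJECT BATCH ({', '.join(mismatches)})"
    return f"{name}: OK"

# Constructed sales-order batch as captured at data entry.
ENTERED = [
    {"order_no": "14327", "amount": "120.00"},
    {"order_no": "14328", "amount": "75.50"},
    {"order_no": "14329", "amount": "310.25"},
]
CONTROL = batch_totals(ENTERED)   # figures stored in the batch control record

# Constructed states of the batch after a later run:
LOST = ENTERED[:2]                                  # one record dropped
SUBSTITUTED = ENTERED[:2] + [{"order_no": "19999", "amount": "310.25"}]
DUPLICATED = ENTERED + [ENTERED[0]]                 # one record processed twice

for label, batch in [("edit run", ENTERED), ("sort run", LOST),
                     ("update run", SUBSTITUTED), ("report run", DUPLICATED)]:
    print(process_run(label, CONTROL, batch))
```

In the substituted batch the record count and the financial total still balance; only the hash total exposes the swapped order number.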

Operator Intervention Controls limit operator intervention; systems that use them are thus less prone to processing errors.

Audit Trail Controls – the preservation of an audit trail so that every transaction in the accounting
system is traceable through each stage of processing, from its economic source to its presentation in
the financial statements.

• Transaction Logs – every transaction successfully processed by the system should be recorded on a
transaction log, which serves as a journal.
• Log of Automatic Transactions – Some transactions are triggered internally by the system. To maintain
an audit trail of these activities, all internally generated transactions must be placed in a transaction log.
• Listing of Automatic Transactions – to maintain control over automatic transactions processed by the
system, the responsible end user should receive a detailed listing of internally generated transactions.
• Unique Transaction Identifiers – Each transaction processed by the system must be uniquely identified
with a transaction number.
• Error Listing – A listing of all error records should go to the appropriate user to support error correction
and resubmission.

Output Controls ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.

Controlling Batch Systems Output

• Output Spooling – In large-scale data-processing operations, output devices such as line printers can
become backlogged with many programs simultaneously demanding these limited resources. To ease
this burden, applications are often designed to direct their output to a magnetic disk file rather than to the
printer directly.
• Print Programs – when the printer becomes available, the print run program produces hard copy output
from the output file.
• Bursting – when output reports are removed from the printer, they go to the bursting stage to have their
pages separated and collated.
• Waste – Computer output waste represents a potential risk. It is important to dispose of aborted reports
and the carbon copies from multipart paper removed during bursting properly.
• Data Control – in some organizations, the data control group is responsible for verifying the accuracy of
computer output before it is distributed to the user. Normally, the data control clerk will review the batch
control figures for balance; examine the report body for garbled, illegible, and missing data, and record
the receipt of the report in data control’s batch control log.
• Report Distribution – The primary risks associated with report distribution include reports being lost,
stolen, or misdirected in transit to the user. A number of control measures can minimize these exposures.
• End User Controls – Once in the hands of the user, output reports should be re-examined for any errors
that may have evaded the data control clerk’s review. Users are in a far better position to identify subtle
errors in reports that are not disclosed by an imbalance in control totals.

Controlling Real-Time Systems Output – Real-time systems direct their output to the user’s computer screen,
terminal, or printer. This method of distribution eliminates the various intermediaries in the journey from the
computer center to the user and thus reduces many of the exposures previously discussed. The primary threat to
real-time output is the interception, disruption, destruction, or corruption of the output message as it passes along
the communications link.

This threat comes from two types of exposures: (1) exposures from equipment failure; and (2)
exposures from subversive acts.

Computer Application Controls – control testing techniques provide information about the accuracy and
completeness of an application’s processes. These tests follow two general approaches: (1) the black-box
(around the computer) approach and (2) the white-box (through the computer) approach.

Black-Box Approach (also called auditing around the computer) does not require the auditor to obtain a detailed
knowledge of the application’s internal logic. Instead, auditors analyse flowcharts and interview knowledgeable
personnel in the client’s organization to understand the functional characteristics of the application. With an
understanding of what the application is supposed to do, the auditor tests the application by reconciling actual
production transactions processed with actual output results. The output results are analysed to verify the
application’s compliance with its functional specifications.

White-Box Approach (also called auditing through the computer) requires the auditor to obtain an in-depth
understanding of the internal logic of the application being tested so that he or she may test internal controls
directly. White-box techniques use small numbers of specially created test-transactions to verify specific aspects
of an application’s logic and controls. In this way, auditors are able to conduct precise tests, with known variables,
and obtain results that they can compare against objectively calculated results.

Some of the more common types of tests of controls include the following:

• Access Tests verify that individuals, programmed procedures or messages (such as electronic data
interchange transmissions) attempting to access a system are authentic and valid. Access tests include
verifications of user IDs, passwords, valid vendor codes, and user authority tables.
• Validity Tests ensure that the system processes only data values that conform to specified tolerances.
Audit tests would include designing data for range tests, field tests, limit tests, and reasonableness tests.
• Accuracy Tests ensure that mathematical calculations are accurate and posted to the correct accounts.
• Completeness Tests identify missing data within a single record and/or entire records missing from a
batch. The types of tests performed are field tests, record sequence tests, and recalculation of hash totals
and financial control totals.
• Redundancy Tests determine that an application processes each record only once. Redundancy tests
include reviewing record counts and recalculation of hash totals and financial control totals.
• Audit Trail Tests ensure that the application creates an adequate audit trail. Tests include obtaining
evidence that the application records all transactions in a transaction log (journal), posts data values to
the appropriate accounts, produces complete transaction listings, and generates error files and reports for
all exceptions.
• Rounding Error Tests verify the correctness of rounding procedures. Rounding errors occur when the
level of precision used in a calculation is greater than that used for reporting.

Computer-Aided Audit Tools and Techniques for Testing Controls

Test-Data Method is used to establish application integrity by processing specially prepared sets of input data
through production applications that are under review. The results of each test are compared to predetermined
expectations to obtain an objective evaluation of application logic and control effectiveness.

Advantages: (1) Provides the auditor with explicit evidence concerning application functions. (2) Test data runs
can be employed with only minimal disruption to the organization’s operations. (3) They require only minimal
computer expertise on the part of auditors.

Disadvantages: (1) Auditors must rely on computer services personnel to obtain a copy of the application for test
purposes. (2) Provides a static picture of application integrity at a single point in time. (3) High cost of
implementation.

Integrated Test Facility approach is an automated technique that enables the auditor to test an application’s
logic and controls during its normal operation. ITF databases contain “dummy” or test master file records
integrated with legitimate records. ITF audit modules are designed to discriminate between ITF transactions and
routine production data.

Advantages: (1) Supports on-going monitoring of controls as specified by the COSO control framework. (2)
Applications with ITF can be economically tested without disrupting the user’s operations and without the
intervention of computer services personnel.

Disadvantage: potential for corrupting the data files of the organization with test data.

Parallel Simulation requires the auditor to write a program that simulates key features or processes of the
application under review. The simulated application is then used to reprocess transactions that were previously
processed by the production application. The results obtained from the simulation are reconciled with the results
of the original production run to establish a basis for making inferences about the quality of application processes
and controls.
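
A parallel simulation in miniature, added here as an example and not taken from the original notes: the auditor's own routine recomputes monthly interest and the results are reconciled against what production posted. The interest rule, the field names and both data sets are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

def simulate_interest(txn):
    """Auditor's independent version of the assumed rule:
    monthly interest = balance * annual_rate / 12, rounded half-up to cents."""
    raw = Decimal(txn["balance"]) * Decimal(txn["annual_rate"]) / 12
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def reconcile(transactions, production_output):
    """Reprocess every source transaction and list each disagreement."""
    exceptions = []
    for t in transactions:
        expected = simulate_interest(t)
        posted = production_output.get(t["txn_id"])
        if posted is None:
            exceptions.append((t["txn_id"], "missing from production output",
                               expected, None))
        elif Decimal(posted) != expected:
            exceptions.append((t["txn_id"], "amount differs",
                               expected, Decimal(posted)))
    # Output with no matching source transaction is also an exception.
    known = {t["txn_id"] for t in transactions}
    for txn_id in sorted(set(production_output) - known):
        exceptions.append((txn_id, "no source transaction",
                           None, Decimal(production_output[txn_id])))
    return exceptions

# Constructed transaction file previously processed by production.
TRANSACTIONS = [
    {"txn_id": "T1", "balance": "1000.00", "annual_rate": "0.06"},
    {"txn_id": "T2", "balance": "2500.50", "annual_rate": "0.045"},
    {"txn_id": "T3", "balance": "800.00", "annual_rate": "0.05"},
]
# Constructed production results: T2 was truncated, T3 is absent, T9 is unexplained.
PRODUCTION_OUTPUT = {"T1": "5.00", "T2": "9.37", "T9": "12.00"}

for txn_id, finding, expected, posted in reconcile(TRANSACTIONS, PRODUCTION_OUTPUT):
    print(f"{txn_id}: {finding} (simulated={expected}, production={posted})")
```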
