Computer-Aided Audit Tools and Techniques: IT Auditing, Hall, 3e

Chapter 7:
Computer-Aided Audit Tools

and Techniques
IT Auditing, Hall, 3e
2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated,
or posted to a publicly accessible website, in whole or in part.
Introduction to Input Controls
Designed to ensure that the transactions that bring

data into the system are valid, accurate, and
complete
Data input procedures can be either:

Source document-triggered (batch)
Direct input (real-time)
Source document input requires human

involvement and is prone to clerical errors.
Direct input employs real-time editing techniques to

identify and correct errors immediately
2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

copied
3e or duplicated,
Classes of Input Controls

1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input
systems
copied
3e or duplicated,
#1-Source Document Controls

Controls in systems using physical source
documents
Source document fraud
To control for exposure, control procedures
are needed over source documents to

account for each one
Use pre-numbered source documents

Use source documents in sequence
Periodically audit source documents

copied
3e or duplicated,
#2-Data Coding Controls

Checks on data integrity during processing
Transcription errors
Addition errors, extra digits
Truncation errors, digit removed
Substitution errors, digit replaced
Transposition errors
Single transposition: adjacent digits transposed (reversed)
Multiple transposition: non-adjacent digits are transposed
Control = Check digits

Added to code when created (suffix, prefix,
embedded)
Sum of digits (ones): transcription errors only
Modulus 11: different weights per column: transposition and
transcription errors
Introduces storage and processing inefficiencies

copied
3e or duplicated,
#3-Batch Controls
Method for handling high volumes of
transaction data esp. paper-fed IS

Controls of batch continues thru all phases of
system and all processes (i.e., not JUST an

input control)
1) All records in the batch are processed together
2) No records are processed more than once
3) An audit trail is maintained from input to output
Requires grouping of similar input transactions

copied
3e or duplicated,
#3-Batch Controls
Requires controlling batch throughout
Batch transmittal sheet (batch control record) Figure

7-1
Unique batch number (serial #)

A batch date
A transaction code
Number of records in the batch
Total dollar value of financial field
Sum of unique non-financial field
Hash total
E.g., customer number
Batch control log Figure 7-3
Hash totals

copied
3e or duplicated,
#4-Validation Controls
Intended to detect errors in data
before processing
Most effective if performed close to
the source of the transaction

Some require referencing a master
file
copied
3e or duplicated,
#4-Validation Controls
Field Interrogation
Missing data checks
Numeric-alphabetic data checks
Zero-value checks
Limit checks
Range checks
Validity checks
Check digit
Record Interrogation
Reasonableness checks
Sign checks
Sequence checks
File Interrogation
Internal label checks (tape)
Version checks
Expiration date check
copied
3e or duplicated,
#5-Input Error Connection

Batch correct and resubmit
Controls to make sure errors dealt with
completely and accurately

1) Immediate Correction
2) Create an Error File
Reverse the effects of partially
processed, resubmit corrected records

Reinsert corrected records in
processing stage where error was
detected
3) Reject the Entire Batch

copied
3e or duplicated,
10
#6-Generalized Data Input Systems

(GDIS)
Centralized procedures to manage data input
for all transaction processing systems

Eliminates need to create redundant routines
for each new application
Advantages:
Improves control by having one common
system perform all data validation

Ensures each AIS application applies a
consistent standard of data validation
Improves systems development efficiency
copied
3e or duplicated,
11
#6-GDIS
Major components:
1) Generalized Validation Module

2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log

copied
3e or duplicated,
12
Classes of Processing Controls

1) Run-to-Run Controls
2) Operator Intervention
Controls
3) Audit Trail Controls

copied
3e or duplicated,
13
#1-Run-to-Run (Batch)
Use batch figures to monitor

the batch as it moves from
one process to another
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks

copied
3e or duplicated,
14
#2-Operator Intervention
When operator manually enters

controls into the system
Preference is to derive by logic

or provided by system

copied
3e or duplicated,
15
#3-Audit Trail Controls
Every transaction becomes traceable from

input to output
Each processing step is documented
Preservation is key to auditability of AIS
Transaction logs
Log of automatic transactions
Listing of automatic transactions
Unique transaction identifiers [s/n]
Error listing

copied
3e or duplicated,
16
Output Controls
Ensure system output:

1)
2)
3)
4)
Not misplaced
Not misdirected
Not corrupted
Privacy policy not violated
Batch systems more susceptible to exposure,

require greater controls
Controlling Batch Systems Output
Many steps from printer to end user

Data control clerk check point
Unacceptable printing should be shredded
Cost/benefit basis for controls
Sensitivity of data drives levels of controls

copied
3e or duplicated,
17
Output Controls
Output spooling risks:

Access the output file and change
critical data values
Access the file and change the
number of copies to be printed
Make a copy of the output file so
illegal output can be generated
Destroy the output file before printing
take place

copied
3e or duplicated,
18
Output Controls
Print Programs
Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint after a
printer malfunction
4) Removing printer output from the printer for review and
distribution
Print Program Controls

Production of unauthorized copies
Employ output document controls similar to source document

controls
Unauthorized browsing of sensitive data by employees

Special multi-part paper that blocks certain fields

copied
3e or duplicated,
19
Output Controls
Bursting
Supervision
Waste
Proper disposal of aborted copies
and carbon copies
Data control
Data control group verify and log
Report distribution
Supervision

copied
3e or duplicated,
20
Output Controls
End user controls

End user detection
Report retention:
Statutory requirements (govt)

Number of copies in existence
Existence of softcopies (backups)
Destroyed in a manner consistent
with the sensitivity of its contents

copied
3e or duplicated,
21
Output Controls
Controlling real-time systems output
Eliminates intermediaries
Threats:
Interception
Disruption
Destruction
Corruption
Exposures:
Equipment failure
Subversive acts
Systems performance controls (Ch. 2)
Chain of custody controls (Ch. 5)

copied
3e or duplicated,
22
Testing Computer Application

Controls
1) Black box (around)
2) White box (through)

copied
3e or duplicated,
23

Controls Black Box
Ignore internal logic of application
Use functional characteristics
Flowcharts
Interview key personnel
Advantages:
Do not have to remove application from

operations to test it
Appropriately applied:
Simple applications
Relative low level of risk

copied
3e or duplicated,
24

Controls White Box
Relies on in-depth understanding of the
internal logic of the application

Uses small volume of carefully crafted,
custom test transactions to verify specific
aspects of logic and controls
Allows auditors to conduct precise test with
known outcomes, which can be compared
objectively to actual results

copied
3e or duplicated,
25
White Box Test Methods

1) Authenticity tests:
Individuals / users
Programmed procedure
Messages to access system (e.g., logons)
All-American University, student lab: logon, reboot,
logon *
2) Accuracy tests:
System only processes data values that conform

to specified tolerances
3) Completeness tests:
Identify missing data (field, records, files)

copied
3e or duplicated,
26
White Box Test Methods

4) Redundancy tests:
Process each record exactly once
5) Audit trail tests:
Ensure application and/or system creates an

adequate audit trail
Transactions listing
Error files or reports for all exceptions
6) Rounding error tests:
Salami slicing
Monitor activities excessive ones are serious
exceptions; e.g, rounding and thousands of
entries into a single account for $1 or 1

copied
3e or duplicated,
27
Computer Aided Audit Tools and

Controls(CAATTs)
1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS
copied
3e or duplicated,
28
#1 Test Data
Used to establish the application processing
integrity
Uses a test deck
Valid data
Purposefully selected invalid data
Every possible:
Input error
Logical processes
Irregularity
Procedures:
1) Predetermined results and expectations
2) Run test deck
3) Compare
copied
3e or duplicated,
29
#2 Base Case System

Evaluation (BCSE)
Variant of Test Data method
Comprehensive test data
Repetitive testing throughout SDLC
When application is modified, subsequent test
(new) results can be compared with previous

results (base)

copied
3e or duplicated,
30
#3 Tracing
Test data technique that takes step-by-step
walk through application

1) The trace option must be enabled for the application
2) Specific data or types of transactions are created as
test data
3) Test data is traced through all processing steps of
the application, and a listing is produced of all lines of

code as executed (variables, results, etc.)
Excellent means of debugging a faculty
program

copied
3e or duplicated,
31
Test Data: Advantages and Disadvantages

Advantages of test data
1) They employ white box approach, thus providing explicit
evidence
2) Can be employed with minimal disruption to operations
3) They require minimal computer expertise on the part of
the auditors
Disadvantages of test data

1) Auditors must rely on IS personnel to obtain a copy of
the application for testing

2) Audit evidence is not entirely independent
3) Provides static picture of application integrity
4) Relatively high cost to implement,
auditing inefficiency
copied
3e or duplicated,
32
#4 Integrated Test Facility

ITF is an automated technique that allows auditors
to test logic and controls during normal operations

Set up a dummy entity within the application system
1) Set up a dummy entity within the application system
2) System able to discriminate between ITF audit module
transactions and routine transactions

3) Auditor analyzes ITF results against expected results

copied
3e or duplicated,
33
#5 Parallel Simulation
Auditor writes or obtains a copy of the program that
simulates key features or processes to be reviewed

/ tested
1) Auditor gains a thorough understanding of the application
under review
2) Auditor identifies those processes and controls critical to
the application
3) Auditor creates the simulation using program or
Generalized Audit Software (GAS)
4) Auditor runs the simulated program using selected data
and files
5) Auditor evaluates results and reconciles differences

copied
3e or duplicated,
34

Computer-Aided Audit Tools and Techniques: IT Auditing, Hall, 3e

Uploaded by

Copyright:

Available Formats

Computer-Aided Audit Tools and Techniques: IT Auditing, Hall, 3e

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Computer-Aided Audit Tools and Techniques: IT Auditing, Hall, 3e

Uploaded by

Copyright:

Available Formats

Chapter 7:

Computer-Aided Audit Tools

Introduction to Input Controls

Designed to ensure that the transactions that bring

Data input procedures can be either:

Source document input requires human

Direct input employs real-time editing techniques to

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

Classes of Input Controls

#1-Source Document Controls

are needed over source documents to

Use pre-numbered source documents

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

#2-Data Coding Controls

Control = Check digits

Introduces storage and processing inefficiencies

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

transaction data esp. paper-fed IS

system and all processes (i.e., not JUST an

Requires grouping of similar input transactions

Batch transmittal sheet (batch control record) Figure

Unique batch number (serial #)

Batch control log Figure 7-3

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

the source of the transaction

#5-Input Error Connection

completely and accurately

processed, resubmit corrected records

3) Reject the Entire Batch

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

#6-Generalized Data Input Systems

for all transaction processing systems

system perform all data validation

1) Generalized Validation Module

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

Classes of Processing Controls

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

Use batch figures to monitor

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

When operator manually enters

Preference is to derive by logic

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

#3-Audit Trail Controls

Every transaction becomes traceable from

Each processing step is documented

Preservation is key to auditability of AIS

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

Ensure system output:

Batch systems more susceptible to exposure,

Many steps from printer to end user

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

Output spooling risks:

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

Print Program Controls

Employ output document controls similar to source document

Unauthorized browsing of sensitive data by employees

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,

2011 Cengage Learning. All Rights Reserved. May not be scanned,Hall,