CHAPTER 7part2 Jordan


CHAPTER 7

Computer-Assisted Audit Tools and Techniques
OPERATOR INTERVENTION CONTROL

• Systems sometimes require operator intervention to initiate certain actions,
such as entering control totals for a batch of records, providing parameter
values for logical operations, and activating a program from a different
point when reentering semi-processed error records.
• Operator intervention increases the potential for human error.
• Systems that limit operator intervention through operator intervention
controls are thus less prone to processing errors.
AUDIT TRAILS CONTROL
• The preservation of an audit trail is an important objective of process
control. In an accounting system, every transaction must be traceable
through each stage of processing from its economic source to its presentation
in the financial statements.
• In an automated environment, the audit trail can become fragmented and
difficult to follow. It thus becomes critical that each major operation applied to a
transaction be thoroughly documented.
• Techniques used to preserve audit trails in computer-based accounting systems:
1. Transaction Logs
-Every transaction successfully processed by the system should be recorded on a
transaction log, which serves as a journal.
-The system should produce a hard copy transaction listing of all successful transactions. These
listings should go to the appropriate users to facilitate reconciliation with input.
Two reasons for creating a transaction log:
• First, the transaction log is a permanent record of transactions. The validated transaction file
produced at the data input phase is usually a temporary file. Once processed, the records on this file
are erased (scratched) to make room for the next batch of transactions.
• Second, not all of the records in the validated transaction file may be successfully processed. Some of
these records may fail tests in the subsequent processing stages. A transaction log should contain only
successful transactions, those that have changed account balances. Unsuccessful transactions should be
placed in an error file. The transaction log and error files combined should account for all the
transactions in the batch. The validated transaction file may then be scratched with no loss of data.
2. Log of Automatic Transactions
-Some transactions are triggered internally by the system. An example of this is
when inventory drops below a preset reorder point, and the system automatically
processes a purchase order. To maintain an audit trail of these activities, all internally
generated transactions must be placed in a transaction log.
3. Listing of Automatic Transactions
-To maintain control over automatic transactions processed by the system, the
responsible end user should receive a detailed listing of all internally generated
transactions.
4. Unique Transaction Identifiers
-Each transaction processed by the system must be uniquely identified with a
transaction number. This is the only practical means of tracing a particular
transaction through a database of thousands or even millions of records.
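Added example (not from the original slides): a Python check of the rule that the transaction log and error file together must account for every record in the validated batch, traced by unique transaction number and confirmed by a control total. The record layout (txn_id, amount) and the sample batch are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

def reconcile_batch(validated, txn_log, error_file):
    """Confirm the log and error file account for each validated record exactly once."""
    expected = Counter(t["txn_id"] for t in validated)
    accounted = Counter(t["txn_id"] for t in txn_log + error_file)
    total_in = sum(Decimal(t["amount"]) for t in validated)
    total_out = sum(Decimal(t["amount"]) for t in txn_log + error_file)
    result = {
        # validated records that reached neither the log nor the error file
        "missing": sorted(set(expected) - set(accounted)),
        # records in the outputs that were never in the validated batch
        "unexpected": sorted(set(accounted) - set(expected)),
        # IDs logged twice, or present in both the log and the error file
        "duplicated": sorted(i for i, n in accounted.items() if n > 1),
        # transaction numbers reused within the input batch itself
        "reused_ids": sorted(i for i, n in expected.items() if n > 1),
        "control_total_difference": total_in - total_out,
    }
    result["balanced"] = (total_in == total_out and not any(
        result[k] for k in ("missing", "unexpected", "duplicated", "reused_ids")))
    return result

# Constructed sample batch (illustrative values only).
VALIDATED = [
    {"txn_id": "T1001", "amount": "100.00"},
    {"txn_id": "T1002", "amount": "250.50"},
    {"txn_id": "T1003", "amount": "75.25"},
    {"txn_id": "T1004", "amount": "40.00"},
    {"txn_id": "T1005", "amount": "310.00"},
]
TXN_LOG = [VALIDATED[0], VALIDATED[1], VALIDATED[3], VALIDATED[3]]  # T1004 posted twice
ERROR_FILE = [VALIDATED[2]]                                         # T1003 failed a later test

if __name__ == "__main__":
    for key, value in reconcile_batch(VALIDATED, TXN_LOG, ERROR_FILE).items():
        print(f"{key}: {value}")
```

Only when the result is balanced can the validated transaction file be scratched with no loss of data.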
OUTPUT CONTROL
• Output controls ensure that system output is not lost, misdirected, or
corrupted and that privacy is not violated. Exposures of this sort can cause
serious disruptions to operations and may result in financial losses to a firm.
• If the privacy of certain types of output is violated, a firm could have its
business objectives compromised, or it could even become legally exposed.
CONTROLLING BATCH SYSTEMS OUTPUT
• Batch systems usually produce output in the form of hard copy, which typically requires the
involvement of intermediaries in its production and distribution.
Techniques for Controlling each phase in the output process:
• Output Spooling- In large-scale data-processing operations, output devices such as line printers can become
backlogged with many programs simultaneously demanding these limited resources. This backlog can
cause a bottleneck, which adversely affects the throughput of the system. Applications waiting to print output
occupy computer memory and block other applications from entering the processing stream. To ease this
burden, applications are often designed to direct their output to a magnetic disk file rather than to the printer
directly. This is called output spooling.
The creation of an output file as an intermediate step in the printing process presents an added exposure. A
computer criminal may use this opportunity to perform any of the following unauthorized acts:
• Access the output file and change critical data values (such as dollar amounts on checks).
Using this technique, a criminal may effectively circumvent the processing controls designed into the application.
• Access the file and change the number of copies of output to be printed. The extra copies may then be removed
without notice during the printing stage.
• Make a copy of the output file to produce illegal output reports.
• Destroy the output file before output printing takes

• Print Programs- When the printer becomes available, the print run program produces hard copy output from
the output file. Print programs are often complex systems that require operator intervention.
Four common types of operator actions:
1. Pausing the print program to load the correct type of output documents (check stocks, invoices, or other
special forms).
2. Entering parameters needed by the print run, such as the number of copies to be printed.
3. Restarting the print run at a prescribed checkpoint after a printer malfunctions.
4. Removing printed output from the printer for review and distribution.
Print program controls are designed to deal with two types of exposures presented by this environment:
(1) The production of unauthorized copies of output and
(2) Employee browsing of sensitive data.

• Bursting- When output reports are removed from the printer, they go to the bursting stage to have their pages
separated and collated. The concern here is that the bursting clerk may make an unauthorized copy of the report,
remove a page from the report, or read sensitive information. The primary control against these exposures is
supervision. For very sensitive reports, bursting may be performed by the end user.
• Waste- Computer output waste represents a potential exposure. It is important to dispose properly of aborted reports and
the carbon copies from multipart paper removed during bursting.
• Data Control- The data control group is responsible for verifying the accuracy of computer output before it is
distributed to the user.
• Report Distribution- The primary risks associated with report distribution include reports being lost, stolen, or
misdirected in transit to the user. A number of control measures can minimize these exposures.
Distribution techniques that can be used:
-The reports may be placed in a secure mailbox to which only the user has the key.
-The user may be required to appear in person at the distribution center and sign for the report.
-A security officer or special courier may deliver the report to the user.
• End User Controls- Once in the hands of the user, output reports should be reexamined for any errors that may
have evaded the data control clerk’s review. Users are in a far better position to identify subtle errors in reports
that are not disclosed by an imbalance in control totals.
Factors influencing the length of time a hard copy report is retained include:
-Statutory requirements specified by government agencies, such as the IRS
-The number of copies of the report in existence
-The existence of magnetic or optical images of reports that can act as permanent backup
CONTROLLING REAL-TIME SYSTEMS OUTPUT
• Real-time systems direct their output to the user’s computer screen, terminal, or
printer. This method of distribution eliminates the various intermediaries in the
journey from the computer center to the user and thus reduces many of the
exposures previously discussed.
Types of Exposure:
(1) Exposures from equipment failure
(2) Exposures from subversive acts, whereby a computer criminal intercepts the
output message transmitted between the sender and the receiver.
TESTING COMPUTER APPLICATION CONTROLS
Control testing techniques provide information about the accuracy and completeness of an application’s processes. These tests
follow two general approaches: (1) the black-box (around the computer) approach and (2) the white-box (through the computer)
approach.
• BLACK-BOX APPROACH
-Auditors testing with the black-box approach do not rely on a detailed knowledge of the application’s internal logic.
-The advantage of the black-box approach is that the application need not be removed from service and tested directly. This
approach is feasible for testing applications that are relatively simple.
• WHITE-BOX APPROACH
-The white-box approach relies on an in-depth understanding of the internal logic of the application being tested. The white-box
approach includes several techniques for testing application logic directly. These techniques use small numbers of specially created
test transactions to verify specific aspects of an application’s logic and controls.
Types of Tests of Control:
• Authenticity Tests- which verify that the individual, programmed procedure, or message (such as an EDI transmission)
attempting to access a system is authentic. Authenticity controls include user IDs, passwords, valid vendor codes, and authority
tables.
• Accuracy Tests- which ensure that the system processes only data values that conform to specified tolerances. Examples include range
tests and limit tests.
• Completeness Tests- which identify missing data within a single record and entire records missing from a batch. The types of
tests performed are field tests, record sequence tests, hash totals, and control totals.
• Redundancy Tests- which determine that an application processes each record only once.
Redundancy controls include the reconciliation of batch totals, record counts, hash totals, and
financial control totals.
• Access Tests- which ensure that the application prevents authorized users from unauthorized
access to data. Access controls include passwords, authority tables, user-defined procedures,
data encryption, and inference controls.
• Audit Trail Tests- which ensure that the application creates an adequate audit trail. This includes
evidence that the application records all transactions in a transaction log, posts data values to the
appropriate accounts, produces complete transaction listings, and generates error files and
reports for all exceptions.
• Rounding Error Tests- which verify the correctness of rounding procedures. Rounding errors
occur in accounting information when the level of precision used in the calculation is greater than
that used in the reporting.
-Rounding programs are particularly susceptible to salami frauds. Salami frauds
tend to affect a large number of victims, but the harm to each is immaterial. This type
of fraud takes its name from the analogy of slicing a large salami into many thin
pieces.
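Added example (not from the original slides): a Python rounding error test that recomputes interest at full precision and reconciles it with the posted amounts. The accumulator-based posting routine, the account names, the rate, and the tampered posting set are constructed assumptions; the tampered set shows why the test must reconcile the total, since each individual slice stays within rounding tolerance.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

def post_interest(balances, rate):
    """Round interest to the cent, carrying the rounding remainder in an accumulator."""
    accumulator, posted = Decimal("0"), {}
    for acct, balance in balances.items():
        exact = balance * rate
        rounded = exact.quantize(CENT, rounding=ROUND_HALF_UP)
        accumulator += exact - rounded
        if accumulator >= CENT:        # remainder has grown to a full cent: pay it out
            rounded, accumulator = rounded + CENT, accumulator - CENT
        elif accumulator <= -CENT:     # a full cent was over-paid: take it back
            rounded, accumulator = rounded - CENT, accumulator + CENT
        posted[acct] = rounded
    return posted

def rounding_error_test(balances, rate, posted):
    """Recompute at full precision and reconcile against the posted amounts."""
    exact = {acct: bal * rate for acct, bal in balances.items()}
    findings = []
    for acct, amount in posted.items():
        if acct not in exact:                       # credit to an account outside the run
            findings.append(("unexpected_account", acct))
        elif abs(amount - exact[acct]) > Decimal("0.015"):
            findings.append(("account_out_of_tolerance", acct))
    findings += [("missing_posting", a) for a in exact if a not in posted]
    shortfall = sum(exact.values()) - sum(posted.get(a, Decimal("0")) for a in exact)
    if abs(shortfall) >= CENT:                      # honest rounding never drifts a full cent
        findings.append(("unreconciled_total", shortfall))
    return findings

# Constructed sample data (illustrative values only).
RATE = Decimal("0.00375")
BALANCES = {"A-1": Decimal("1234.56"), "A-2": Decimal("987.65"),
            "A-3": Decimal("15000.10"), "A-4": Decimal("432.19"),
            "A-5": Decimal("2750.33")}
HONEST = post_interest(BALANCES, RATE)
# Tampered postings as an auditor might find them: every amount truncated,
# and the accumulated slices credited to an account outside the interest run.
TAMPERED = {a: (b * RATE).quantize(CENT, rounding=ROUND_DOWN) for a, b in BALANCES.items()}
TAMPERED["X-999"] = Decimal("0.01")

if __name__ == "__main__":
    print(rounding_error_test(BALANCES, RATE, HONEST))
    print(rounding_error_test(BALANCES, RATE, TAMPERED))
```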
COMPUTER-AIDED AUDIT TOOLS AND
TECHNIQUES FOR TESTING CONTROLS
• Test Data Method
-The test data method is used to establish application integrity by processing specially prepared sets of input data through
production applications that are under review. The results of each test are compared to predetermined expectations to obtain an
objective evaluation of application logic and control effectiveness.
• Creating Test Data
-Auditors must prepare a complete set of both valid and invalid transactions. If test data are incomplete, auditors might fail to
examine critical branches of application logic and error-checking routines.
• Base Case System Evaluation
-When the set of test data in use is comprehensive, the technique is called the base case system evaluation (BCSE). BCSE tests
are conducted with a set of test transactions containing all possible transaction types.
• Tracing
-Another type of test data technique, called tracing, performs an electronic walk-through of the application’s internal logic.
Three Steps of Tracing:
1. The application under review must undergo a special compilation to activate the trace option.
2. Specific transactions or types of transactions are created as test data.
3. The test data transactions are traced through all processing stages of the program, and a listing is produced of all
programmed instructions that were executed during the test.
• Advantages of Test Data Techniques
There are three primary advantages of all test data techniques:
(1) They employ through-the-computer testing.
(2) If properly planned, test data runs can be employed with only minimal disruption to the organization’s operations.
(3) They require only minimal computer expertise on the part of auditors.
• Disadvantages of Test Data Techniques
There are three primary disadvantages of all test data techniques:
(1) Auditors must rely on computer services personnel to obtain a copy of the application for test purposes.
(2) They provide a static picture of application integrity at a single point in time.
(3) Their relatively high cost of implementation, which results in audit inefficiency.
• The Integrated Test Facility
-The Integrated Test Facility (ITF) approach is an automated technique that enables the auditor to test an application’s logic and controls
during its normal operation.
-An ITF is one or more audit modules designed into the application during the systems development process.
-ITF databases contain “dummy” or test master file records integrated with legitimate records.
• Advantages of ITF
Two advantages of ITF:
(1) ITF supports ongoing monitoring of controls as required by SAS 78.
(2) Applications with ITF can be economically tested without disrupting the user’s operations and without intervention of
computer services personnel.
• Disadvantages of ITF
The primary disadvantage of ITF is the potential for corrupting the data files of the organization with test data.
This problem is remedied in two ways:
(1) Adjusting entries may be processed to remove the effects of ITF from general ledger account balances.
(2) Data files can be scanned by special software that removes the ITF transactions.

• Parallel Simulation
Parallel simulation requires the auditor to write a program that simulates key features or processes of the application
under review. The simulated application is then used to reprocess transactions that were previously processed by the
production application.
• Creating a Simulation Program
A simulation program can be written in any programming language. However, because of the one-time nature of this task, it is a
candidate for fourth-generation language generators.
Steps in Parallel Simulation Testing:
1. The auditor must first gain a thorough understanding of the application under review.
2. The auditor must then identify those processes and controls in the application that are critical to the audit.
3. The auditor creates the simulation using a 4GL or generalized audit software (GAS).
4. The auditor runs the simulation program using selected production transactions and master files to produce a set of results.
5. Finally, the auditor evaluates and reconciles the test results with the production results produced in a previous run.
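Added example (not from the original slides): steps 3 to 5 carried out in Python for a constructed accounts-receivable update whose critical control is a credit-limit check. The master file, transactions, record layout, and the production results being reconciled are all illustrative assumptions.

```python
from decimal import Decimal

def simulate(master, transactions):
    """Auditor's independent model: post sales and payments, enforcing the credit limit."""
    balances = {cust: rec["balance"] for cust, rec in master.items()}
    rejected = []
    for txn in transactions:
        cust, amount = txn["customer"], txn["amount"]
        if cust not in master or txn["type"] not in ("SALE", "PAYMENT"):
            rejected.append(txn["txn_id"])          # unknown customer or type
        elif txn["type"] == "PAYMENT":
            balances[cust] -= amount
        elif balances[cust] + amount > master[cust]["credit_limit"]:
            rejected.append(txn["txn_id"])          # sale would breach the limit
        else:
            balances[cust] += amount
    return balances, rejected

def reconcile(simulated, production):
    """List every point where the production run disagrees with the simulation."""
    (sim_bal, sim_rej), (prod_bal, prod_rej) = simulated, production
    customers = sorted(set(sim_bal) | set(prod_bal))
    return {
        "balance_differences": {c: (sim_bal.get(c), prod_bal.get(c))
                                for c in customers if sim_bal.get(c) != prod_bal.get(c)},
        "rejected_only_by_simulation": sorted(set(sim_rej) - set(prod_rej)),
        "rejected_only_by_production": sorted(set(prod_rej) - set(sim_rej)),
    }

# Constructed master file and transactions (illustrative values only).
D = Decimal
MASTER = {"C100": {"balance": D("900"), "credit_limit": D("1000")},
          "C200": {"balance": D("0"), "credit_limit": D("500")}}
TRANSACTIONS = [
    {"txn_id": "T1", "customer": "C100", "type": "SALE", "amount": D("50")},
    {"txn_id": "T2", "customer": "C100", "type": "SALE", "amount": D("200")},
    {"txn_id": "T3", "customer": "C100", "type": "PAYMENT", "amount": D("300")},
    {"txn_id": "T4", "customer": "C200", "type": "SALE", "amount": D("500")},
    {"txn_id": "T5", "customer": "C300", "type": "SALE", "amount": D("10")},
]
# Constructed stand-in for the results of the earlier production run.
PRODUCTION = ({"C100": D("850"), "C200": D("500")}, ["T5"])

if __name__ == "__main__":
    print(reconcile(simulate(MASTER, TRANSACTIONS), PRODUCTION))
```

Here the reconciliation isolates transaction T2: the simulation rejects it at the credit limit while the production results show it posted, which is the kind of discrepancy the auditor then investigates.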
