Computer-Assisted Audit

Tools and Techniques

Chapter 7
Application Controls
• Input Controls
• Source document controls
• Use Pre-numbered Source Documents
• Use Source Documents in Sequence
• Periodically Audit Source Documents
• Data coding controls
• Transcription errors
• Addition errors
• Truncation errors
• Substitution errors
• Transposition errors
• Single transposition errors
• Multiple transposition errors
 • Check Digits
• A check digit is a control digit (or digits) added to the code when it is originally assigned that
allows the integrity of the code to be established during subsequent processing.
• Batch controls
• Batch controls are an effective method of managing high volumes of transaction data
through a system. The objective of batch control is to reconcile output produced by the
system with the input originally entered into the system.
• Hash Totals
• The term hash total, which was used in the preceding discussion, refers to a simple control
technique that uses nonfinancial data to keep track of the records in a batch.
• Validation controls
• Input validation controls are intended to detect errors in transaction data before the data
are processed.
• Field interrogation involves programmed procedures that examine the characteristics of
the data in the field.
• Missing data checks are used to examine the contents of a field for the presence of blank
spaces.
• Numeric-alphabetic data checks determine whether the correct form of data is in a field.
• Zero-value checks are used to verify that certain fields are filled with zeros.
• Limit checks determine if the value in the field exceeds an authorized limit.
• Range checks assign upper and lower limits to acceptable data values.
• Validity checks compare actual values in a field against known acceptable values.
• Check digit controls identify keystroke errors in key fields by testing the internal validity of
the code.
• Record interrogation procedures validate the entire record by examining the
interrelationship of its field values.
 • Reasonableness checks determine if a value in one field, which has already passed a limit check
and a range check, is reasonable when considered along with other data fields in the record
• Sign checks are tests to see if the sign of a field is correct for the type of record being processed.
• Sequence checks are used to determine if a record is out of order.
• File interrogation ensures that the correct file is being processed by the system.
• Internal label checks verify that the file processed is the one the program is actually calling for.
• Version checks are used to verify that the version of the file being processed is correct.
• Expiration date check prevents a file from being deleted before it expires.
• Input error correction
• Correct Immediately
• Create an Error File
• Reject the Batch
• Generalized data input systems
• Generalized validation module
• The generalized validation module (GVM) performs standard validation routines that are
common to many different applications.
• Validated data file
• This is a temporary holding file through which validated transactions flow to their respective
applications.
• Error file
• Error records detected during validation are stored in the file, corrected, and then resubmitted
to the GVM.
• Error reports
• Standardized error reports are distributed to users to facilitate error correction.
 • Transaction log
• The transaction log is a permanent record of all validated transactions.

• Processing Controls
• Run-to-Run Controls
• Recalculate Control Totals
• Transaction Codes
• The transaction code of each record in the batch is compared to the transaction code contained
in the control record.
• Sequence Checks
• The sequence check control compares the sequence of each record in the batch with the
previous record to ensure that proper sorting took place.
• Operator Intervention Controls
 • Audit Trail Controls
• Transaction Logs
• Log of Automatic Transactions
• Listing of Automatic Transactions
• Unique Transaction Identifiers
• Error Listing
• Output Controls
• Output controls ensure that system output is not lost, misdirected, or corrupted
and that privacy is not violated.
• Controlling Batch Systems Output
• Output Spooling
• Print Programs
• Bursting
• Waste
• Data Control
• Report Distribution
• End User Controls
• Controlling Real-Time Systems Output
Testing Computer Application Controls
• Black-Box Approach
• Auditors testing with the black-box approach do not rely on a detailed
knowledge of the application’s internal logic.
• White-Box Approach
• The white-box approach relies on an in-depth understanding of the internal
logic of the application being tested.
• Authenticity tests verify that an individual, a programmed procedure, or a message
attempting to access a system is authentic.
• Accuracy tests ensure that the system processes only data values that conform to
specified tolerances.
• Completeness tests identify missing data within a single record and entire records missing
from a batch.
• Redundancy tests determine that an application processes each record only once.
• Access tests ensure that the application prevents authorized users from unauthorized
access to data.
• Audit trail tests ensure that the application creates an adequate audit trail.
• Rounding error tests verify the correctness of rounding procedures.
Computer-Aided Audit Tools and Techniques
for Testing Controls
• Test Data Method
• The test data method is used to establish application integrity by processing
specially prepared sets of input data through production applications that are
under review.
• Creating Test Data
• Base Case System Evaluation
• Tracing
• The Integrated Test Facility
• The integrated test facility (ITF) approach is an automated technique that
enables the auditor to test an application’s logic and controls during its normal
operation.
• Parallel Simulation
• Parallel simulation requires the auditor to write a program that simulates key
features or processes of the application under review.