computer assisted audit tools and technique

Post on 15-Apr-2016

COMPUTER ASSISTED AUDIT TOOLS AND TECHNIQUE

CHAPTER 7

APPLICATION CONTROLS

• Application controls are programmed procedures designed to deal with potential exposures that threaten specific applications, such as payroll, purchases, and cash disbursements systems.

• Application controls fall into three broad categories: input controls, processing controls, and output controls

Input Controls

• Input controls (IC) are designed to ensure that input transactions are valid, accurate, and complete.

• Data input procedures can be either source document-triggered (batch) or direct input (real time)

Classes of Input Control

• Source document controls
• Data coding controls
• Batch controls
• Validation controls
• Input error correction
• Generalized data input systems

1. Source Document Controls

• Use Pre-numbered Source Documents.
• Use Source Documents in Sequence.
• Periodically Audit Source Documents.

2. Data Coding Controls

• Coding controls are checks on the integrity of data codes used in processing

• Three types of errors can corrupt data codes and cause processing errors:
– transcription errors
  • addition
  • truncation
  • substitution
– single transposition errors, and
– multiple transposition errors

How to detect coding errors

• Check digits: a control digit (or digits) added to the code when it is originally assigned that allows the integrity of the code to be established during subsequent processing
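The following is an added example, not part of the original slides: a check digit assigned to a code and re-verified during processing, run against each error type listed above. The modulus-11 weighting, the function names and the sample code 5372 are assumptions chosen for illustration; an unweighted digit sum is included to show why position weights matter for transposition errors.

```python
# Added example: modulus-11 check digit. The scheme and weights are assumptions;
# the slides name check digits but no particular algorithm.

def mod11_check_digit(base: str) -> str:
    """Check character for a numeric base code of at most 9 digits."""
    if not base.isdigit() or len(base) > 9:
        raise ValueError("base code must be 1-9 digits")
    # Weights 2, 3, 4, ... run from the rightmost digit leftwards, so each
    # position contributes differently and swapped digits change the sum.
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)

def sum_check_digit(base: str) -> str:
    """Unweighted digit sum, shown for contrast: it is blind to digit order."""
    return str(sum(int(d) for d in base) % 10)

def is_valid(code: str, scheme=mod11_check_digit) -> bool:
    """Recompute the check character during processing and compare."""
    if len(code) < 2:
        return False
    base, check = code[:-1], code[-1]
    return base.isdigit() and len(base) <= 9 and scheme(base) == check

# Constructed sample: base code 5372 and corrupted variants keyed by error type.
GOOD = "5372" + mod11_check_digit("5372")
CORRUPTED = {
    "addition": "537224",
    "truncation": "5374",
    "substitution": "53824",
    "single transposition": "35724",
    "multiple transposition": "27354",
}

def detection_report(scheme=mod11_check_digit) -> dict:
    """Map each error type to True when the scheme rejects the corrupted code."""
    check = scheme("5372")  # check character as originally assigned
    return {kind: not is_valid(bad[:-1] + check, scheme)
            for kind, bad in CORRUPTED.items()}
```
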

3. Batch Control

• An effective method of managing high volumes of transaction data through a system.
• The objective is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
– All records in the batch are processed.
– No records are processed more than once.
– An audit trail of transactions is created from input through processing to the output stage of the system.

• Hash total: uses nonfinancial data
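An added example (not from the original slides) of reconciling system output against a batch control record. The field names, batch number and sample orders are constructed; the substituted batch shows a case where record count and financial control total still agree and only the hash total reveals the change.

```python
from collections import Counter
from decimal import Decimal

def control_record(batch_no, records):
    """Batch control record: the figures prepared when the batch is assembled."""
    return {
        "batch_no": batch_no,
        "record_count": len(records),
        "control_total": sum(Decimal(r["amount"]) for r in records),  # financial
        "hash_total": sum(r["order_no"] for r in records),            # nonfinancial
    }

def reconcile(control, processed):
    """Compare system output with the control record; return a list of findings."""
    actual = control_record(control["batch_no"], processed)
    findings = [f"{k}: expected {control[k]}, got {actual[k]}"
                for k in ("record_count", "control_total", "hash_total")
                if actual[k] != control[k]]
    counts = Counter(r["order_no"] for r in processed)
    repeated = sorted(n for n, c in counts.items() if c > 1)
    if repeated:
        findings.append(f"processed more than once: {repeated}")
    return findings

# Constructed sample batch of sales orders (all values are illustrative).
BATCH = [
    {"order_no": 1001, "amount": "150.00"},
    {"order_no": 1002, "amount": "75.50"},
    {"order_no": 1003, "amount": "20.25"},
]
CONTROL = control_record("B-0001", BATCH)

# Order 1002 replaced by a different order with the same amount: record count
# and control total still agree, so only the hash total exposes the change.
SUBSTITUTED = [BATCH[0], {"order_no": 1009, "amount": "75.50"}, BATCH[2]]
DROPPED = BATCH[:2]                 # one record lost in processing
DUPLICATED = BATCH + [BATCH[0]]     # one record processed twice
```
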

4. Validation Controls

• Validation controls (VC) are intended to detect errors in transaction data before the data are processed

• There are three levels of input validation controls:
a. Field interrogation
b. Record interrogation
c. File interrogation

a. Field Interrogation

• Examine the characteristics of the data in the field

• Missing data checks
• Numeric-alphabetic data checks
• Zero-values checks
• Limit checks
• Range checks

b. Record interrogation

• Validate the entire record by examining the interrelationship of its field values

• Reasonableness checks
• Sign checks
• Sequence checks

c. File interrogation

• Ensure that the correct file is being processed by the system

• Internal label checks
• Version checks
• Expiration date checks

5. Input error correction

• Correct immediately
• Create an error file
• Reject the entire batch

6. Generalized Data Input Systems (GDIS)

• Centralized procedures to manage the data input for all of the organization’s transaction processing systems

• Advantages:
– It improves control by having one common system perform all data validation.
– GDIS ensures that each AIS application applies a consistent standard for data validation.
– GDIS improves systems development efficiency.

• Five components of GDIS:
– Generalized validation module (GVM)
– Validated data file
– Error file
– Error reports
– Transaction log
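An added example, not from the original slides, of a small generalized validation module that applies the field and record interrogation checks from section 4 and routes each record to a validated data file or an error file while writing a transaction log. The payroll fields, the 60-hour limit, the pay bands per job class and the sample batch are all constructed assumptions.

```python
import re
from decimal import Decimal

FIELDS = ("txn_id", "job_class", "hours", "rate")
HOURS_LIMIT = Decimal("60")                               # constructed limit
RATE_BY_CLASS = {"clerk": (8, 20), "manager": (20, 60)}   # constructed pay bands

def number(text):
    """Return a Decimal, or None when the text is not a plain decimal number."""
    text = str(text).strip()
    return Decimal(text) if re.fullmatch(r"-?\d+(\.\d+)?", text) else None

def field_errors(rec):
    """Field interrogation: each field is examined on its own."""
    errs = []
    for f in FIELDS:
        if not str(rec.get(f, "")).strip():
            errs.append(f"missing data: {f}")
        elif f in ("hours", "rate") and number(rec[f]) is None:
            errs.append(f"numeric check: {f}")
    if (number(rec.get("hours")) or 0) > HOURS_LIMIT:
        errs.append("limit check: hours")
    return errs

def record_errors(rec, previous_id):
    """Record interrogation: relationships between field values."""
    errs, rate = [], number(rec["rate"])
    low, high = RATE_BY_CLASS.get(rec["job_class"], (rate, rate))
    if not low <= rate <= high:
        errs.append("reasonableness check: rate for job_class")
    if previous_id is not None and rec["txn_id"] <= previous_id:
        errs.append("sequence check: txn_id")
    return errs

def gvm(batch):
    """Route records to the validated data file or the error file; log each one."""
    validated, error_file, log, previous_id = [], [], [], None
    for rec in batch:
        errs = field_errors(rec)
        if not errs:  # record-level checks need clean fields
            errs = record_errors(rec, previous_id)
            previous_id = rec["txn_id"]
        (error_file if errs else validated).append((rec, errs) if errs else rec)
        log.append((rec.get("txn_id"), "rejected" if errs else "accepted"))
    return validated, error_file, log

# Constructed sample batch of payroll transactions.
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (1, "clerk", "40", "15"), (2, "clerk", "4O", "15"), (3, "clerk", "40", "55"),
    (3, "manager", "40", "55"), (5, "", "75", "30")]]
```
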

Processing Controls

• Run-to-Run controls
• Operator intervention controls
• Audit Trail Controls

1. Run-to-Run Controls

• Use batch figures to monitor the batch as it moves from one programmed procedure (run) to another
– Recalculate Control Totals
– Transaction Codes
– Sequence Checks

2. Operator Intervention Controls

• Systems sometimes require operator intervention to initiate certain actions, such as entering control totals for a batch of records, providing parameter values for logical operations, and activating a program from a different point when reentering semi-processed error records

3. Audit Trail Controls

• Transaction Logs
– Log of Automatic Transactions
– Listing of Automatic Transactions
– Unique Transaction Identifiers
– Error Listing

Output Controls

• Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated

• Controlling Batch Systems Output
– Output Spooling
– Print Programs
– Bursting
– Waste
– Data control
– Report distribution
– End user control

TESTING COMPUTER APPLICATION CONTROLS

• (1) the black box (around the computer) approach and

• (2) the white box (through the computer) approach

The Black-Box Approach

• Does not rely on a detailed knowledge of the application’s internal logic

• The advantage of the black-box approach is that the application need not be removed from service and tested directly

White-Box Approach

• relies on an in-depth understanding of the internal logic of the application being tested.

• Authenticity tests, which verify that an individual, a programmed procedure, or a message (such as an EDI transmission) attempting to access a system is authentic

• Accuracy tests, which ensure that the system processes only data values that conform to specified tolerances. Examples include range tests, field tests, and limit tests.

• Completeness tests, which identify missing data within a single record and entire records missing from a batch. The types of tests performed are field tests, record sequence tests, hash totals, and control totals

• Redundancy tests, which determine that an application processes each record only once

• Access tests, which ensure that the application prevents authorized users from unauthorized access to data. Access controls include passwords, authority tables, user defined procedures, data encryption, and inference controls.

• Audit trail tests, which ensure that the application creates an adequate audit trail.

• Rounding error tests, which verify the correctness of rounding procedures

CAATT for testing controls

• the test data method, which includes
– base case system evaluation and
– tracing,
• integrated test facility, and
• parallel simulation

Test data method

• The test data method is used to establish application integrity by processing specially prepared sets of input data through production applications that are under review.

• The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic and control effectiveness

• Any deviations between the actual results obtained and those expected by the auditor may indicate a logic or control problem

• Three methods of the test data approach:
– Creating test data: prepare a set of both valid and invalid transactions
– Base case system evaluation (BCSE): test transactions containing all possible transaction types
– Tracing: an electronic walkthrough of the application’s internal logic

• Three primary advantages of test data techniques:
– They employ through-the-computer testing, thus providing the auditor with explicit evidence concerning application functions.
– If properly planned, test data runs can be employed with only minimal disruption to the organization’s operations.
– They require only minimal computer expertise on the part of auditors.

• The primary disadvantage of all test data techniques is that auditors must rely on computer services personnel to obtain a copy of the application for test purposes

The Integrated Test Facility

• ITF approach is an automated technique that enables the auditor to test an application’s logic and controls during its normal operation

• Advantages of ITF
– ITF supports ongoing monitoring of controls as required by SAS 78
– Applications with ITF can be economically tested without disrupting the user’s operations and without the intervention of computer services personnel

• Disadvantages of ITF
– The potential for corrupting the data files of the organization with test data

Parallel Simulation

• Parallel simulation requires the auditor to write a program that simulates key features or processes of the application under review

• The steps involved in performing parallel simulation testing are outlined here.
1. The auditor must first gain a thorough understanding of the application under review. Complete and current documentation of the application is required to construct an accurate simulation.
2. The auditor must then identify those processes and controls in the application that are critical to the audit. These are the processes to be simulated.
3. The auditor creates the simulation using a 4GL or generalized audit software (GAS).
4. The auditor runs the simulation program using selected production transactions and master files to produce a set of results.
5. Finally, the auditor evaluates and reconciles the test results with the production results produced in a previous run.
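An added example, not from the original slides, of steps 3 to 5: the auditor's own coding of one critical process, run over production inputs and reconciled with the earlier production results. Python stands in for the 4GL or GAS, and the overtime rule, employee IDs and amounts are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

def simulate_gross_pay(hours, rate):
    """Auditor's own coding of the documented rule: time-and-a-half over 40 hours
    (a constructed rule standing in for the application's documentation)."""
    regular = min(hours, Decimal("40"))
    overtime = max(hours - Decimal("40"), Decimal("0"))
    gross = regular * rate + overtime * rate * Decimal("1.5")
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def reconcile(transactions, master, production):
    """Run the simulation over production inputs and list every difference."""
    exceptions = []
    for txn in transactions:
        emp = txn["emp_id"]
        if emp not in master:
            exceptions.append((emp, "not on master file", None, production.get(emp)))
            continue
        expected = simulate_gross_pay(Decimal(txn["hours"]), master[emp])
        actual = production.get(emp)
        if actual is None:
            exceptions.append((emp, "missing from production output", expected, None))
        elif actual != expected:
            exceptions.append((emp, "amount differs", expected, actual))
    # Output with no matching input is reported as well.
    for emp in sorted(production.keys() - {t["emp_id"] for t in transactions}):
        exceptions.append((emp, "no input transaction", None, production[emp]))
    return exceptions

# Constructed data standing in for selected production files.
MASTER = {"E01": Decimal("20.00"), "E02": Decimal("18.50"), "E03": Decimal("30.00")}
TRANSACTIONS = [{"emp_id": "E01", "hours": "40"}, {"emp_id": "E02", "hours": "45"},
                {"emp_id": "E03", "hours": "38.5"}]
# Results of the previous production run: E02 was paid straight time for
# overtime hours, and E09 was paid without any input transaction.
PRODUCTION = {"E01": Decimal("800.00"), "E02": Decimal("832.50"),
              "E03": Decimal("1155.00"), "E09": Decimal("500.00")}
```
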
