04.2 CAAT.pptx

Upload: fitria-indi-permata

Post on 09-Dec-2015

Page 1: 04.2 CAAT.pptx

Computer Assisted Audit Technology

Audit Around Computer

Audit Through Computer

Application Control

Testing Application Control

Page 3: 04.2 CAAT.pptx

LEARNING OBJECTIVES

After studying this chapter, you should:

Be familiar with the classes of transaction input controls used by accounting applications.

Understand the objectives and techniques used to implement processing controls, including run-to-run, operator intervention, and audit trail controls.

Understand the methods used to establish effective output controls for both batch and real-time systems.

Know the difference between black box and white box auditing.

Be familiar with the key features of the five CAATTs.


Page 4: 04.2 CAAT.pptx

Application controls:

“controls that pertain to the scope of individual business processes or application systems.”

(figure: application controls apply within the business process, the application, and the application system)

AC Objectives:

Input data: accurate, complete, authorized, and correct.

Data: processed as intended in an acceptable time period.

Data stored: accurate and complete.

Outputs: accurate and complete.

A record: maintained to track the process of data from input to storage and to the eventual output.

1. Defining Application Controls

Page 5: 04.2 CAAT.pptx

TYPES OF APPLICATION CONTROL

Defining Application Control

Input Controls – Check the integrity of data entered into a business application, to ensure that it remains within specified parameters.

Processing Controls – Provide an automated means to ensure processing is complete, accurate, and authorized.

Output Controls – Address what is done with the data and should compare output results with the intended result by checking the output against the input.

Integrity Controls – Monitor data being processed and in storage to ensure it remains consistent and correct.

Management Trail – As an audit trail, enables management to identify the transactions and events recorded by tracking transactions forward and backward. Monitors the effectiveness of other controls and identifies errors.

Page 6: 04.2 CAAT.pptx

Input controls at this stage are designed to ensure that these transactions are valid, accurate, and complete.

Data input procedures can be either:

source document-triggered (batch): human involvement and prone to clerical errors.

direct input (real time): real-time editing techniques.

Classes of Input Control

Input controls are divided into the following broad classes:

Source document controls

Data coding controls

Batch controls

Validation controls

Input error correction

Generalized data input systems


2. Input Controls

Page 7: 04.2 CAAT.pptx

SOURCE DOCUMENT CONTROLS

Use Pre-numbered Source Documents.

Use Source Documents in Sequence.

Periodically Audit Source Documents.

DATA CODING CONTROLS

Coding controls are checks on the integrity of data codes used in processing. A customer’s account number, an inventory item number, and a chart of accounts number are all examples of data codes.

Errors include transcription and transposition errors.

Check Digits = add an extra digit to detect transposition errors (ex: 5372 + 4).

Batch Controls = record transactions on a batch transmittal sheet, then input them into the system batch by batch.
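A check-digit routine, added here as an illustration and not taken from the slides: a modulus-11 scheme with weights 5, 4, 3, 2 reproduces the slide's "5372 + 4", and the constructed keystroke errors show why a transposition cannot slip past it. The weighting scheme is an assumption; the slide shows only the result.

```python
# Added example: modulus-11 check digit. Weights run from len(base)+1 down to 2,
# so a four-digit base code is weighted 5,4,3,2 (assumed scheme; it yields 5372 -> 4).

def mod11_check_digit(base: str) -> str:
    """Return the check digit for a numeric code using modulus 11."""
    if not base.isdigit():
        raise ValueError("base code must be numeric")
    weights = range(len(base) + 1, 1, -1)            # 5,4,3,2 for "5372"
    total = sum(int(d) * w for d, w in zip(base, weights))
    check = (11 - total % 11) % 11
    # a check value of 10 is not a single digit; real schemes substitute a
    # letter or reject the code, here it is marked with 'X'
    return "X" if check == 10 else str(check)

def append_check_digit(base: str) -> str:
    """Code as stored: base digits followed by the check digit."""
    return base + mod11_check_digit(base)

def is_valid_code(code: str) -> bool:
    """Re-derive the check digit from the leading digits and compare it."""
    base, check = code[:-1], code[-1]
    return base.isdigit() and mod11_check_digit(base) == check

def detected_errors(variants):
    """Return the variants the check digit rejects. Swapping two adjacent digits
    changes the weighted total by (d1 - d2) * 1, which is never a multiple of 11,
    so every adjacent transposition is caught."""
    return [v for v in variants if not is_valid_code(v)]

if __name__ == "__main__":
    code = append_check_digit("5372")
    print(code, is_valid_code(code))                 # 53724 True
    # constructed keystroke errors against 53724
    print(detected_errors(["53274",   # transposition 7 <-> 2
                           "35724",   # transposition 5 <-> 3
                           "53734"])) # single-digit transcription error
```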


2.1 Classes of Input Controls

Page 8: 04.2 CAAT.pptx

DATA CODING CONTROLS

Batch Controls: an effective method of managing high volumes of transactions. The objective is to reconcile the output produced by the system with the input originally entered into the system.

This provides assurance that all records are processed and that no record is processed more than once.



Audit trail of transactions is created from input through processing to the output.

The transmittal sheet captures the following information:

A unique batch number

A batch date

A transaction code

The number of records in the batch (record count)

The total dollar value of a financial field (batch control total)

The total of a unique nonfinancial field (hash total)

Page 9: 04.2 CAAT.pptx

DATA CODING CONTROLS

Hash Totals.

A simple control technique that uses nonfinancial data to keep track of the records in a batch. Any key field (a customer’s account number, a PO number, or an inventory item number) can be used to calculate a hash total.

For example, the sales order number (SO#) field for an entire batch of sales order records is summed to produce a hash total.

(figure: the SO# values of the batch summed to the hash total)

How can this number be of use? Assume that after this batch of records leaves data control, someone replaces one of the sales orders in the batch with a fictitious record of the same dollar amount.

How would the batch control procedures detect this irregularity?

The hash total, calculated by the batch control procedures, would not balance. Thus, the irregularity would be detected.
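The transmittal-sheet figures and the swapped-record scenario above, as an added example (not code from the slides): the record layout, batch values and the 999999 replacement order are constructed for illustration.

```python
# Added example: batch control figures (record count, batch control total, hash
# total) and what each one does and does not detect. Values are constructed.
from decimal import Decimal

# constructed batch: (sales order number, dollar amount)
BATCH = [
    ("143276", Decimal("1200.00")),
    ("734596", Decimal("89.50")),
    ("543453", Decimal("410.25")),
    ("783800", Decimal("56.00")),
]

def batch_control_figures(records):
    """Figures recorded on the transmittal sheet when the batch is created."""
    return {
        "record_count": len(records),
        "control_total": sum((amt for _, amt in records), Decimal("0")),
        # hash total: the sum of a nonfinancial key field, meaningless by itself
        # but sensitive to any change in which keys are present
        "hash_total": sum(int(so_number) for so_number, _ in records),
    }

def reconcile(transmittal, records):
    """Recompute the figures after processing and compare with the sheet."""
    recomputed = batch_control_figures(records)
    return {name: recomputed[name] == transmittal[name] for name in transmittal}

def swap_record(records, index, new_so_number):
    """Replace one record with a fictitious one of the same dollar amount."""
    out = list(records)
    out[index] = (new_so_number, out[index][1])
    return out

if __name__ == "__main__":
    sheet = batch_control_figures(BATCH)
    print(reconcile(sheet, BATCH))        # every figure balances
    tampered = swap_record(BATCH, 1, "999999")
    # record count and dollar total still balance; only the hash total differs
    print(reconcile(sheet, tampered))
```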


Page 10: 04.2 CAAT.pptx

VALIDATION CONTROLS

Intended to detect errors in transaction data before the data are processed. Validation procedures are most effective when they are performed as close to the source of the transaction as possible.

There are three levels of input validation controls:

1. Field interrogation: Examine the characteristics of the data in the field.

Missing data checks: examine the contents of a field for the presence of blank spaces.

Numeric-alphabetic data checks: determine the correct form of data in a field.

Zero-value checks: used to verify that certain fields are filled with zeros.

Limit checks: determine if the value in the field exceeds an authorized limit.

Range checks: assign upper and lower limits to acceptable data values.

Validity checks: compare actual values in a field against known acceptable values, to verify such things as transaction codes or vendor codes.

Check digit controls: identify keystroke errors in key fields by testing the internal validity of the code.


Page 11: 04.2 CAAT.pptx

VALIDATION CONTROLS

There are three levels of input validation controls:

2. Record interrogation: validate the entire record by examining the interrelationships of its field values.

Reasonableness checks determine if a value in one field, which has already passed a limit check and a range check, is reasonable when considered with other data fields in the record. Example: an employee’s pay rate of 18 dollars/hour falls within an acceptable range. However, this rate is excessive when compared to his job skill code of 693; this skill class never earns more than $12/hour.

Sign checks: verify that the sign of a field is correct for the type of record being processed. For example, in a sales order processing system, the dollar amount field must be positive (+) for sales orders but negative (-) for sales return transactions.

Sequence checks: to determine if a record is out of order. In batch systems that use sequential master files, the transaction files being processed must be sorted in the same order as the primary keys of the corresponding master file. Hence, before each transaction record is processed, its sequence is verified relative to the previous record processed.



Page 12: 04.2 CAAT.pptx

VALIDATION CONTROLS

There are three levels of input validation controls:

3. File interrogation: ensure that the correct file is being processed by the system.

Internal label checks: verify that the file processed is the one the program is actually calling for. Files stored on magnetic tape should have an internal header label that is placed at the beginning of the file.

Version checks: verify that the version of the file being processed is correct. In a grandparent–parent–child approach, many versions of files may exist.

Expiration date checks: prevent a file from being deleted before it expires.



(figure: internal label check and expiration date check)

Page 13: 04.2 CAAT.pptx

INPUT ERROR CORRECTION

When errors are detected in a batch, they must be corrected and the records resubmitted for reprocessing. Three common error handling techniques:

Correct Immediately: in the direct data validation approach, the system should halt the data entry procedure until the user corrects the error.

Create an Error File: when delayed validation is used, individual errors should be flagged to prevent them from being processed.

At the end of the validation procedure, the records flagged as errors are removed from the batch and placed in a temporary error holding file until the errors can be investigated and corrected; the corrected records are then resubmitted as a separate batch for reprocessing.

Reject the Batch. Some forms of errors are associated with the entire batch and are not clearly attributable to individual records. An example of this type of error is an imbalance in a batch control total.
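Field and record interrogation together with the error-handling paths above (error file for individual records, reject the whole batch when the control figures do not balance), as an added example that is not part of the slides. The payroll layout, the rate range and hours limit are assumptions; the skill code 693 cap of $12/hour is the slide's own example.

```python
# Added example: delayed (batch) validation of a constructed payroll batch.
from decimal import Decimal, InvalidOperation

# assumed validation parameters
RATE_RANGE = (Decimal("5"), Decimal("20"))    # range check on the hourly rate
MAX_HOURS = Decimal("60")                     # limit check on hours worked
SKILL_RATE_CAP = {"693": Decimal("12")}       # skill class 693 never earns > $12/hour

# constructed transmittal sheet and batch (hash total = sum of employee numbers)
TRANSMITTAL = {"record_count": 4, "hash_total": 1001 + 1002 + 1003 + 1004}
BATCH = [
    {"emp_no": "1001", "skill": "410", "rate": "14.50", "hours": "40"},  # clean
    {"emp_no": "1002", "skill": "693", "rate": "18.00", "hours": "40"},  # fails reasonableness
    {"emp_no": "1004", "skill": "410", "rate": "x9.00", "hours": "38"},  # fails numeric check
    {"emp_no": "1003", "skill": "410", "rate": "15.00", "hours": "72"},  # fails limit, sequence
]

def to_decimal(text):
    try:
        return Decimal(text)
    except InvalidOperation:
        return None

def field_interrogation(rec):
    """Examine each field on its own: missing data, numeric form, range, limit."""
    errs = [f"{name}: missing data" for name in ("emp_no", "skill", "rate", "hours")
            if not str(rec.get(name, "")).strip()]
    rate, hours = to_decimal(rec.get("rate", "")), to_decimal(rec.get("hours", ""))
    if rate is None or hours is None:
        return errs + ["rate/hours: not numeric"]
    if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
        errs.append("rate: outside range")
    if hours > MAX_HOURS:
        errs.append("hours: exceeds limit")
    return errs

def record_interrogation(rec):
    """Check field interrelationships: is the rate reasonable for the skill code?"""
    cap = SKILL_RATE_CAP.get(rec["skill"])
    if cap is not None and Decimal(rec["rate"]) > cap:
        return [f"rate: unreasonable for skill code {rec['skill']}"]
    return []

def validate_batch(transmittal, records):
    """Reject the batch when its control figures do not balance; otherwise split
    it into validated records and an error file of flagged records."""
    emp_nos = [r.get("emp_no", "") for r in records]
    figures = (len(records), sum(int(e) for e in emp_nos if e.isdigit()))
    if figures != (transmittal["record_count"], transmittal["hash_total"]):
        return {"rejected": True, "validated": [], "error_file": []}
    validated, error_file, previous_key = [], [], None
    for rec, emp_no in zip(records, emp_nos):
        errs = field_interrogation(rec)
        if not errs:                      # record checks need clean fields first
            errs = record_interrogation(rec)
        if emp_no.isdigit():              # sequence check against the previous record
            key = int(emp_no)
            if previous_key is not None and key <= previous_key:
                errs.append("emp_no: out of sequence")
            previous_key = key
        if errs:
            error_file.append((emp_no, errs))
        else:
            validated.append(rec)
    return {"rejected": False, "validated": validated, "error_file": error_file}

if __name__ == "__main__":
    result = validate_batch(TRANSMITTAL, BATCH)
    print("rejected:", result["rejected"])
    for emp_no, errs in result["error_file"]:
        print(emp_no, errs)
```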



Page 14: 04.2 CAAT.pptx

GENERALIZED DATA INPUT SYSTEMS (GDIS)

This technique includes centralized procedures to manage data input for all of the organization’s processing systems.

A GDIS has 5 major components:

1. Generalized validation module (GVM): performs standard validation routines common to many different applications, which are then customized to an individual application’s needs. Ex: the GVM may apply a range check to the hourly rate field of payroll records, with a range of $6 to $15.

2. Validated data file: input data that have been validated are stored temporarily on a validated data file, through which validated transactions flow to their respective applications.

3. Error file: error records detected are stored in this file, corrected, and resubmitted to the GVM.

4. Error reports: standardized error reports are distributed to users to facilitate error correction.

5. Transaction log: the transaction log (equivalent to the journal entry) is a permanent record of all validated transactions.


Page 15: 04.2 CAAT.pptx

THE PROCESS OF GENERALIZED DATA INPUT SYSTEMS (GDIS)


Page 16: 04.2 CAAT.pptx

Manual input controls: require authorization both before input and after a review, use of concise pre-numbered forms, and training for data entry personnel.

Electronic input controls: include user-friendly screen formats that prompt the user for required information and the use of required fields.

A field check: a check to see whether the information in an entry field is complete.

To protect sensitive information, keystroke verification requires data to be entered twice, by a different person if possible, and highlights any differences (e.g. confirming a password change).

Format check: data is entered in an acceptable format (e.g. date format).

Drop down menus: allow specific preset input (e.g. list of provinces).

Page 17: 04.2 CAAT.pptx

• Edit check: automated tests on data fields. These include:

Control totals: a hash total is the sum of nonfinancial numbers that has no meaning in itself. A change in the hash total indicates a record change.

Range test: allows entries only within a range of numbers or characters.

Numerical test: prevents alphabetic entry in number fields.

Limit check: entries above a particular number are prevented or need approval.

Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits, showing whether the number was incorrectly entered by transposition (e.g. credit card numbers).

Record count: tallies the number of records.

Historical comparison: measures variance from past records.

Overflow checking: places a memory or length limit on a field to prevent numbers larger than the maximum from being entered.

Topic 12: Input Controls

Page 18: 04.2 CAAT.pptx

• Inquiry log: tracks all read-only access to records.

• Automated inputs: automation reduces errors and increases input speed. These include:

Optical character recognition (OCR): converts a scanned image into graphic data, then stores, retrieves, and processes the graphic data (e.g. scanning shipping receipts into a database).

Scanners: devices that digitize graphic images.

Radio frequency identification (RFID): a tag is placed in the packaging; an RFID reader reads the tag via radio frequency and identifies where the product is. Useful in tracking inventory (e.g. DHL).

Bar codes: a machine-readable representation of data, allowing for rapid reading and processing of associated data (such as price or inventory level).

Magnetic ink character recognition (MICR): included on checks (bank transactions), indicating the check number, account number, routing number, and possibly the check amount.


Page 19: 04.2 CAAT.pptx

Processing controls are divided into 3 categories: (1) run-to-run controls, (2) operator intervention controls, and (3) audit trail controls.

3.1 Run-to-Run Controls

Run-to-run controls use batch figures to monitor the batch as it moves from one programmed procedure (run) to another. These controls ensure that each run in the system processes the batch correctly and completely. Batch control figures may be contained in either a separate control record created at the data input stage or an internal label.

Specific uses of run-to-run control figures:

Recalculate Control Totals.

After each major operation in the process and after each run, dollar amount fields, hash totals, and record counts are accumulated and compared to the corresponding values stored in the control record.

Transaction Codes.

The transaction code of each record in the batch is compared to the transaction code contained in the control record. This ensures that only the correct type of transaction is being processed.


3. Processing Controls

Page 20: 04.2 CAAT.pptx

3.1 Run-to-Run Controls

Sequence Checks.

In systems that use sequential master files, the order of the transaction records in the batch is critical to correct and complete processing. As the batch moves through the process, it must be re-sorted in the order of the master file used in each run. The sequence check control compares the sequence of each record in the batch with the previous record.

Run-to-run controls in a revenue cycle system:

The cycle comprises 4 runs: (1) data input, (2) AR update, (3) inventory update, and (4) output. At the end of the AR run, the batch control figures are recalculated and reconciled with the control totals passed from the data input run. These figures are then passed to the inventory update run, where they are again recalculated, reconciled, and passed to the output run.
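The four-run revenue cycle above, as an added example (not code from the slides): the control record created at data input travels with the batch, and each run recalculates and reconciles the figures, checks the transaction code, and verifies the batch is sorted for the master file it updates before handing the record on. The record layout, batch number and the RunControlError exception are assumptions.

```python
# Added example: run-to-run controls across the data input, AR update,
# inventory update and output runs. Batch values are constructed.
from decimal import Decimal

class RunControlError(Exception):
    """Raised when a run's recalculated figures do not reconcile with the control record."""

# constructed batch of sales orders; keys are integers so the hash total is a plain sum
SALES = [
    {"trans_code": "SO", "customer_no": 1030, "item_no": 7, "amount": Decimal("250.00")},
    {"trans_code": "SO", "customer_no": 1010, "item_no": 9, "amount": Decimal("75.50")},
    {"trans_code": "SO", "customer_no": 1020, "item_no": 3, "amount": Decimal("120.00")},
]

def build_control_record(batch_no, trans_code, records):
    """Control record created at the data input run; it travels with the batch."""
    return {"batch_no": batch_no, "trans_code": trans_code,
            "record_count": len(records),
            "control_total": sum((r["amount"] for r in records), Decimal("0")),
            "hash_total": sum(r["customer_no"] for r in records)}

def reconcile_run(run_name, control, records, sort_key=None):
    """Recalculate the figures after a run and compare them with the control record.
    Also verifies the transaction code of every record and, when the run works
    against a sequential master file, that the batch is sorted on that key."""
    if any(r["trans_code"] != control["trans_code"] for r in records):
        raise RunControlError(f"{run_name}: wrong transaction code in batch")
    recalculated = build_control_record(control["batch_no"], control["trans_code"], records)
    for figure in ("record_count", "control_total", "hash_total"):
        if recalculated[figure] != control[figure]:
            raise RunControlError(f"{run_name}: {figure} does not reconcile")
    if sort_key is not None:
        keys = [r[sort_key] for r in records]
        if keys != sorted(keys):
            raise RunControlError(f"{run_name}: batch not in {sort_key} order")
    return control                     # passed on unchanged to the next run

def run_outcome(run_name, control, records, sort_key=None):
    """None when the run reconciles, otherwise the control failure message."""
    try:
        reconcile_run(run_name, control, records, sort_key)
        return None
    except RunControlError as exc:
        return str(exc)

def revenue_cycle(records):
    """Each run re-sorts the batch for its master file and reconciles before
    handing the control record to the next run."""
    control = build_control_record("B001", "SO", records)                       # run 1: data input
    ar_batch = sorted(records, key=lambda r: r["customer_no"])
    control = reconcile_run("AR update", control, ar_batch, "customer_no")       # run 2
    inv_batch = sorted(records, key=lambda r: r["item_no"])
    control = reconcile_run("inventory update", control, inv_batch, "item_no")   # run 3
    return reconcile_run("output", control, records)                             # run 4

if __name__ == "__main__":
    print(revenue_cycle(SALES))
    # a record lost between runs shows up as a record count that does not reconcile
    print(run_outcome("inventory update", build_control_record("B001", "SO", SALES), SALES[:2]))
```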


Page 21: 04.2 CAAT.pptx

3.2 Operator Intervention Controls

Systems sometimes require operator intervention to initiate certain actions, such as entering control totals for a batch of records. Operator intervention increases the risk of human error, so intervention controls are needed.

3.3 Audit Trail Controls

The audit trail can become fragmented and difficult to follow. An example of an audit trail control: Transaction Logs.

Every transaction successfully processed by the system should be recorded on a transaction log, which serves as a journal. The system should produce a hard-copy transaction listing of all successful transactions, which then goes to the appropriate users to facilitate reconciliation with the input.


Page 22: 04.2 CAAT.pptx

3.3 Audit Trail Controls

Log of Automatic Transactions.

Some transactions are triggered internally by the system. Ex: when inventory drops below a preset reorder point, the system automatically processes a PO.

Listing of Automatic Transactions.

The responsible end user should receive a detailed listing of all internally generated transactions.

Unique Transaction Identifiers.

Each transaction processed by the system must be uniquely identified with a transaction number. In real-time systems, which do not use source documents, the system should assign each transaction a unique number.

Error Listing.

A listing of all error records should go to the appropriate user to support error correction and resubmission.


Page 23: 04.2 CAAT.pptx

• Processing controls: automated error checks built into computer processing as well as segregation of duties, such as controlling programmers’ access to files and records.

• Data center operators’ access to applications should be restricted to equipment and software installation and responding to errors, as well as overriding file names.

• A console log or system control file should track operators’ interventions.

• Access to configuration parameters within the application must be controlled. Auditors should reconcile the actual versus the planned configuration.

• Completeness check: reject saving a record until all fields are complete.

• Control totals: totals are recorded in a system control file when an application generates temporary files; an error occurs if the control totals don’t match.

• Date and file total check: logs of item and monetary totals with date and time stamps. Exact duplicate entries are flagged as errors.

Auditors test processing controls by inserting known test data and comparing the output against expected results (walkthrough test or round test?).

Topic 12: Processing Controls

Page 24: 04.2 CAAT.pptx

Other processing controls include:

• Suspense file: a file used to retain transactions processed with errors.

• Activity log: records the actions of users by date, time, and access terminal (distinguish this from ITGC).

• Processing logic tests (e.g. posting check, zero balance check, cross-footing check): various checks that verify whether accounts or transactions are at the expected level (e.g. checking that an account actually has a zero balance after payments are processed; other examples?).

• End-of-file procedures: prevent additional operations from taking place in a file when the end of the file is reached.

• Primary and secondary key integrity check: verify encryption key security.


Page 25: 04.2 CAAT.pptx

Output Controls ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause financial, reputational, and legal losses.

The type of processing method in use (batch or real-time) influences the choice of controls employed to protect system output.

4.1 Controlling Batch Systems Output

Batch systems usually produce output in the form of hard copy, which typically requires the involvement of intermediaries in its production and distribution.

Controls at each phase of the output process:

4.1.1 Output Spooling Control.

A spool is a temporary memory allocation for system output. A computer criminal may use this opportunity to perform any of the following unauthorized acts:

Change critical data values (such as dollar amounts on checks).

Change the number of copies of output to be printed.

Make a copy of the output file to produce illegal output reports.

Destroy the output file before output printing takes place.

4. Output Controls

Page 26: 04.2 CAAT.pptx

4.1 Controlling Batch Systems Output

4.1.2 Print Programs Controls.

Print program controls are designed to deal with two exposures:

(1) the production of unauthorized copies of output

(2) employee browsing of sensitive data.

4.1.3 Bursting Control.

The bursting clerk may make an unauthorized copy of the report, remove a page from the report, or read sensitive information. The primary control against these exposures is supervision.

4.1.4 Waste Control.

Computer output waste represents a potential exposure. Passing it through a paper shredder can easily destroy sensitive computer output.

4.1.5 Data Control.

The data control group is responsible for verifying the accuracy of computer output before it is distributed to the user.


Page 27: 04.2 CAAT.pptx

4.1 Controlling Batch Systems Output

4.1.6 Report Distribution Control

The primary risks include reports being lost, stolen, or misdirected in transit to the user. Controls include printing the name and address of the user on the report.

4.1.7 End User Controls.

Once in the hands of the user, output reports should be re-examined for any errors. Once a report has served its purpose, it should be stored in a secure location until its retention period has expired.

4.2 Controlling Real-Time Systems Output

Real-time systems direct their output to the user’s computer screen, terminal, or printer. This method of distribution eliminates the various intermediaries in the journey from the computer center to the user.

The threat to real-time output is interception, disruption, destruction, or corruption of the output message as it passes along the communications link. This threat comes from: (1) equipment failure; and (2) subversive acts, whereby a computer criminal intercepts the output message transmitted between sender and receiver.

Page 28: 04.2 CAAT.pptx

Output controls: detective controls that find errors and verify the accuracy and reasonableness of output data after processing is complete. Output controls include the following:

• Error listings: auditors ensure that errors are followed up without exceeding backlog limits, and that corrected reports are resubmitted.

• Reference documents: when systems are interrupted, these logs show what was in memory at the time of the interruption.

• Spooling controls: a spool is a temporary memory allocation for system output. These controls regulate the data spooling method.

• Working documents: legal records, such as checks, invoices, or stock certificates, are safeguarded. They are audit evidence that can show whether inputs really match outputs.

• Report controls: include ensuring that reports are accurate, simple, timely, and meaningful, and that sensitive data is secured using distribution controls.

• Exception reporting: highlights only unusual data; it helps to determine the source of an error (human error, processing error).

Topic 12: Output Controls

Page 29: 04.2 CAAT.pptx

5.1 Black-Box Approach (Around the Computer)

Auditors do not rely on a detailed knowledge of the application’s internal logic.

Auditors seek to understand the functional characteristics of the application by analyzing flowcharts and interviewing knowledgeable personnel in the client’s organization.

The auditor tests the application by reconciling production input transactions processed by the application with output results. The output results are analyzed to verify the application’s compliance with its functional requirements.


5. Testing Computer Application Controls

The advantage of the black-box approach:

The application need not be removed from service and tested directly.

This approach is feasible for testing applications that are relatively simple.

Page 30: 04.2 CAAT.pptx

5.2 White-Box Approach (Through the Computer)

Auditors rely on an in-depth understanding of the internal logic of the application.

Auditors use several techniques for testing application logic directly. These techniques use small numbers of specially created test transactions to verify specific aspects of an application’s logic and controls.

Some of the more common types of tests of controls include the following:

Authenticity tests:

Verify that an individual, a programmed procedure, or a message (such as an EDI transmission) attempting to access a system is authentic. Authenticity controls include user IDs, passwords, valid vendor codes, and authority tables.

Accuracy tests:

Ensure that the system processes only data values that conform to specified tolerances. Examples include range tests, field tests, and limit tests.


Page 31: 04.2 CAAT.pptx

5.2 White-Box Approach (Through the Computer)

Some of the more common types of tests of controls include the following:

Completeness tests:

Identify missing data within a single record and entire records missing from a batch. The types of tests performed are field tests, record sequence tests, hash totals, and control totals.

Redundancy tests:

Determine that an application processes each record only once. Redundancy controls include the reconciliation of batch totals, record counts, hash totals, and financial control totals.

Access tests:

Ensure that the application prevents authorized users from unauthorized access to data. Access controls include passwords, authority tables, user-defined procedures, data encryption, and inference controls.


Page 32: 04.2 CAAT.pptx

5.2 White-Box Approach (Through the Computer)

Some of the more common types of tests of controls include the following:

Audit trail tests:

Ensure that the application creates an adequate audit trail, including a transaction log, the posting of data values to the appropriate accounts, transaction listings, error files, and reports of all exceptions.

Rounding error tests / salami test:

Verify the correctness of rounding procedures.

Employ a rounding program control.

In a salami fraud, there would be thousands of entries into the criminal’s personal account, which may be detected. A clever programmer may disguise this activity by funneling these entries through several intermediate temporary accounts, which are then posted to a smaller number of intermediate accounts and finally to the programmer’s personal account.
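A rounding error test as an added example, not code from the slides: a sound rounding procedure beside the auditor's recomputation that flags any posting more than half a cent away from its own exact amount. The interest calculation, the constructed accounts and the diverted posting set are assumptions; the point they show is that batch totals can still balance when fractions are diverted, so the test must recompute per account.

```python
# Added example: rounding program control and the auditor's rounding error test.
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
HALF_CENT = Decimal("0.005")

# constructed month-end interest run: account -> balance, plus rate and day count
ACCOUNTS = {"A1001": Decimal("1234.56"), "A1002": Decimal("250.00"),
            "A1003": Decimal("9876.54"), "A1004": Decimal("73.21")}
ANNUAL_RATE, DAYS = Decimal("0.0425"), 31

def exact_interest(accounts, annual_rate, days):
    """Unrounded interest per account: balance * rate * days / 365 (assumed formula)."""
    return {acct: bal * annual_rate * Decimal(days) / Decimal(365)
            for acct, bal in accounts.items()}

def rounding_program(exact):
    """A sound rounding procedure: each account gets its own amount rounded to
    the cent, and the left-over fractions go to a designated rounding account
    rather than to any customer."""
    postings = {acct: amt.quantize(CENT, rounding=ROUND_HALF_EVEN)
                for acct, amt in exact.items()}
    residual = sum(exact.values()) - sum(postings.values())
    return postings, residual.quantize(CENT, rounding=ROUND_HALF_EVEN)

def rounding_error_test(exact, postings, rounding_account=Decimal("0.00")):
    """Auditor's recomputation: every posting is compared with its own exact
    amount (no account may deviate by more than half a cent), and the totals
    including the rounding account are reconciled."""
    findings = [f"{acct}: posted {postings[acct]} vs exact {amt.quantize(CENT)}"
                for acct, amt in exact.items()
                if abs(postings[acct] - amt) > HALF_CENT]
    total_exact = sum(exact.values()).quantize(CENT)
    total_posted = sum(postings.values()) + rounding_account
    if total_posted != total_exact:
        findings.append(f"totals do not reconcile: posted {total_posted}, exact {total_exact}")
    return findings

# constructed postings from a salami-style run: every amount truncated and the
# accumulated cent credited to A1004; note that the batch total still balances
DIVERTED_POSTINGS = {"A1001": Decimal("4.45"), "A1002": Decimal("0.90"),
                     "A1003": Decimal("35.65"), "A1004": Decimal("0.27")}

if __name__ == "__main__":
    exact = exact_interest(ACCOUNTS, ANNUAL_RATE, DAYS)
    postings, residual = rounding_program(exact)
    print(rounding_error_test(exact, postings, residual))   # no findings
    print(rounding_error_test(exact, DIVERTED_POSTINGS))    # A1001 and A1004 flagged
```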


Page 33: 04.2 CAAT.pptx

6.1 Test Data Method

Used to establish application integrity by processing specially prepared sets of input data through production applications that are under review. The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic and control effectiveness.

6. CAAT Tools and Techniques for Testing Controls

Page 34: 04.2 CAAT.pptx

6.1 Test Data Method

Creating Test Data

Auditors prepare a complete set of both valid and invalid transactions, to test every possible input error, logical process, and irregularity.

Gaining knowledge of the application’s internal logic

Obtaining the test data used to test program modules during the implementation phase of the SDLC, or creating additional test data that focus on the areas of program changes.

Base Case System Evaluation (BCSE)

BCSE tests are conducted with a set of test transactions containing all possible transaction types. These are processed through repeated iterations during systems development testing until consistent and valid results are obtained.


Page 35: 04.2 CAAT.pptx

6.1 Test Data Method

Tracing

The tracing technique performs an electronic walkthrough of the application’s internal logic. The tracing procedure involves 3 steps:

1. The application under review must undergo a special compilation to activate the trace option.

2. Specific transactions or types of transactions are created as test data.

3. The test data transactions are traced through all processing stages, and a listing is produced of all program instructions that were executed during the test.


The example shows records from 2 payroll files: a transaction record and 2 records from the master file. The trace listing identifies the program statements that were executed and the order of execution. Analysis of the trace options indicates that Commands 0001 through 0020 were executed. At that point, the application transferred to Command 0060. This occurred because the employee number (the key) of the transaction record did not match the key of the first record in the master file. Then Commands 0010 through 0050 were executed.

Page 36: 04.2 CAAT.pptx

6.1 Test Data Method

Advantages of Test Data Techniques

1. They employ through-the-computer testing, thus providing the auditor with explicit evidence concerning application functions.

2. If properly planned, test data runs can be employed with only minimal disruption to the organization’s operations.

3. They require only minimal computer expertise on the part of auditors.

Disadvantages of Test Data Techniques

1. Auditors must rely on computer services personnel to obtain a copy of the application for test purposes. Computer services may intentionally provide the auditor with the wrong version of the application.

2. They provide a static picture of application integrity at a single point in time.

3. Their relatively high cost of implementation results in audit inefficiency. The auditor may devote considerable time to understanding program logic and creating test data.


Page 37: 04.2 CAAT.pptx

6.2 The Integrated Test Facility

An automated technique that enables the auditor to test an application’s logic and controls during its normal operation. The ITF is one or more audit modules designed into the application during the systems development process.

ITF databases contain “dummy” records integrated with legitimate records. During normal operations, test transactions are merged into the input stream of regular (production) transactions and are processed against the files of the dummy company.

ITF audit modules are designed to discriminate between ITF transactions and routine production data by assigning a unique range of key values exclusively to ITF transactions.


Advantages of ITF

(1) ITF supports ongoing monitoring of controls. (2) Applications with an ITF can be economically tested without disrupting operations (efficient) and without the intervention of computer services (reliable).

Disadvantages of ITF

The potential for corrupting the data files of the organization with test data.

Page 38: 04.2 CAAT.pptx

6.3 Parallel Simulation

Parallel simulation requires the auditor to write a program that simulates key features or processes of the application under review.

Creating a Simulation Program

1. The auditor must first gain a thorough understanding of the application under review, using complete and current documentation of the application.

2. The auditor must then identify those processes and controls in the application that are critical. These are the processes to be simulated.

3. The auditor creates the simulation using a 4GL or GAS.

4. The auditor runs the simulation program using selected production transactions and master files to produce a set of results.

5. Finally, the auditor evaluates and reconciles the test results.

Page 39: 04.2 CAAT.pptx

Page 40: 04.2 CAAT.pptx

For further information, contact: